The recent decision of the First Tier Tribunal (Information Rights) (the Tribunal) has addressed several interesting points of general application in relation to using legitimate interests as a basis for direct marketing processing and the standard of privacy information which needs to be provided by organisations. The decision marks a significant departure from the status quo and is likely to have significant repercussions (although whether this decision will stand on appeal is another matter).
The original action by the ICO
Experian collects data from various sources (its work as a Credit Reference Agency (CRA), open sources such as the electoral register and third parties), collates it and sells it on for marketing purposes. It also uses the data to profile individuals in relation to their marketing preferences (e.g., the types of products they might be interested in). It maintains a huge number of records, relating to over 50 million people in the UK. The legal basis it uses for the processing is legitimate interest (the marketing being offline in nature).
In 2020 the ICO issued an enforcement notice against Experian stating (amongst other things) that Experian was not processing the personal data transparently or lawfully, that Experian could not rely on the legitimate interest legal basis because they were conducting invisible and intrusive profiling for marketing purposes. The ICO considered the fact that individuals would receive more relevant marketing material as a result of the processing to have little weight in assessing whether the individuals’ interests override the legitimate interest pursued.
Experian appealed the ICO’s decision, and the appeal was heard by the Tribunal.
The Tribunal differed significantly in its approach and took issue with some of the evidence provided by the ICO in support of its case, finding it significantly flawed.
The ICO was criticised for not understanding the outcomes of the processing and not having looked at the positives in the processing e.g. – using credit pre-screening information to ensure people are not sent information about things they can’t afford, using information to keep individuals’ details up to date so that marketing is not sent to the wrong address, ensuring under-age individuals don’t access gambling websites and using data about fuel poverty to allow utilities companies to assist individuals struggling with energy costs. The Tribunal considered the negative effects were, at worst, that an individual would receive marketing materials which were relevant to them, rather than irrelevant.
The Tribunal considered that the modelling undertaken by Experian was, in fact, less intrusive than using actual personal data. The Tribunal was critical about the emotive language used by the ICO – “We accept, as is clear from the sample profiles shown to us, that …profiles will include up to 49 derived data points about individuals and up to 370 modelled points about individuals. These are…predictions about the likelihood of people having certain characteristics. We consider it is unhelpful for the Information Commissioner to use emotive terms such as “judgments” about people when describing modelled data points.”
The Tribunal also made the point that the marketing was not targeting particular individuals, as Experian was merely sending lists of people likely to be interested in particular types of marketing (although this is surely true of most “targeted marketing”).
The Tribunal found that Experian had controls in place in relation to the onward use of the data, including a list of businesses they would not supply information to, controls over how CRA data is used, contractual controls on what the data could be used for and auditing powers to check this is being complied with.
The Tribunal considered the privacy information currently provided to be adequate to discharge Experian’s duties in relation to transparency. Where the ICO had criticised Experian for not clearly setting out the use of data for marketing purposes, the Tribunal warned that information overload was a risk and that the layered approach adopted by Experian was useful in that it allowed anyone who was interested in finding out about how their data was used (commenting that there is evidence that a large proportion of individuals are not) to go beyond the first layer and find out more.
The Tribunal agreed with the ICO that data collected by third parties by consent could not be used by Experian for legitimate interest purposes but found that this practice was no longer taking place.
The Tribunal has ordered Experian to provide individuals whose data was obtained from open sources (e.g., the electoral roll) with a privacy notice, holding that Experian could not rely on the disproportionate effort exemption. The processing of the data obtained in this way was found to be non-compliant, but the Tribunal considered there was no clear remedy to this which it could impose on Experian.
Where does this leave us?
This is quite a radical departure from the more conservative rationale used by the ICO and elsewhere in the EU.
In relation to privacy information, the ICO essentially makes the point that Experian collects data from a huge number of people and the uses of the information are not clear (there is no clear indication about the marketing practices on the landing page of the website even if it is explained in the privacy information), with the Tribunal taking the view that people who are interested in how their data is used have ways to find out what their data is being used for.
In relation to balancing legitimate interests, the Tribunal was much more ready to find positives for data subjects in the processing undertaken, whereas the ICO aligned with the established position that profiling is considered intrusive, and so hard to justify, regardless of the outcome.
It is important to remember that the ruling relates to offline marketing and the same rationale should not be applied to electronic marketing, which may require consent.
The case also provides us with a reminder that the disproportionate effort exception is a tough one to rely on and just because providing privacy information is expensive is not enough of a reason not to provide it. As the Tribunal stated, if the cost of providing the notices was too high, the option was open to Experian not to undertake the processing.
Unsurprisingly, the ICO has appealed. Letting this judgment stand would open the door for many more appeals against the ICO and would leave us at a point of real divergence from the approach taken by EU regulators. It may also prompt the ICO to tighten up its practices when putting together evidence in support of its enforcements.
The full judgment can be found here.