Franchise

Experian v the ICO

The recent decision of the First Tier Tribunal (Information Rights) (the Tribunal) has addressed several interesting points of general application in relation to using legitimate interests as a basis for direct marketing processing and the standard of privacy information which needs to be provided by organisations. The decision marks a significant departure from the status quo and is likely to have significant repercussions (although whether this decision will stand on appeal is another matter).

The original action by the ICO

Experian collects data from various sources (its work as a Credit Reference Agency (CRA), open sources such as the electoral register and third parties), collates it and sells it on for marketing purposes. It also uses the data to profile individuals in relation to their marketing preferences (e.g., the types of products they might be interested in). It maintains a huge number of records, relating to over 50 million people in the UK. The legal basis it uses for the processing is legitimate interest (the marketing being offline in nature).

In 2020 the ICO issued an enforcement notice against Experian stating (amongst other things) that Experian was not processing the personal data transparently or lawfully, that Experian could not rely on the legitimate interest legal basis because they were conducting invisible and intrusive profiling for marketing purposes. The ICO considered the fact that individuals would receive more relevant marketing material as a result of the processing to have little weight in assessing whether the individuals’ interests override the legitimate interest pursued.

The appeal

Experian appealed the ICO’s decision, and the appeal was heard by the Tribunal.

The Tribunal differed significantly in its approach and took issue with some of the evidence provided by the ICO in support of its case, finding it significantly flawed.

Balancing interests

The ICO was criticised for not understanding the outcomes of the processing and not having looked at the positives in the processing e.g. – using credit pre-screening information to ensure people are not sent information about things they can’t afford, using information to keep individuals’ details up to date so that marketing is not sent to the wrong address, ensuring under-age individuals don’t access gambling websites and using data about fuel poverty to allow utilities companies to assist individuals struggling with energy costs. The Tribunal considered the negative effects were, at worst, that an individual would receive marketing materials which were relevant to them, rather than irrelevant.

The Tribunal considered that the modelling undertaken by Experian was, in fact, less intrusive than using actual personal data. The Tribunal was critical about the emotive language used by the ICO – “We accept, as is clear from the sample profiles shown to us, that …profiles will include up to 49 derived data points about individuals and up to 370 modelled points about individuals. These are…predictions about the likelihood of people having certain characteristics. We consider it is unhelpful for the Information Commissioner to use emotive terms such as “judgments” about people when describing modelled data points.”

The Tribunal also made the point that the marketing was not targeting particular individuals, as Experian was merely sending lists of people likely to be interested in particular types of marketing (although this is surely true of most “targeted marketing”).

The Tribunal found that Experian had controls in place in relation to the onward use of the data, including a list of businesses they would not supply information to, controls over how CRA data is used, contractual controls on what the data could be used for and auditing powers to check this is being complied with.

Privacy information

The Tribunal considered the privacy information currently provided to be adequate to discharge Experian’s duties in relation to transparency. Where the ICO had criticised Experian for not clearly setting out the use of data for marketing purposes, the Tribunal warned that information overload was a risk and that the layered approach adopted by Experian was useful in that it allowed anyone who was interested in finding out about how their data was used (commenting that there is evidence that a large proportion of individuals are not) to go beyond the first layer and find out more.

Other matters

The Tribunal agreed with the ICO that data collected by third parties by consent could not be used by Experian for legitimate interest purposes but found that this practice was no longer taking place.

The Tribunal has ordered Experian to provide individuals whose data was obtained from open sources (e.g., the electoral roll) with a privacy notice, holding that Experian could not rely on the disproportionate effort exemption. The processing of the data obtained in this way was found to be non-compliant, but the Tribunal considered there was no clear remedy to this which it could impose on Experian.

Where does this leave us?

This is quite a radical departure from the more conservative rationale used by the ICO and elsewhere in the EU.

In relation to privacy information, the ICO essentially makes the point that Experian collects data from a huge number of people and the uses of the information are not clear (there is no clear indication about the marketing practices on the landing page of the website even if it is explained in the privacy information), with the Tribunal taking the view that people who are interested in how their data is used have ways to find out what their data is being used for.

In relation to balancing legitimate interests, the Tribunal was much more ready to find positives for data subjects in the processing undertaken, whereas the ICO aligned with the established position that profiling is considered intrusive, and so hard to justify, regardless of the outcome.

It is important to remember that the ruling relates to offline marketing and the same rationale should not be applied to electronic marketing, which may require consent.

The case also provides us with a reminder that the disproportionate effort exception is a tough one to rely on and just because providing privacy information is expensive is not enough of a reason not to provide it. As the Tribunal stated, if the cost of providing the notices was too high, the option was open to Experian not to undertake the processing.

Unsurprisingly, the ICO has appealed. Letting this judgment stand would open the door for many more appeals against the ICO and would leave us at a point of real divergence from the approach taken by EU regulators. It may also prompt the ICO to tighten up its practices when putting together evidence in support of its enforcements.

The full judgment can be found here.

Share:

Facebook
Twitter
Pinterest
LinkedIn

Related Posts

Don't just take our word for it
"We have been working with HelloDPO for several years now and I have always found them to be friendly, approachable and above all professional in their approach. I would have no hesitation in recommending them."
Serena MayDirector, Southern HR Ltd
Serena May
"We have been working with HelloDPO for several years now and I have always found them to be friendly, approachable and above all professional in their approach. I would have no hesitation in recommending them."
Serena MayDirector, Southern HR Ltd
Serena May
“We have worked with Jenai, Alison and the HelloDPO team for over 5 years as our DPO and have found their advice and support invaluable. They are pragmatic and flexible in the advice they provide, and assist in making data protection compliance apply in a corporate environment. Working with them is like having additional members of our team, and the relationship has flourished over time."
Craig SaundersHead of International Privacy, Aetna Global Benefits (UK) Ltd
Craig Saunders
“The team (Jenai and Lisa) provided DPO services and compliance support to our business for over a year, during which they consistently delivered high quality advice and excellent client service. The demands of the hospitality industry are high and HelloDPO adapted to this quickly and seamlessly – they are responsive, knowledgeable, and pragmatic. They are also a pleasure to work with.”
Frasers Hospitality (UK) Ltd
“We have been working with HelloDPO for nearly a year. The team have been great to work with, highly professional and flexible. Most importantly, they have given clear advice and guidance in what is a very complex area. Well done and we look forward to continuing working with you!”
Ruth HidalgoDirector, Chartered Accountants Worldwide
Ruth Hidalgo
“The HelloDPO team have led us patiently through the intricacies of GDPR over the years, helping us to navigate a careful path to ensure understanding of the rules and therefore compliance with them. HelloDPO are a pleasure to work with and I’d have no hesitation in recommending them to others looking for good, commercial advice in this complex area.”
Sanjay PatelFinance Director, Cadogan Group Limited
“We have recently engaged HelloDPO and the team, led by Jenai, has been responsive, practical and generally very helpful when dealing with our data protection queries. We look forward to what’s on track to becoming a great working relationship!”
Federica CozzaniSenior Legal Counsel, Compre Group
Federica Cozzani
“If you’re looking for trustworthy, pragmatic and diligent legal advisors, say Hello(to)DPO! The team has been a great support to Skyscanner on a broad range of privacy and data protection matters, whether advising at a compliance level or on more acute legal issues. You’ll enjoy considerate, timely and helpful advice, provided by professionals with whom it’s a delight to work.”
Gemma WithamDirector of Legal (Privacy), Group Privacy Officer, Sykscanner Limited
Gemma Witham
“Jenai and Emma are amazing to deal with. They strike the right balance between understanding the business needs while doing it’s fiduciary duty to ensure we are on the right track from a legal, ethical and moral perspective. Working with HelloDPO’s guidance over the past 2 years has enabled X-Mode (now known as Outlogic) to be able to navigate complex and at times uncertain waters with GDPR in a strategic and ethical manner.”
Joshua AntonCEO, Outlogic
Joshua Anton
“A great bespoke service, delivered flexibly by absolute experts in a friendly, collaborative and accessible way. I cannot recommend more highly!"
Clare RussellInterim Head of Legal, Vue UK & Ireland
Clare Russell
“HelloDPO have been brilliant at getting our data compliance into shape. We have come such a long way in our ways of working and they are always on hand to help when we have complicated or urgent issues – they have simply become part of the team."
Josh TowbHead of Business Transformation, Jigsaw
Josh Towb
“The HelloDPO team have provided Channel 4 with a wide range of data protection advice over the years. Alison is always delightful to work with, and her advice is pragmatic and set within a commercial context, which is particularly helpful. HelloDPO runs regular DP Confessionals, which provide our team with a valuable wider industry view and a sense of issues which other organisations are struggling with, and the ways in which they are approaching them."
Rebecca MillerChannel 4
Previous
Next

Subscribe to our privacy news and legislation updates

Subscribe now

We are here to make our data-driven world a more equitable and ethical place to live, work, and thrive by pragmatically balancing our clients’ commercial ambitions with every individual’s right to privacy.

Linkedin
Navigation
Legal & compliance
HelloDPO Law Logo
© 2024 HelloDPO. All rights reserved. The use of any material on the website without our prior written consent is strictly prohibited.

Website developed by Bowler Hat

Data Protection; Demystified