The transparency and legitimate interests battle in direct marketing: ICO to Appeal First Tier Tribunal Decision in Experian v The Information Commissioner 2023

Hot off the press: The ICO has now confirmed that it plans to appeal the recent First-Tier Tribunal decision in Experian v The Information Commissioner 2023.

There is plenty to digest from a reading of the UK First-Tier Tribunal (the "Tribunal") decision in the case of Experian Limited v The Information Commission concerning the ICO's 2020 enforcement notice against Experian. Takeaways from the decision are potentially relevant across a number of different sectors, particularly in view of the Tribunal's recognition that, irrespective of whether Experian was a data broker (the Tribunal agreed with Experian that its business was more in the line of producing marketing services), the relevant point was that it was a data controller. However, confirmation by the UK Information Commissioner ("ICO") that it intends to appeal the decision means that caution needs to be exercised before seeking to rely on any of those takeaways.  

Background

In 2020, following investigations into the practices of several data brokers, the ICO issued an enforcement notice against Experian in respect of the direct marketing arm of its business, known as Experian Marketing Services ("EMS").

In broad terms, personal data for EMS came from three key sources: (1) publicly available sources (such as the electoral role and Companies House); (2) Experian's credit reference agency business ("CRA"); and, (3) third party data suppliers (such as retailers) that had direct relationships with data subjects. Experian processed personal data of around 51 million individuals in the UK in connection with EMS. It processed this data to create modelled attributes based on the demographic, social, economic and behavioural characteristics of individuals on a predictive basis. Experian would then sell this data to commercial customers for postal direct marketing purposes (although, on average, it provided only four attributes). Experian relied on legitimate interests for its EMS processing activities.

The original enforcement notice can be found [here] but, in overview, the ICO found against Experian on the key issues of transparency and lawful basis, such findings being rooted in the perceived intrusive nature of the EMS processing activities. 

Experian appealed the enforcement notice and, in a significant turn of events, on 20 February 2023 the Tribunal ruled in favour of Experian on a number of key issues, overturning the ICO's enforcement notice and replacing it with a far more limited "Substitute Enforcement Notice".
 

Key Findings of the Tribunal

Experian was not able to rely on legitimate interests grounds in connection with its EMS processing activities where such data had been acquired by third party sources on the basis of consent.

Otherwise, Experian could rely on legitimate interests in connection with its EMS processing activities.

Experian was able to rely on privacy notices provided by third parties to inform individuals about its EMS processing activities (and thereby satisfy its transparency obligations under Article 14 GDPR).

Experian should not have relied on the "disproportionate effort" exemption under Article 14(5) GDPR to avoid having to send a privacy notice to around 5.3 million individuals (of the circa 51 million whose information was processed by Experian), notwithstanding that sending such notice would involve "considerable business expense".

While bearing in mind that the Tribunal's conclusions were very specific to the facts of the EMS business, it is possible to extrapolate some points that may have broader application to controllers.  We consider these in more detail below.

Legitimate interests as a lawful basis for direct marketing activities

The Tribunal's decision provides support for controllers seeking to rely on legitimate interests for less intrusive direct marketing activities.

From the outset, it is important to note that the Tribunal was highly critical of two arguments that were core to the ICO's original conclusion that Experian's legitimate interests assessment had been flawed.

Privacy intrusiveness

The first argument was that Experian's processing in connection with EMS was privacy intrusive.  On this point, the Tribunal determined that the ICO had "fundamentally misunderstood" the nature of Experian's processing in connection with EMS and the associated level of privacy intrusiveness.  The Tribunal suggested that the "worst outcome" would likely be that individuals would receive a marketing leaflet that was more likely to align with their interests than not.

"Surprising" processing

The second argument was that data subjects would find Experian's processing "surprising". On this point, the Tribunal found the ICO had not provided any factual evidence to support this assertion. 

Against this backdrop, the Tribunal confirmed that Experian could rely on legitimate interests as a lawful basis for its EMS activities. A factor that the Tribunal appeared to take into consideration was that, in view of Lloyd v Google LLC, it would be unlikely that any individual could successfully claim damages. It is particularly interesting that reliance on legitimate interests was not precluded: (i) by the fact that the processing was large scale (circa 51 million data subjects) and involved predictive profiling; or (ii) by the fact that the data was being processed for purposes that were one step removed from the context in which the was originally collected.

That said, of course, the nature and context of the profiling would be always important. For example, while the processing was large scale, the profiling undertaken in connection with EMS was specifically for the purposes of off-line direct marketing activities that did not involve the targeting of specific individuals based on their actual behaviours. Rather, EMS sought to help Experian customers understand which individuals were more likely to respond to particular marketing offers.  The Tribunal distinguished this type of processing from online marketing practices where the actual buying habits of particular individuals are processed (suggesting that the Tribunal might not have reached the same conclusion with respect to online behavioural advertising practices). 

However, the Tribunal found that Experian had previously infringed the GDPR by processing personal data on legitimate interests grounds where such data had been acquired by third parties on the basis of consent. The Tribunal agreed with the ICO that this reliance on legitimate interests presented significant difficulties, specifically because the third party could not have sufficiently disclosed the way in which Experian would go on to process the data and could not have made the disclosure in a way that would ensure that the consent was sufficiently informed. While perhaps not a surprising conclusion, what is helpful is that the Tribunal did not suggest that there would be an issue with third party data suppliers relying on legitimate interests to disclose the data to Experian. It is not clear, however, to what extent reliance on legitimate interest would extend to a different context that involves more privacy intrusive processing or data sharing (such as in the context of online behavioural advertising).
 

Legitimate Interests – Key Takeaways from the Tribunal decision

Personal data for profiling purposes on a large scale does not necessarily always involve a level of intrusion that precludes reliance on legitimate interests.  However, this takeaway must be viewed in the context of the particular processing and it makes sense that the nature and context of the processing should always be considered.

Since "modelled" data points may not in fact reflect a person's characteristics, the Tribunal considered the processing such data points to be less intrusive than processing actual data (it was interesting that the Tribunal did not consider any potential impact to data subjects caused by inaccurate inferences or modelled data points).

​ When carrying out a balancing exercise, due weight can and should be given to the benefits to the controller's business activities, data subjects and the broader society. The Tribunal appeared critical of the fact that the report compiled by the ICO on data broking (not specific to Experian) had failed to present a balanced account of Experian's processing and did not account for any of the benefits to data subjects or wider society. By contrast, in its decision, the Tribunal pointed to a number of benefits arising from Experian's processing in connection with EMS. For example: Experian's use of CRA data to validate and update address data was supportive of the GDPR accuracy principle and helpful in ensuring that individuals did not receive direct marketing mailshots not intended for them. This reasoning of the Tribunal is likely to be helpful to controllers wishing to use third party data sources for verification purposes in other contexts. Experian's use of CRA data to remove certain individuals from marketing lists for credit products for which they would be unlikely to receive approval was beneficial to individuals. Experian's EMS activities may ultimately result in there being less marketing material in circulation by virtue of the fact that businesses could undertake more targeted marketing activities.

Controllers cannot rely on legitimate interests grounds to process data that has been obtained by third parties on the basis of consent.

Transparency

The Tribunal's decision is also informative on the topic of transparency, providing some potentially helpful and perhaps some less welcome takeaways for controllers.

The Tribunal ultimately found that the version of Experian's Privacy Notice that it reviewed was sufficiently transparent in describing Experian's EMS practices and that there was no need for specific attention to be drawn to particular information on the basis that individuals might find it "surprising". Of note was that Experian had previously changed its approach so that the Privacy Notice (displayed via its "Consumer Information Portal") popped up on every visit a user made to the site. While there is nothing to suggest that this point had any significant bearing on the Tribunal's ultimate decision, it is likely a factor to take into account.

The Tribunal seemed to suggest that, as long as information is sufficiently transparent and straightforward for individuals to navigate, individuals ought to be able to find the information that they are looking for without the need for controllers to draw "surprising" information to their attention. This was important because, as the Tribunal put it: "Put bluntly, what surprises one person may not surprise another but what is in issue is an individual's reasonable expectations". It is not clear whether the Tribunal might have reached a different conclusion in the context of processing activities that it perceived to be more privacy intrusive.

Of note was that the Tribunal was not swayed by evidence that Experian's Privacy Notice had only received 130,000 unique visits (a stark contrast to the circa 51 million individuals whose personal data Experian processed in connection with EMS). It seemed to conclude that, as long as individuals who are actually interested in what happens to their data have an easily navigable route to find out more, it should not matter that others are not interested to learn more. As the Tribunal put it, "to a significant extent that is their choice… you cannot force people into reading privacy policies".

The Tribunal concluded (having regard to the Article 29 Working Party Transparency Guidelines) that Experian had not complied with the GDPR in failing to provide around 5.3 million individuals with an Article 14 privacy notice. It did not accept the argument that doing so would involve considerable business expense and therefore constitute "disproportionate effort".

However, the Tribunal did suggest that the ICO had not exercised its discretion proportionately when requiring Experian retrospectively to provide a privacy notice to the individuals that had not been notified. The Tribunal took a pragmatic stance in recognising that correcting this non-compliance would have significant economic impact for Experian  and would likely be disproportionate, in view of: (a) the lack of adverse outcomes that EMS posed to individuals; and (b) the fact that some individuals may be confused or even distressed to receive an out-of-the-blue notice about historic practices. However, the Tribunal did expect Experian to comply with its Article 14 obligation in respect of data obtained from third party sources (including publicly available sources) going forward.  It found that it would be reasonable for Experian to incur the expense of doing so in the course of doing business over months and years.

Finally, the Tribunal expected Experian to consider what it could do to discontinue using data obtained from data subjects who had not received a privacy notice (even in circumstances where the personal data had been anonymised in models). The Tribunal found itself unable to make any specific orders in this regard because of the challenges surrounding data that had been anonymised, and because it could not order Experian to take steps that were unclear or incapable of implementation.
 

Transparency  – Key Takeaways from the Tribunal decision

Information layers, hyperlinks and expandable headings are good techniques to overcome the tension between providing large amounts of information (with the aim of improving transparency) and avoiding information overload.

Privacy Notices can be provided via third parties, provided that there is a "sufficiently easy to follow trail through hyperlinks" from one notice to another.

The mere fact that providing a Privacy Notice would involve "considerable business expense" does not exempt controllers from disclosure on "disproportionate effort" grounds under Article 14(5).

 
Conclusion

There are a number of interesting takeaways from the Tribunal's decision. Perhaps the most striking is the Tribunal's significant departure from the ICO's original enforcement notice. Clearly, the Tribunal was not impressed with the "little to no evidence" produced by the ICO to support its positions in the enforcement notice. It would be interesting to know whether the Tribunal would have reached a different conclusion on key issues of transparency and legitimate interests had the ICO been armed with evidence to support its positions.  Nonetheless, the Tribunal's approach should provide businesses with more confidence to challenge any subjectively held assertions of the ICO in future.   

What is also notable is that the Tribunal seemed to approach a number of issues with significant business pragmatism. Such an approach appears to align with the indications from the UK government in relation to a more business-friendly approach to applying data protection principles in the future.  

The Information Commissioner confirmed that the ICO intends to appeal the Tribunal's decision at the UK IAPP Data Protection Intensive: UK 2023 conference, stating that, having carefully considered that judgement, he believed that the Tribunal had got the law wrong. It will be interesting to see how the appeal unfolds and whether the Tribunal's decision will in fact mark a change in attitudes towards transparency and reliance on legitimate interests in the context of this type of direct marketing activities.