Tribunal favours Experian appeal in ICO data protection dispute

The issue of how consumers can benefit from data processing was considered by the First-Tier Tribunal (General Regulatory Chamber – Information Rights) (FTT) in an appeal brought by credit reference agency Experian (47-page / 484KB PDF) against an enforcement notice issued by the Information Commissioner’s Office (ICO) in 2020.

Experian’s direct marketing arm acquired personal data on data subjects from a variety of sources, including publicly available sources like the electoral register, the credit reference aspect of its own business, and from data suppliers that had acquired data through their own interactions with individuals. Experian then collated the data to build a profile on those individuals – around 50 million adults – and sold the data on for marketing purposes. Experian relied on its ‘legitimate interests’ to process the data it acquired. 

The FTT heard that the data collected from these sources was not processed in a uniform manner and it accepted Experian’s evidence that “each disclosure of data to a client is considered on a case-by-case basis”. Experian highlighted this in relation to the credit reference agency data in particular, a point which the FTT accepted, noting that the ICO “did not properly appreciate the limited extent” to which that data was used.

It is lawful, under the General Data Protection Regulation (GDPR), to process personal data if the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party – provided the interests cited are not “overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data […]”. A balancing exercise therefore needs to be undertaken by any organisation seeking to undertake legitimate interests processing.

The ICO, which has issued a template to help businesses undertake a legitimate interests assessment (LIA), criticised the approach Experian took with its LIAs, including believing Experian to have underplayed the intrusiveness of its data processing for direct marketing purposes.

However, the FTT has now determined that the ICO “fundamentally misunderstood the actual outcomes of Experian’s processing” and confirmed that legitimate interests can be a lawful basis for processing personal data for direct marketing purposes. Among other things, it said the ICO appeared not to have reflected any of the benefits of Experian’s processing in its enforcement notice – despite being duty bound to do so in its regulatory decision making.

Examples of the benefits to consumers of Experian’s data processing that were cited in the FTT decision included that it would ensure Experian’s clients’ respect for consumers’ marketing choices, potentially protect individuals “from distressing outcomes”, and enable consumers’ addresses to be validated and updated. Other public interest benefits were also identified by the FTT, such as that individuals would not be offered products they could not afford, that it could prevent underage individuals from gambling, and that it could help identify individuals who might be in fuel poverty and enable utility companies to support them.

Data protection law expert Rebecca Townsend of Pinsent Masons said: “The Tribunal accepted that direct marketing may be regarded as a legitimate interest but that the interests of the data controller and the individual must be balanced within the context of the applicable circumstances. The Tribunal appeared to consider a wide range of factors when determining whether processing is lawful or not, including the transparency of the processing, which in itself is fact- and context-specific; economic impact; and the benefit to data subjects of this processing.”

Much of the ICO’s case against Experian was built on its belief that data subjects had not been properly notified about the way in which their data would be processed. In particular, it was critical of the information Experian had shared via its consumer information portal (CIP). However, the FTT found that the ICO had not been able to evidence the CIP’s defectiveness at the time it had assessed it and found that the privacy notices presented to consumers via the CIP now do comply with the GDPR.

For the approximately 5.3 million people whose data was acquired by Experian from open sources, such as the open electoral register, the FTT found, though, that the data subjects had not received a privacy notice. This meant, it said, that the processing of their data “has not been transparent, fair or lawful”.

The FTT has given Experian a year to ensure individuals whose personal data is obtained by Experian from one or more of the Open Electoral Register, the Registry Trust Limited or Companies House receive a privacy notice, either directly from it or through one of the open source providers. There are exceptions to this requirement, however. They include if Experian has gathered data on the individuals from its credit reference agency business or third party suppliers too, or if Experian ceases the processing of their data for direct marketing purposes within the next 12 months.

Jose Luiz Rossi, managing director of Experian UK&I, said the company would build the notification requirements into the company’s processes in accordance with the deadline set by the FTT.  

In reaching its decision in relation to the 5.3m cohort, the FTT addressed concerns Experian had raised about the cost to its business of meeting the GDPR’s transparency requirements. The FTT described the cost entailed in notifying data subjects as “a business expense which should have been incurred over time as a matter of routine compliance” and said that if Experian considered the costs of compliance too high to bear, then it was “free to take a business decision not to undertake the processing”.

However, while the FTT found that Experian’s processing of the 5.3m cohort’s data was unlawful, it said it was unable to impose an order on the company to remedy this since it considered the steps available to do so to be “unclear or incapable of implementation”.

In this regard, the FTT reflected on the fact that the data had been used “to build models from which Experian may continue to derive a commercial benefit” and said that its continued processing would be non-compliant with the GDPR. It has encouraged Experian to “consider what it can do to discontinue this processing”. In doing so it confirmed that businesses cannot rely on anonymisation to avoid their regulatory obligations in relation to data that has previously been processed unlawfully, even though anonymised data is not subject to the GDPR.

The FTT also found that Experian had breached the GDPR previously when it processed personal data gathered from third parties based on its legitimate interests where the data had been obtained from individuals on the basis of consent. It said: “we do not accept that legitimate interests is a proper means by which that data could have been used by Experian for the purpose it was processed”.

Experian’s data protection and privacy lead told the FTT in evidence that the company no longer have suppliers who collect data on a consent basis and then transfer the data to be processed on the basis of legitimate interest, so the FTT has not ordered Experian to take action in this regard.

Data protection law expert Rosie Nance of Pinsent Masons said, however, that the FTT’s comments do little to clarify whether there could be circumstances where businesses are able to process personal data based on their legitimate interests where the data has been obtained on the basis of consent.

“The FTT’s comments are fact specific and still leave open questions on further processing,” Nance said. 

“Article 5(1)(b) of the GDPR requires personal data to be ‘collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes’. Only limited exceptions are cited for scientific or historical research purposes or statistical purposes,” she said.

“Recitals to the GDPR clarify that further processing can take place where consent is given, but do not clarify whether further processing on the basis of legitimate interests could be possible if transparency requirements were fulfilled,” Nance said.

The UK GDPR is liable to be updated by a new Data Protection and Digital Information Bill. The Bill was introduced to the UK parliament last year, but its second reading has been delayed amidst an uncertain political environment and the government is understood to be considering tabling reforms.

Nance said the Bill in its current form looks to tackle the limitations around further processing but may actually place an even greater emphasis on the need for consent in most commercial contexts. 

“The proposed new Article 8A lists a number of circumstances where processing of personal data for a new purpose can be considered compatible with the original purpose, the first of which is consent,” Nance said. “It then includes additional purposes, but most of these relate to public security, emergency responses, and safeguarding – although powers are provided for to allow the government to add to the list via secondary legislation.”

“The only additional purpose that could be of assistance in a wider range of business activities is processing ‘carried out for the purposes of ensuring that processing of personal data complies with Article 5(1) or demonstrating that it does so’.  This might be relied on, for example, for anonymisation of personal data, which, as the FTT has highlighted, still constitutes processing of personal data,” she said.

Another notable finding by the FTT was its view that it would be “unlikely” for any of the individuals who did not receive a privacy notice from Experian to succeed with a damages claim over the company’s failure to provide them with one, following the UK Supreme Court’s 2021 ruling in the Lloyd v Google case.

In a statement, the ICO said it will “take stock” of the tribunal’s decision and “carefully consider next steps, including whether to appeal”.

The question of whether purely commercial interests qualify as legitimate interests is being tested before the EU’s highest court. That fact that question has been referred to the Court of Justice of the EU (CJEU) shows that – in light of the FTT’s decision and with possible reforms to come with the UK Bill – the UK and the EU are at a crossroads of potential divergence on the issue of processing based on the lawful basis of legitimate interests, said data protection law expert Kathryn Wynn of Pinsent Masons.