On 27 October 2020, the ICO served an enforcement notice on Experian, confirming that it was requiring the credit reference agency to "make fundamental changes to how it handles people’s personal data within its direct marketing services". The enforcement action against Experian arose out of a wider two-year investigation into a handful of so-called ‘data brokers’ where the ICO identified issues with the way Experian and some other credit reference agencies used data they had collected.
According to the ICO, Experian’s direct marketing arm acquired personal data on data subjects from a variety of sources, including publicly available sources like the electoral register, the credit reference aspect of its own business, and from data suppliers that had acquired data through their own interactions with individuals. Experian then collated the data to build a profile on those individuals – almost 50 million adults – and sold the data on for marketing purposes.
The ICO said the processing was “on a scale and for detailed analytical purposes which few data subjects would expect”. It said the privacy notices of Experian and other organisations who shared data with Experian were not sufficiently clear on the basis for data collection and use for direct marketing.
Experian argued that the processing was not intrusive and likely to have been expected by the data subjects. However, in relation to the data gathered from public sources and third party suppliers, the ICO considered there had been “invisible processing”. It said data subjects had not been made aware of the processing operations and could not have anticipated that data collected about them for some purposes, like for conducting credit checks, would be used for direct marketing purposes.
Experian submitted that it would be disproportionate to require it to directly notify data subjects about its processing of their data collected from public sources and third parties. It said notification would be “extremely costly and ignored by data subjects”. However, the ICO said application of the proportionality principle in data protection law “does not favour prioritising the protection of Experian’s business model over the data rights of the huge number of affected data subjects”.
The ICO also took issue with the lawful basis on which Experian processed the data.
The General Data Protection Regulation (GDPR) sets out six lawful bases for processing personal data. Consent is one of these. However, processing of personal data can be undertaken without consent if one of the other five legal bases can be relied upon, including if the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
The ‘legitimate interests’ ground can only be relied upon for processing personal data if the interests cited by the controller are not “overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data […]”. A balancing exercise therefore needs to be undertaken by any organisation seeking to undertake legitimate interests processing – the ICO has issued a template legitimate interests assessment (LIA) to support that exercise.
Experian relied on its ‘legitimate interests’ as the basis for processing all the personal data it held for direct marketing purposes.
The ICO said, though, that the data sourced from third party suppliers was generally obtained from the data subjects on the basis of consent, and that Experian was thereafter unable to rely on its own legitimate interests for further processing that data.
Experian had conducted LIAs and concluded that its commercial interests in processing the data were legitimate interests and that those interests were not overridden by the interests, rights or freedoms of the data subjects. It considered, among other things, that its processing for profiling is not intrusive of privacy.
However, the ICO said that the approach the company took with its LIAs was “unjustified and indicative of a failure to properly balance the interests engaged”. It said that while legitimate interests could be a lawful ground for processing data in order to profile individuals for direct marketing purposes where the processing was not intrusive, it is “unlikely that a controller will be able to apply legitimate interests for intrusive profiling for direct marketing purposes” since that type of profiling “is not generally in an individual’s reasonable expectations and is rarely transparent enough.”
The ICO also considered that there was “little or no wider public interest in Experian’s processing beyond its own commercial interests, and the commercial interests of its third party clients”. While it described commercial interests as “valid interests”, it said businesses “cannot create an operating model based upon a mass processing of personal data and then rely on that model to seek to avoid any of the requirements of the GDPR”.