The First-Tier (Information Rights) Tribunal (the Tribunal) has ruled (largely) in favour of Experian in its appeal against the Information Commissioner’s Office (ICO), in relation to the ICO’s enforcement notice relating to how Experian uses personal data for direct marketing purposes. The enforcement notice followed a two-year investigation into data protection compliance in the direct marketing data broking sector.
To recap:
- Experian Marketing Services, a business unit within Experian, processes the personal data of around 51 million people in the UK (most of the adult population) to provide marketing services to its clients.
- It does so by combining their name and address information, with a total of up to thirteen “actual attributes”, which it then processes to create modelled information (predictions) on the characteristics of the 51 million individuals. Experian’s data sources include publicly available information (e.g. from Companies House and the Open Electoral Roll), third parties and from its own Credit Rating Agency (CRA) business.
- In April 2019 Experian received a draft enforcement notice from the ICO (revised in April 2020) relating to Experian’s processing of personal data for offline (not online) marketing services. A final enforcement notice was issued in October 2020.
In the Tribunal’s words, the core of the ICO’s case is that the processing undertaken by Experian will be surprising to individuals, the processing is intrusive, and that assessments undertaken in balancing Experian’s legitimate interests are flawed.
Amongst other things, the ICO considered that it was not appropriate for data obtained by Experian in the context of its CRA credit reference data to be processed for direct marketing purposes, and that Experian’s existing fair processing notices fail to achieve the necessary level of transparency.
However, during the six-day hearing before the Tribunal, the ICO’s key witness made a number of concessions which were detrimental to the ICO’s case. For example:
- He agreed that Experian did not know in any particular case whether Experian’s assumptions about individuals were right or wrong, and he could not state whether the ICO made any efforts to ascertain the proportion of actual (true to life) data points being processed as opposed to the assumptive data points.
- He did not know if the ICO was aware of the fact that Experian’s CRA data was never provided to clients, which he also agreed was a “hugely important consideration”.
- He accepted that consumers benefitted from some of Experian’s processing activities, for example that they ensured that Experian’s clients respect the marketing choices made by consumers and that the activities can protect against distressing outcomes, a matter which was not considered in the ICO’s decision notice.
- He accepted that the ICO’s report into the data broking sector (not specifically Experian) failed to present a balanced account of Experian’s processing, and he accepted it did not include any of the benefits of its processing for data subjects in a wider society. However, he did not accept that the report was “as good as useless”.
Suffice to say, the ICO’s witness had a bad day in the office. The Tribunal found that his evidence made “little sense” and had the effect of there being “little or no evidence to support some of the positions taken in the [ICO’s] enforcement notice”.
However, the Tribunal didn’t stop there, noting that the witness “worryingly” accepted that his own witness statement was “completely wrong, completely misleading and perverse” as regards his evidence that persons would find Experian’s data processing distressing. Ouch.
Against that characterisation, the Tribunal found:
- That individuals would not find Experian’s processing surprising; “It is not in reality grounded in evidence but is supposition. Further, the mere fact that some people might subjectively find some things “surprising” is not a particularly useful yardstick”.
- That modelled data points may not reflect actual characteristics and, therefore, the processing of that data is less intrusive than processing actual data.
- While data held by Experian’s CRA business is “sensitive” and “individuals have little or no choice about providing their data to Experian”, it is important to bear in mind that Experian treated it as “non-prospectable” (meaning Experian will not share the name and address data with their clients for the purposes of reaching potential new customers or prospects).
- That there are benefits to wider society in its further use for direct marketing purposes (and that the ICO failed to appreciate either of these points). For example, Experian’s marketing services help organisations to comply with the accuracy principle, and prevent individuals from being marketed financial products that are not affordable to them (and where a refusal may cause difficulties for their credit score).
- The worst outcome of Experian’s processing is that an individual is likely to get a marketing leaflet which might align to their interests rather than be irrelevant. Following Lloyd v Google LLC [2021] UKSC 50, it is unlikely that there would, in this scenario, be a data subject who is likely to succeed in a damages claim.
- Experian’s transparency information is sufficient; if people were concerned (can be bothered!) to read it, there is a sufficiently easy to follow trail through hyperlinks which enables people to learn more.
Accordingly, the Tribunal repealed much of the ICO’s enforcement notice.
However, there was some silver lining for the ICO; the Tribunal did find that Experian failed to provide transparency information to a cohort of around 5 million individuals and that this should be remedied. Therefore the ICO’s conclusion that the Tribunal “supported aspects of the ICO's decision, while allowing Experian’s appeal in other areas” is accurate if not a relatively generous spin on the matter.
So - what can we learn?
The decision is in keeping with a general trend that's emerging of legitimate interests being more readily available as a lawful basis, provided individuals are informed of the processing, the processing is within the reasonable expectations of those individuals, and individuals' rights (especially the right of objection) are respected.
It remains to be seen whether the ICO will appeal to the Upper Tribunal, although we recently learned from a speech given by John Edwards (the Information Commissioner) that the ICO is seeking leave to do so.
While the Tribunal gave short shrift to the ICO’s arguments that individuals would not expect Experian’s processing activities, they didn’t clearly explain how those processing activities satisfy all elements of a legitimate interests assessment. However, this decision seems to follow a general pattern that’s emerging from the ICO (and/or the UK Government) giving weight to legitimate interests as a more readily available lawful basis; a challenge to this decision may contradict the agenda of the day.
On the other hand, this decision is a blistering attack on the ICO's previous work and a green light to processing activities that some may find intrusive, which it seems that the ICO may look to curtail through an appeal. If the ICO is granted leave to appeal (and do indeed decide to appeal), it will be interesting to see the basis upon which it chooses to do so.
We accept the submission that in order for weight to be attached to the Information Commissioner’s opinion that it has to be based in evidence. We accept also that in reaching a decision, the Commissioner and this panel must have regard to the regulatory decisions in respect of the economy, the environmental impact and positive benefits for the consumers of processing (which appear from [the witness's] evidence not to have been taken into account in the [ICO's] enforcement notice).