Experian’s GDPR appeal: lawfulness, fairness, and transparency
Ibrahim Hasan looks at the lessons to be learned from Experian’s successful appeal against an enforcement notice issued by the Information Commissioner’s Office.
On 20 February 2023, the First-Tier (Information Rights) Tribunal (FTT) overturned an Enforcement Notice issued against Experian by the Information Commissioner’s Office (ICO).
This case relates to Experian’s marketing arm, Experian Marketing Services (EMS), which provides analytics services for direct mail marketing companies. It obtains personal data from three types of sources: publicly available sources, third parties and Experian’s credit reference agency (CRA) business. The company processes this personal data to build profiles about nearly every UK adult. An individual profile can contain over 400 data points. The company sells access to this data to marketing companies that wish to improve the targeting of their postal direct marketing communications.
The ICO issued an Enforcement Notice against Experian in April 2020, alleging several GDPR violations, namely: Art. 5(1)(a) (Principle 1, lawfulness, fairness and transparency), Art. 6(1) (lawfulness of processing) and Art. 14 (information to be provided where personal data have not been obtained from the data subject).
Fair and Transparent Processing: Art 5(1)(a)
The ICO criticised Experian’s privacy notice for being unclear and for not emphasising the “surprising” aspects of Experian’s processing. It ordered Experian to:
- Provide an up-front summary of Experian’s direct marketing processing.
- Put “surprising” information (e.g. regarding profiling via data from multiple sources) on the first or second layer of the notice.
- Use clearer and more concise language.
- Disclose each source and use of data and explain how data is shared, providing examples.
The ICO also ordered Experian to stop using credit reference agency data (CRA data) for any purpose other than those requested by Data Subjects.
Lawful Processing: Arts. 5(1)(a) and 6(1)
All processing of personal data under the GDPR requires a legal basis. Experian processed all personal data held for marketing purposes on the basis of its legitimate interests, including personal data that was originally collected on the basis of consent. Before relying on legitimate interests, controllers must conduct a “legitimate interests assessment” to balance the benefits of the processing against its risks. Experian had done this, but the ICO said the company had got the balance wrong. It ordered Experian to:
- Delete all personal data that had been collected via consent and was subsequently being processed on the basis of Experian’s legitimate interests.
- Stop processing personal data where an “objective” legitimate interests assessment revealed that the risks of the processing outweigh the benefits.
- Review the GDPR compliance of all third parties providing Experian with personal data.
- Stop processing any personal data that has not been collected in a GDPR-compliant way.
Transparency: Art. 14
Art. 14 GDPR requires controllers to provide notice to data subjects when obtaining personal data from a third-party or publicly available source. Experian did not provide such notices, relying instead on the exceptions in Art. 14.
Where Experian had received personal data from third parties, it said that it did not need to provide a notice because “the data subject already has the information”. It noted that before a third party sent Experian personal data, the third party would provide Data Subjects with its own privacy notice. That privacy notice would contain links to Experian’s privacy notice.
Where Experian had obtained personal data from a publicly available source, such as the electoral register, it claimed that to provide a notice would involve “disproportionate effort”.
The ICO did not agree that these exceptions applied to Experian, and ordered it to:
- Send an Art. 14 notice to all Data Subjects whose personal data had been obtained from a third-party source or (with some exceptions) a publicly available source.
- Stop processing personal data about Data Subjects who had not received an Art. 14 notice.
The FTT Decision
The FTT found that Experian committed only two GDPR violations:
- Failing to provide an Art. 14 notice to people whose data had been obtained from publicly available sources.
- Processing personal data on the basis of “legitimate interests” where that personal data had been originally obtained on the basis of “consent” (by the time of the hearing, Experian had stopped doing this).
The FTT said that the ICO’s Enforcement Notice should have given more weight to:
- The costs of complying with the corrective measures.
- The benefits of Experian’s processing.
- The fact that Data Subjects would (supposedly) not want to receive an Art. 14 notice.
The FTT overturned most of the ICO’s corrective measures. The only new obligation on Experian is to send Art. 14 notices in future to some people whose data comes from publicly available sources.
FTT on Transparency
Experian had improved its privacy notice before the hearing, and the FTT was satisfied that it met the Art. 14 requirements. It agreed that Experian did not need to provide a notice to Data Subjects where it had received their personal data from a third party. The FTT said that “…the reasonable data subject will be familiar with hyperlinks and how to follow them”.
People who wanted to know about Experian’s processing had the opportunity to learn about it via third-party privacy notices.
However, the FTT did not agree with Experian’s reliance on the “disproportionate effort” exception. In future, Experian will need to provide Art. 14 notices to some Data Subjects whose personal data comes from publicly available sources.
FTT on Risks of Processing
An ICO expert witness claimed that Experian’s use of CRA data presented a risk to Data Subjects. The witness later admitted he had misunderstood this risk. The FTT found that Experian’s use of CRA data actually decreased the risk of harm to Data Subjects. For example, Experian used CRA data to “screen out” data subjects with poor credit history from receiving marketing about low-interest credit cards. The FTT found that this helped increase the accuracy of marketing and was therefore beneficial. As such, the FTT found that the ICO had not properly accounted for the benefits of Experian’s processing of CRA data.
The ICO’s Planned Appeal
The FTT’s decision focuses heavily on whether Experian’s processing was likely to cause damage or distress to Data Subjects. Because the FTT found that the risk of damage was low, Experian could rely on exceptions that might not have applied to riskier processing.
The ICO has confirmed that it will appeal the decision. There are no details yet of its arguments, but it may claim that the FTT took an excessively narrow interpretation of privacy harms.
Ibrahim Hasan is a solicitor and director of Act Now Training.
This and other data protection developments will be discussed in detail on Act Now's forthcoming GDPR Update workshop. There are only 3 places left on its next Advanced Certificate in GDPR Practice.