In an appeal brought by the credit reference agency Experian against an Enforcement Notice issued by the Information Commissioner's Office (ICO) in 2020, the First-tier Tribunal (the Tribunal) has decided largely in favour of Experian, substantially scaling back the actions Experian is required to take.
You may recall that we have all been waiting for a big judgement on Experian for some time, but you would be forgiven for having forgotten what it was all about, since it started so long ago. To jog your memory: in the pre-pandemic summer of 2018, the ICO carried out an investigation into the data broking sector (specifically looking at the provision of offline direct marketing services by key data brokers, including Experian). Two years on, in 2020, the ICO issued an Enforcement Notice to Experian requiring it to make a number of changes to its data practices - largely in relation to transparency, and to processing on the basis of legitimate interests of personal data originally collected with consent. See our previous coverage of the ICO's data broking investigation here. Experian appealed the decision.
Below we look at the key findings of the Tribunal and the implications of the ruling.
At the core of the ICO’s original case was an argument that the processing undertaken by Experian would be surprising to those individuals whose personal data is processed and also that the processing was intrusive. The Enforcement Notice required Experian to provide an Article 14 GDPR compliant privacy notice to all data subjects who had not received one, and to not process their personal data until such a notice had been sent. Around 5 million data subjects were in scope of this requirement.
The Tribunal reviewed the decision, stating that "the Information Commissioner should have exercised her discretion differently" and found as follows:
- Sufficient information had already been provided in circumstances where a third party had provided the data subject with its own privacy notice which linked through to Experian's Consumer Information Portal (CIP). Whilst the ICO originally claimed that the CIP did not sufficiently highlight information which data subjects may find 'concerning or surprising', the Tribunal found that the CIP fulfilled the information requirements set out in Article 14 GDPR, stating that the ICO's position was "not in reality grounded in evidence but in supposition". It was held that "the Information Commissioner had fundamentally misunderstood the actual outcomes of Experian’s processing", noting that section 150(2) of the Data Protection Act 2018 requires the Commissioner to take into account the likelihood or actual occurrence of damage or distress to data subjects.
- It did not agree, however, with Experian's assertions that to provide 5 million data subjects with Article 14 information was disproportionate as per Article 14(5) GDPR. Whilst the information provided by Experian was sufficient to satisfy the information requirements of Article 14, the Tribunal held that the circumstances in which the requirement to give an Article 14 notice may be avoided under Article 14(5) were limited: "the fact that notifying the 5.3 million data subjects would involve a considerable business expense does not mean that it would be a disproportionate effort for the purposes of article 14 GDPR. That is a business expense which should have been incurred over time as a matter of routine compliance. If the costs of compliance were higher than Experian considered acceptable, then Experian was free to take a business decision not to undertake the processing. We find that Experian should have provided the residual cohort with an article 14 privacy notice and did not do so. It was therefore non-compliant in that respect."
- On that basis, the Tribunal found a contravention by Experian and has given Experian a year to ensure that a privacy notice is provided to data subjects whose personal data was (and is) obtained from sources where they have not been directly or indirectly provided with access to Experian's CIP (for example, through a third party's own privacy notice).
Legitimate interests as a lawful basis for further processing
Another element of the ICO's original case, and perhaps the one that was most hotly awaited on appeal, was that the assessments undertaken in balancing Experian’s legitimate interests were flawed and, as such, that legitimate interests could not be relied upon to process data originally collected pursuant to a data subject's consent.
The Tribunal agreed only in part, and found that:
- With respect to the assessments carried out, legitimate interests could still be relied upon for direct marketing purposes, although not where the personal data had originally been collected on the basis of consent.
- It therefore found that Experian had breached the GDPR when it relied on its legitimate interests to process personal data obtained from third parties which those third parties had collected from individuals on the basis of consent: “we do not accept that legitimate interests is a proper means by which that data could have been used by Experian for the purpose it was processed”. However, the Tribunal acknowledged that this point was academic going forward, given that Experian no longer operates in this manner, and so no orders were made in relation to it.
Implications of the ruling
- This is a common sense approach from the Tribunal, taking into account the nexus of factors at play beyond the bare GDPR requirements, such as economic impact and data subject expectation. The decision is significant because, as well as overturning the corresponding statements in the 2020 Enforcement Notice, it suggests that the Tribunal disagrees with the ICO's overarching opinion (set out in its 2020 investigation report) that “mass processing of personal data for these [data broking] purposes, without adequate transparency, is out of line with the reasonable expectations of the public”. The Tribunal accepted that the likelihood of harm to individuals was low and that, even so, data subjects may not necessarily care greatly. The comments above on measuring the level of 'surprise' to a data subject reflect this.
- This finding also partially rebuts the ICO's 2020 finding that credit reference agencies' processing of personal data can be considered 'invisible'. The exception is the small number of cases where personal data is processed without the data subject having been directly or indirectly provided with a privacy notice, such as where the data has been collected solely from public sources. The ICO's 2020 finding had suggested that invisible processing was significantly wider in scope.
- It is the first decision we have seen focusing so specifically on Article 14(5) and the exceptions to the provision of privacy notices where personal data has been received from a third party. Clearly, the threshold for what constitutes 'disproportionate effort' is high: the cost of notification will not count where it is simply the cost of routine compliance that should have been incurred over time. Data controllers seeking to rely on the exception should not use Article 14(5) as a means to avoid the inevitable costs associated with data protection compliance.
- The confirmation that legitimate interests is a valid lawful basis for direct marketing purposes is also a very welcome one, and aligns with recent guidance published by the ICO that legitimate interests can be relied upon for direct marketing falling outside the scope of cookie rules.
- However, there is the clear reminder again that it is not possible to switch from reliance on consent as a lawful basis to legitimate interests at a later date (as has always been the case under the GDPR).