The First-Tier Tribunal (Information Rights) has ruled on Experian's appeal against an ICO enforcement notice. The notice required Experian to improve transparency and direct marketing practices.
From July 2018 the Information Commissioner carried out an investigation into the data broking sector, specifically the provision of offline direct marketing services by key data brokers including the three largest credit reference agencies - Equifax, Experian and TransUnion.
The ICO issued an Enforcement Notice to Experian Limited in October 2020 following its two-year investigation into how the credit reference agencies were using the personal information of UK adults for direct marketing purposes. Organisations issued with an ICO Enforcement Notice have the right to appeal to the First-Tier Tribunal (Information Rights) within 28 days of receiving the notice. The core of the Information Commissioner's case was that the processing undertaken by Experian will be surprising to those individuals whose personal data is processed, the processing is intrusive, and that the assessments undertaken in balancing Experian's legitimate interests are flawed.
Experian appealed, and the First-Tier Tribunal (Information Rights) has now ruled on the Experian's appeal against the Enforcement notice.
The Tribunal agreed with the ICO that Experian had not processed the personal data of over five million individuals transparently, fairly or lawfully, because it had failed to notify them that it was processing their data to carry out direct marketing. Experian processed information about approximately 51 million data subjects, but the group of five million had not historically received a privacy notice. The Tribunal said that the fact that notifying the 5.3 million data subjects would involve a considerable business expense does not mean that it would be a disproportionate effort under Article 14 GDPR. That is a business expense which should have been incurred over time as a matter of routine compliance. If the business expense which should have been incurred over time as a matter of routine compliance. If the costs of compliance were higher than Experian considered acceptable, then Experian was free to take a business decision not to undertake the processing. The Tribunal found that Experian should have provided the 5.3 million with an article 14 privacy notice and did not do so. It was therefore non-compliant in that respect.
However, the Tribunal was wary of some ICO witness evidence. It did not agree with the ICO that Experian should now have to provide a privacy notice to the five million people. It doubted that anyone had suffered damage or distress due to the lack of Experian providing a notice and to order notification now would be disproportionate. It said that the ICO should have exercised her discretion differently in that she should have balanced the objectives in issuing the enforcement notice against (a) the fact that the uses to which the personal data were put did not result in adverse outcomes for the data subjects, (b) the economic impact that the expense would have on Experian when incurred at once rather than over months or years, and (c) the likely reaction of the data subjects to receiving an 'out of the blue' notification, which reaction was likely to be either disinterest resulting, for example, in the data subject just putting it in the bin or possibly some confusion or even distress.
The Tribunal was cognisant of the fact that some of the personal data has been used to build models from which Experian may continue to derive a commercial benefit. Any processing of personal data collected in circumstances where an article 14 privacy notice should have been given and has not been given will continue to be non-compliant and Experian should consider what it can do to discontinue this processing. This applies even where the personal data has ceased to be personal data because its inclusion in the models is anonymised. Taking personal data and anonymising it is a form of processing of personal data and that processing must be compliant. However, the Tribunal cannot order steps which are unclear or incapable of implementation.
The ICO says that it will take stock of the judgment and carefully consider next steps, including whether to appeal. It may also need to review its direct marketing guidance. It may also take a different approach in future as it is now led by Jonathan Edwards rather than Elizabeth Denham. An appeal against a decision of the First-Tier Tribunal can be made to the Upper Tribunal.