Privacy & Information Security Law Blog

On February 20, 2023, in the case of Experian Limited v The Information Commissioner, the First-Tier Tribunal in the UK (the “Tribunal”) ruled on the ICO’s action to require Experian to make changes to how it processes personal data for direct marketing purposes. While the Tribunal supported the ICO in certain respects, it largely ruled in favor of Experian and issued a Substituted Decision Notice, as detailed further below.

Background

The case relates to an ICO investigation that began in July 2018 into how Experian and two other credit reference agencies (“CRAs”) used the personal data of UK data subjects for direct marketing purposes. The investigation resulted in an ICO enforcement notice in October 2020, further details of which can be read here.  Experian appealed the enforcement notice, which was heard by the Tribunal.

Substituted Decision Notice

While the Tribunal largely ruled in Experian’s favor, it did issue a Substituted Decision Notice, which requires the following:

• Within three months of the Tribunal decision date (the “Decision Date”), Experian must implement a system designed to provide all data subjects whose personal data Experian obtains from the Open Electoral Register, the Registry Trust Limited or Companies House with a GDPR-compliant privacy notice.
• Within 12 months of the Decision Date, Experian must provide the privacy notice to all such existing relevant data subjects.  It also must continue to provide the privacy notice to all new relevant data subjects.
• Experian does not need to provide a privacy notice where Experian: (1) obtains personal data from its CRA business, consumer services business or third-party commercial suppliers; (2) limits its processing of personal data to the retention or sale of data from the Open Electoral Register; (3) processes personal data solely in connection with its directory enquiry or suppression databases; or (4) ceases to process personal data about a data subject (who would otherwise be sent the privacy notice) for direct marketing purposes at any time within 12 months of the Decision Date.

The Substituted Decision Notice requires notification to data subjects on a significantly smaller scale than was required by the original ICO enforcement notice. In issuing the Substituted Decision Notice, the Tribunal stated that it “must stand in the shoes of the Information Commissioner and ask whether the Information Commissioner should have exercised her discretion differently.” With respect to the ICO enforcement notice, the Tribunal held that the ICO incorrectly balanced the objectives of issuing the enforcement notice against certain factors, including that Experian’s processing of personal data did not result in adverse outcomes for data subjects. The Tribunal found that the ICO “fundamentally misunderstood the actual outcomes of Experian’s processing.”

The Tribunal found persuasive Experian’s argument that its clients do not seek to target particular individuals but instead seek a “list of those who are more likely to respond to the offer” sent by clients.  The Tribunal also found persuasive Experian’s assertion that the “worst outcome of Experian’s processing . . . is that an individual is likely to get a marketing leaflet which might align to their interests rather than be irrelevant.”

Key Takeaways

• Transparency
  • In opining on how Experian complies with its transparency requirements under the GDPR, the Tribunal found that, in this case, notice through third parties is sufficient.  Specifically, the Tribunal found that – (1) the Credit Reference Agency Information Notice (CRAIN), which is made available by lenders to individuals whose data is acquired via the CRA, and (2) Experian’s Consumer Information Portal (CIP), which details how the Experian Marketing Services uses personal data – together provide data subjects with an understanding of Experian’s business. The CRAIN provides a link to the CIP and therefore offers a layered approach to providing notice on how CRA data is used for the Experian Marketing Services.
  • In coming to this conclusion, the Tribunal noted that there is a “tension between providing large amounts of information…with the aim of improving transparency and accessibility of information and…the resultant information overload,” and that this tension is, to an extent, met by layering information. The Tribunal further stated that, “common sense would tend to suggest that it is only those who are actually interested in what happens to their data who would read beyond the first part of a privacy notice.”  Applying this to the CIP, the Tribunal found that there is a “sufficiently easy” trail of hyperlinks to the CIP that allows those concerned to learn more.
  • While the Tribunal did acknowledge that consumers likely would be surprised by the “very large” scale and nature of Experian’s data processing activities, it found that the information disclosed to consumers in the two notices was “sufficiently prominently displayed and accessible to data subjects who want to understand how their data will be processed.”
• Article 14(5) Exemption
  • Experian sought to rely on the exemption provided by Article 14(5) of the GDPR to not provide notice to approximately 5.3 million data subjects, by asserting that providing the notice would involve disproportionate effort. The Tribunal disagreed with Experian, acknowledging that while notifying 5.3 million data subjects would incur a considerable expense, it would not involve disproportionate effort.
  • The Tribunal therefore concluded that Experian violated Article 14 and stated that it “fully expects that Experian will rectify this non-compliance in respect of its future personal data collections” and “should consider what it can do to discontinue” processing of personal data that should have been the subject of an Article 14 notice but was not. The Tribunal stated that it was “satisfied that it is unlikely that any person has suffered damage or distress as a result of Experian’s failure to provide an article 14 notice.”

Next Steps

In its statement on the case, the ICO indicated it is considering whether it will appeal the Tribunal’s decision.