Experian appeals the ICO’s Enforcement Notice – who comes out best?
The ICO’s Enforcement Notice issued to Experian in 2020, claimed the manner in which Experian processed personal data to provide direct marketing services to its clients was unlawful. Experian appealed the decision which was heard by the First-Tier Tribunal (the Tribunal) of the General Regulatory Chamber (Information Rights) (EA / 2020 / 0317). The ICO’s press statement is suggestive of an even decision; looking at the background of the case, this article asks whether the ICO are glossing over what is in fact a crushing decision for the regulator.
Background
Most readers will be familiar with Experian in its function as a credit reference agency, in fact it is near impossible to access certain products without undergoing a credit check. Consequently Experian’s databases hold information on approximately 50 million individuals (nearly every UK adult). Experian has another less well known side to its business: it provides marketing services to clients by making use of its vast datasets through data analytics.
The ICO challenged Experian in relation to the side of its business that processes personal data to provide marketing services and specifically the products that assist clients provide ‘offline’ direct marketing. Under the General Data Protection Regulation (GDPR) and Data Protection Act 2018, Experian is a controller for the purpose of these marketing services.
The ICO’s Enforcement Notice concerned three products used by Experian to provide marketing services to third party clients.
- ConsumerView: which holds data on the UK adult population and combines names and addresses with up to 13 attributes. Experian process this data to model information on the demographic, social, economic and behavioural characteristics of individuals and households on a predictive basis;
- ChannelView: which holds the names, postal addresses, email addresses and mobile phone numbers of approximately 24 million individuals. This data is generally provided to Experian from third party websites; and
- Mosaic: which is a system that uses data from public and commercial sources to group people and households into overarching groups and types.
By building a character profile for nearly every UK adult one can see how these tools would enable companies to make their direct marketing more efficient. These products also generated close to £9 million profit for Experian in the financial year before the case was heard.
The ICO’s case
The ICO’s case against Experian’s direct marketing products can be broken down into separate alleged contraventions of the GDPR, we will look at each in turn:
Fair and transparent processing
Article 5(1)(a) GDPR requires controllers to be fair and transparent with data subjects about the data they collect and how that data is processed, without such transparency data subjects cannot properly exercise their rights. The ICO’s Enforcement Notice made the case that Experian was not sufficiently transparent about the scale and extent of its processing. Experian contended their privacy notices and Consumer Information Portal (CIP) met the requirement of fairness and transparency with data subjects. The ICO considered Experian’s measures to fall well short, stating:
The privacy notices and the CIP were insufficiently clear in explaining how data is collected, processed and sold. They did not make clear that credit data is processed in connection with direct marketing…The CIP emphasises the benefits of data broking, without giving any real explanation of potential drawbacks or outcomes that individuals may find undesirable.
Moreover, the ICO considered Experian’s procedures did not make it clear that when they collected data from an individual to run a credit check, that individual’s data would also be processed for the purpose of building direct marketing products. Consequently the ICO took the view that Experian had failed to obtain data subjects’ consent when it used their personal data to this end. The ICO were of the view that Experian should have obtained separate consent for processing for the purpose of providing direct marketing services in addition to the consent they obtained when carrying out credit checks.
Notification of data subjects: Personal data from third parties
Article 14 GDPR sets out the information a controller is required to provide to data subjects when it acquires their personal data from a third party. Experian did not notify data subjects directly that their information would be used in direct marketing products, instead Experian relied on the fact that data subjects had already been notified by the third parties’ privacy policies (thereby meeting the exception under Article 14(5)(a) GDPR). Further, the third parties’ privacy policies would typically contain links to Experian’s CIP.
Notification of data subjects: Publicly available personal data
Experian obtains a proportion of personal data from public available sources such as the Electoral Register, Companies House etc… The provisions of Article 14 GDPR still apply when a controller obtains personal data from a publicly available source. A controller can be exempt from notifying data subjects that their personal data has been obtain and is being processed if they can show the provision of such information would prove impossible or would involve a disproportionate effort (Article 14 (5) (b)).This must be balanced against the data subject’s rights and freedoms and legitimate interests. In applying this test Experian took the view that the cost of notifying millions of UK adults would be disproportionately expensive, the ICO took the opposing view.
The ICO’s argument hinged on the fact that the large numbers of data subjects involved should not in itself be a determinative factor against the proportionality of notification: otherwise controllers are given a perverse incentive to accumulate data about as many individuals as possible, in order to support their case on proportionality and hence reduce the burden of notification.
Further the ICO noted that the process of using publicly available data to supplement personal data it already held or ‘gap-filling’ would also go beyond the reasonable expectation and understanding of the data subject based on the statutory notice provided to them.
It is noteworthy that Experian accepted that approximately 10% of data subjects who’s personal data was acquired from publicly available sources would not have received notifications and links to the CIP. This group numbered around five million individuals and would be referred to by the Tribunal as the ‘residual cohort’.
Unlawful processing
The Enforcement Notice also found Experian to be in breach of the transparency requirements on the basis that its processing did not meet the lawfulness criteria under Article 6(1) GDPR.
The ICO noted that Experian had obtained personal data for its direct marketing products from third party suppliers which had been collected on the lawful basis of consent, it was therefore wrong that Experian was further processing that personal data by relying on its own legitimate interest as a lawful basis for processing. Where personal data was initially acquired and processed on the legal basis of consent, Experian should have obtained consent for the secondary purpose of building direct marketing products.
Moreover the ICO considered Experian should not be able to rely on its legitimate (business) interests as a lawful basis where the processing of personal data amounted to intrusive profiling for direct marketing purposes. The ICO noted that Experian’s profiling was intrusive by reference to: the quality and quantity of personal data involved and that the extent of profiling would not have been in the expectations of the data subjects involved.
When issuing an Enforcement Notice the ICO is required to consider whether the unlawful activity in question was harmful to the data subjects involved. The ICO’s assessment concluded Experian’s activities were harmful as it was likely that (a) data subjects would have been distressed by the perceived loss of control of their data and (b) a significant number of data subjects would have received direct marketing which they did not expect to receive.
What the Tribunal decided
Firstly, it should be noted that the Tribunal examined witnesses from both parties and made findings of fact as to the nature and extent of Experian’s processing of personal data. It should also be noted that the Tribunal found the evidence provided by the ICO’s main witness to be significantly flawed in a number of respects.
The Tribunal took issue with the ICO’s assertion that data subjects would be ‘surprised’ that their personal data was being used for the purpose of direct marketing and considered that this should not hold much weight when balanced against Experian’s legitimate interest. That Experian processed personal data by relying on its legitimate interest when that data had in fact had been collected by third parties on the consent basis was not missed by the Tribunal. The Tribunal held Experian had acted improperly in this regard but was of the view that this was now an academic point as Experian had stopped doing that already.
The Tribunal honed in on Experian treating personal data it had acquired through its credit referencing as non-prospect-able – meaning Experian would not share such personal data with third party clients for direct marketing purposes. Conversely, only personal data that was obtained from open sources or third parties would be prospect-able. The Tribunal took the view the ICO had failed to properly appreciate that the personal data Experian had derived from credit checks was only used to build its direct marketing products to a limited extent.
The Tribunal also found Experian’s direct marketing products were not prejudicial to those with poor credit ratings rather, by precluding people from being targeted for products they could not afford, pre-screening was in fact in the public interest.
In stark contrast to the ICO, the Tribunal considered data subjects had not suffered any harm or distress from not being retrospectively notified of Experian’s processing; in fact the Tribunal considered an ‘out of the blue’ notification would at best be ignored by data subjects and at worse would cause them confusion or distress.
The Tribunal found that Experian’s method of notifying data subjects through third party privacy notices, which then linked to the CIP, met the requirements of notification under Article 14. In spite of the extent and nature of Experian’s data processing, the CIP was sufficiently clear and the process of hyperlinking was easy to follow. The Tribunal noted the research data which shows that actually most people do not care about what happens to their data and that a controller cannot force data subjects to read their privacy policies. In fact, a privacy policy starting with a broad explanation of a data subject’s rights was more appropriate.
The Tribunal did find that the ‘residual cohort’ of five million data subjects whose data had been obtained from publicly available sources had not been notified in compliance with Article 14 and in this regard it found that Experian had contravened the GDPR. However, the Tribunal did not consider Experian should be required to issue such notices to the residual cohort retrospectively as the cost would now be disproportionate. The Tribunal added that in any event the cohort had not suffered damage or distress as a result of Experian’s failure to provide an Article 14 notice. The Tribunal did however order that Experian would in future need to ensure it notifies data subjects that their personal data will be used for the provision of direct marketing services but only when Experian obtain the personal data from a publicly available source.
Lastly, the Tribunal broadly accepted that Experian had obtained a commercial advantage from processing personal data that had been obtained without providing an Article 14 notice – however the Tribunal stated that it could not impose a sanction or require Experian to take steps to rectify this as any steps would be unclear and incapable of implementation.
Conclusion
For the Tribunal to hold that the Information Commissioner had fundamentally misunderstood the actual outcomes of Experian’s processing will come as a chastening blow to the regulator. The ICO’s Enforcement Notice took issue with how Experian processes personal data in providing direct marketing services. If the Tribunal had reaffirmed the main thrust of the Enforcement Notice, Experian would have had to change its notification processes and reapproach the legitimate basis on which it has been relying. Experian argued that the cost of implementation and retrospectively obtaining consent from swathes of the UK adult population would have been huge, it would also have outweighed the profit Experian derive from the direct marketing side of its business.
The decision tells us that a Tribunal may be unwilling to impose sanctions where a controller has relied on the wrong legal basis but has subsequently rectified its position.
Another key takeaway from this decision is that controllers can legitimately rely on linking their own privacy policies to the policies of third parties, to satisfy the notification requirements under Article 14 GDPR, provided of course a controller’s own policy is sufficiently transparent.
The most striking thing about the decision is that the Tribunal was not prepared to accept the ICO’s assertions about the effect of the data processing on the data subjects. The ICO had argued that Experian’s processing was likely to cause distress to data subjects. The Tribunal expected the ICO to provide evidence to support that view, and the ICO seems to have struggled. One of the factors the ICO takes into account when deciding whether to exercise its enforcement powers is the distress suffered as a result of a breach. Will the Tribunal’s decision alter the ICO’s approach in those cases, and will we start to see the ICO being challenged more frequently as a result of this decision?
To hear more from our Technology and Innovation team, visit their homepage.