On Monday this week, the First-Tier Tribunal published its judgment on Experian’s appeal against the ICO’s enforcement notice. The tribunal allowed the appeal in part and made a substitute decision with such minor ramifications for Experian that some have suggested the industry can “keep calm and carry on.”
The enforcement notice, first issued in 2020, followed the lengthy investigation into key players involved in processing large volumes of data for Direct Marketing purposes. Involved were the UK’s 3 major Credit Reference agencies, Experian, Equifax and TransUnion, alongside so-called data brokers GB Group, DLG & PDV and Acxiom.
Equifax and TransUnion quickly removed their marketing products to avoid enforcement, but in 2020 Experian was issued with an enforcement notice against which they appealed. DLG & PDV’s audit was completed to the ICO’s satisfaction back in 2021, and the remaining 2 (GBG and Acxiom) are yet to be confirmed.
The tribunal’s ruling on Monday has thrown up a few interesting precedents which are worth direct marketers taking a closer look at. This is a slightly deep dive because it’s an important topic for us direct marketers so grab your cuppa and settle in.
Firstly, the good news.
The use of legitimate Interests (LI) as a lawful basis for Direct Marketing has never been in doubt. What the tribunal has clarified, is that considering the benefits to the individual of receiving relevant offers within the balancing test is acceptable and that the receipt of such offers is unlikely to cause distress or harm (dependent on the subject matter of course!). Therefore, the likelihood of LI being the most appropriate lawful basis for processing just got a bit higher.
Data aggregators like Experian rely upon their data sources to use their privacy notice to inform individuals that Experian will process their data for direct marketing purposes. The implication being that Experian does not have to notify people again, upholding the exemption within Article 14 which states you don’t have to tell people what they already know.
Keep Calm and Carry On then…
Well, perhaps.
It does however raise the question of how often you should remind individuals that you are processing their data. Should this be annual, every two or three years, or is once enough?
There are another couple of important reminders within the ruling.
Disproportionate Efforts
First and most obvious is that if you want to process data from the Open Electoral Register, you must fulfil your Article 14 obligations.
“If the costs of compliance were higher than Experian considered acceptable, then Experian was free to take a business decision not to undertake the processing.”
The tribunal ruled that Experian’s reliance on disproportionate efforts was not acceptable – an Article 14 notification must still be fulfilled. And with the cost of such notification being extraordinarily expensive, the impact on more than a few data aggregators who use the Open Electoral Register is going to be very significant.
Experian has 3 months to decide what to do and may choose not to process that data anymore. If you are using data that is sourced from the Open Electoral Register, you should ask for evidence that your data provider has fulfilled an Article 14 notification otherwise you may also be in breach of GDPR.
Changing Legal Basis
The Tribunal also found Experian to be in breach of GDPR as a result of a change in the legal basis for processing data. This is where their data providers collect data under consent for onward processing under legitimate interest.
“There is a significant difficulty in moving data acquired on a consent basis – the model by which the third-party suppliers acquire it, and that data being used by Experian on the grounds of legitimate interests.”
Fortunately for Experian, this was a historical matter that no longer occurs, so the subject was closed. However, for other marketers this still exists. We see many data collectors that continue to collect data under consent and either don’t reference processing under legitimate interest or mix up the language so completely that transparency is destroyed.
Marketers need to be certain that if they want to rely upon LI, their data provider has covered Legitimate Interests with individuals at the point of data collection. This is easier to audit when using data collectors who collect first-party data directly from individuals. But for any supplier, ensuring that lawful bases are clear on the originating source is crucial to avoid the risk of being in breach of GDPR.
More Keep Concentrating and Carry on then, it seems.
Overall, Experian has done well to help the rest of us maintain a focus on the DPA 2018 as it is written in law rather than get caught up in some of the more far-reaching interpretations of the legislation. A victory for common sense you might say. For more detail, you can find the full published report here.
