First tier tribunal ruling on Experian appeal against the ICO

Landmark case for the direct marketing industry

In a landmark case for the direct marketing industry, the First Tier Tribunal has now ruled on Experian’s appeal against the ICO’s enforcement notice issued in 2020. The case concerns Experian’s use of personal data obtained from various sources, including publicly-sourced data, such as credit reference data, and from third party data suppliers, for direct marketing purposes.

Essentially, the FTT found mostly in Experian’s favour and was critical of the ICO in some respects. Although the key element of the ICO’s case was Experian’s failure to notify data subjects in accordance with the transparency requirements under the GDPR, perhaps most significant was the FTT’s confirmation that legitimate interests can be a lawful basis for processing personal data for direct marketing purposes, provided of course that an appropriate balancing test has been undertaken.

On the notification point, the FTT found that Experian had failed to provide a privacy notice to a small cohort of individuals (5.3 million data subjects from a total of 51 million) in breach of the GDPR (its reliance on the ‘disproportionate effort’ exemption being rejected by the FTT). However, the ICO had not properly exercised her discretion in ordering Experian subsequently to provide a privacy notice to that cohort. She had “got the balance wrong in terms of proportionality” and should have considered whether the failure had caused or would be likely to have caused any person damage or distress. The FTT found that ordering Experian to provide a notice now would be disproportionate.

A small fly in Experian’s ointment was the FTT’s finding that by relying on legitimate interests to process personal data obtained from third party suppliers which had themselves obtained that data based on consent, Experian was in breach of the GDPR, legitimate interests not being “a proper means by which that data could have been used by Experian for the purpose it was processed”. However, the FTT acknowledged that since Experian have ceased to use suppliers relying on the consent basis, the issue is no longer relevant.

In its Substitute Decision Notice, the FTT has given Experian: (i) three months to set up a system enabling it to provide all data subjects whose personal data is obtained from the Open Electoral Register, the Registry Trust Limited or Companies House, with a privacy notice; and (ii) twelve months to provide the notices (either itself or via the relevant third party open source). The FTT imposed no financial penalty.

The ICO says that it will take stock of the judgment and carefully consider next steps, including whether to appeal.

All in all, this looks like good news for direct marketing.

Richard Lindsay | Director of Legal & Public Affairs

For further information, please contact [email protected]

Last updated 07 December 2023