Experian, the well-known Credit Reference Agency (CRA), holds and processes data relating to over 51 million people living in the UK, effectively the whole of the adult population. Experian also processes this data to provide offline marketing services, which it sells to its third-party clients. Experian does this by combining name and address information with a total of up to thirteen actual attributes. It then processes this data and creates modelled information on the demographic, social, economic and behavioural characteristics of these 51 million individuals on a predictive basis, the profile for each person running to up to 49 derived data points about individuals and up to 370 modelled points about individuals. Experian’s third-party clients purchase this enhanced data and use it to enrich their own marketing activities.

Experian acquires the personal data of individual data subjects from three sources: (i) publicly available information available on the Open Electoral Roll (OER), Companies House and the register of County Court Judgments; (ii) third parties, such as the Gardeners’ Club; and (iii) its CRA business. Experian processes the data to create three different database products: (i) ConsumerView; (ii) ChannelView; and (iii) Mosaic.

Experian uses data derived from its CRA business in the following ways:

• to add names and addresses to ConsumerView (about 25.1 million individuals are added to ConsumerView by this route);
• to ensure the accuracy of the 25.9 million records in ConsumerView;
• to match and link records from different sources; and
• to build the derived and modelled attributes within ConsumerView.

In 2020, following a two-year investigation by the ICO into how data broking businesses such as Experian, Equifax and TransUnion use personal data gathered from their data broking businesses for direct marketing purposes, the ICO issued Experian with an Enforcement Notice on the basis that Experian had breached the GDPR under Articles 5(1)(a) (lawful, fair and transparent processing) and Article 6(1) (lawfulness of processing).

The ICO said that Experian’s activities constituted data profiling under Article 4(4) of the GDPR. It also said that Experian had not been transparent with data subjects as to where it had obtained their personal data from and the ways in which it was being used, which meant that data subjects were precluded from being able to exercise their rights under the GDPR. In addition, the ICO said that Experian had processed all personal data held for direct marketing purposes based on the “legitimate interest” ground for processing, but that the information provided by third party suppliers was provided on the basis that the data from those third parties data subjects had been obtained by consent. The ICO was not satisfied that in circumstances where a very large amount of personal data was being processed in highly targeted ways and where there were significant issues of non-transparency, Experian had correctly or properly concluded there was a lawful basis for processing the personal data. Further, the ICO found that Experian’s processing for profiling was intrusive of privacy and that little weight could be attached to the supposed benefit of the data subject receiving direct marketing communications that were more appropriate to them. In the ICO’s view, this was a consequence of processing and profiling to which the data subjects had not consented and it was unlikely that a controller could apply legitimate interests for such intrusive profiling for direct marketing purposes. In any event, the ICO said, the assessments undertaken in balancing Experian’s legitimate interests were flawed.

The Enforcement Notice required Experian to provide all data subjects with an Article 14 GDP-compliant privacy notice informing them how it was using or intended to use their personal data for marketing purposes, and to cease processing the personal data of any data subject to whom an Article 14 compliant notice had not been sent.

Experian appealed the ICO’s decision.

It should be noted at the outset that overall the Tribunal found that the ICO’s witness evidence was flawed in various respects and of limited assistance. In fact, one of the ICO’s witnesses accepted that in certain core parts of his evidence what he had said in his witness statement was not just wrong, but that the position was in fact the direct opposite of what he had said. Given that for weight to be attached to the ICO’s opinions it had to be based in evidence, the Tribunal found that some of the ICO’s arguments were not supported by any reliable evidence and were supposition.

The Tribunal noted that at Recital 47 the GDPR recognises that direct marketing may be regarded as a legitimate interest. In any event, the legitimate interest test, i.e. balancing the interests of the data controller and the individual, must be carried out to determine whether direct marketing does amount to a legitimate interest in the circumstances.

Looking at the specific ways in which Experian in fact used CRA data to produce its three database products, bearing in mind that its processing of personal data was not based on consent but on legitimate interests, the Tribunal found that that the Information Commissioner had not properly appreciated the limited extent to which it was used. In fact, the Tribunal said, contrary to the ICO’s opinion, there was utility in the way the data was used that benefitted data subjects.

As for how a data subject could discover what happened to their data acquired via Experian’s CRA activities, the Tribunal found that following consultation with the Information Commissioner, Experian had, contrary to the ICO’s opinion, developed its Customer Information Portal (CIP) to provide good transparency and that the ICO had not provided evidence that allowed the Tribunal to conclude that the CIP was defective at the time of the Enforcement Notice. Therefore, the processing of CRA derived data was now sufficiently transparent in the context of the privacy notices that were served on data subjects: the relevant information was sufficiently prominently displayed on the CIP and was accessible to data subjects.

Experian accepted that around 5.3 million data subjects out of the circa 51 million data subjects whose information was processed by Experian had not received a privacy notice, but the Tribunal rejected Experian’s contention that it did not need to provide privacy notices because it would involve a disproportionate effort.

The Tribunal said that under the GDPR, the fact that notifying data subjects would involve a considerable business expense did not mean that it would be a disproportionate effort for the purposes of Article 14. That was a business expense that should have been incurred over time as a matter of routine compliance. If the costs of compliance were higher than Experian considered acceptable, then Experian could decide not to undertake the processing. Accordingly, the Tribunal found that Experian should have provided the 5.3 million data subjects with an Article 14 privacy notice and had not done so. It had therefore breached the GDPR in that the processing had not been transparent, fair or lawful. However, the Tribunal found that to order notification of this residual cohort now would be disproportionate, as it would involve considerable expense that Experian would have to bear all at once, rather than over time. That said, the Tribunal stressed that Experian must comply with the requirements of Article 14 in respect of its future personal data collections. The Tribunal also said that any further processing of personal data collected in circumstances where an Article 14 privacy notice should have been given and had not been given would continue to be non-compliant and Experian should consider what it can do to discontinue this processing.

The Tribunal also found that there had, in the past, been a contravention of the GDPR with respect to the data obtained from third-party suppliers where that material was obtained on a consent basis. Further, the Tribunal did not accept that legitimate interests was a proper means by which that data could have been used by Experian for the purpose it was processed. However, it accepted that this no longer occurred due to the work Experian had done following the ICO’s investigations.

Overall, the Tribunal found that the Information Commissioner should have exercised her discretion differently in that she should have balanced the objectives in issuing the enforcement notice against: (i) the fact that the uses to which the personal data were put did not result in adverse outcomes for the data subjects; (ii) the economic impact that the expense would have on Experian when incurred at once rather than over months or years; and (iii) the likely reaction of the data subjects to receiving an “out of the blue” notification, which reaction was likely to be either disinterest or possibly confusion or distress. In the Tribunal’s view, the Information Commissioner got the balance wrong in terms of proportionality in exercising her discretion because she had fundamentally misunderstood the actual outcomes of Experian’s processing.

The Tribunal was also satisfied that it was unlikely that any person had suffered damage or distress due to Experian’s failure to provide an Article 14 privacy notice. (Experian Ltd v The Information Commissioner [2023] UKFTT 132 (GRC) (20 February 2023) — to read the judgment in full, click here).