Tribunal reaffirms the status of legitimate interests in Experian appeal case



The First Tier Tribunal judgment today in Experian v Information Commissioner EA/2020/0101 confirmed legitimate interests as a processing ground which can be used for marketing related processing.

The case relates to an ICO investigation commenced in July 2018 on the use of personal data by Experian’s Marketing Services (EMS) for marketing by post. EMS processes the data of around 51 million people in the UK to provide marketing services which it sells to its third-party clients.

In October 2020, the ICO ordered Experian to stop using credit referencing-derived data for direct marketing purposes, and to write to every UK household with an explanation of how Experian uses their data. Experian argued at the time that the processing was not intrusive, and was likely to be expected by individuals. It also already provides a privacy notice in its Consumer Information Portal.

The Tribunal has now struck out the ICO’s original Enforcement Notice. Notification by third parties is deemed sufficient - a Substitute Enforcement Notice requires Experian to send a more detailed privacy notice only to a very small percentage of the original number.

Those notifications relate to individuals whose data is obtained from publicly available sources such as the Open Electoral Register. It is clear that such information can be used for marketing purposes, but only where notification above and beyond the current scheme – known as “the form of words” - is used. This will have implications for the wider marketing industry, law firm Linklaters (which represented Experian) observes.

Richard Cumbley, Partner in Linklaters’ Technology practice said: “After more than four years of uncertainty, this judgment confirms that the marketing services Experian have provided for many years to UK businesses, government and the third sector remain legitimate and fair under the UK’s data protection regime. The judgment contains useful analysis of the question of “indirect” transparency – i.e. the extent to which a controller who does not have a direct relationship with individuals can rely on third parties to notify those individuals of its processing. It also includes insightful commentary on the tension between having to provide large amounts of information in a privacy notice and not overloading the recipient. More generally, while transparency is central to the UK GDPR, the Tribunal notes many individuals do not spend a great deal of time examining privacy notices and you can’t force people to read them.”

The Tribunal, which found almost entirely in Experian’s favour, said: “We are satisfied that the [ICO] got the balance wrong in terms of proportionality in exercising [its] discretion because the [ICO] had fundamentally misunderstood the actual outcomes of Experian’s processing”.

The ICO says that it will take stock of today’s judgment and carefully consider next steps, including whether to appeal.

See the judgment of 20 February

Linklaters’ lawyers will speak about the decision and its wider implications at Privacy Laws & Business 36th International Conference in Cambridge, 3-5 July 2023. Very Early Bird Registration Fee is available until 30 March 2023.