ICO (mostly) loses data broking appeal

Viewpoints
February 21, 2023
2 minutes

Before AI was the Next Big Thing, the use and re-use of personal information by data brokers and credit reference agencies (CRAs) was a hot regulatory topic in Europe.  All the way back in October 2020, following an audit of the UK’s three largest CRAs, the Information Commissioner’s Office (ICO) issued a report which found that the industry was often not processing personal data in compliance with the GDPR — namely, that its processing was not transparent, was done without a lawful basis and breached UK marketing rules.

As part of its investigation, the ICO issued an enforcement notice against one of those CRAs, Experian Limited, which challenged the notice before the First-Tier Tribunal (Information Rights), the judicial body to which decisions of public authorities, including the ICO, can be appealed.

The Tribunal issued its judgment yesterday.  It makes for grim reading for the ICO and is unlikely to burnish the legacy of the previous Information Commissioner, whose tenure was characterised by an uneven approach to enforcement. 

Indeed, the manner in which the Tribunal discusses the flaws in the ICO’s investigative and decision-making processes — that it “had fundamentally misunderstood the actual outcomes of Experian’s processing” and there was “little or no evidence to support some of the positions taken in the enforcement notice” — will probably embolden companies to challenge enforcement notices that they think are based on a distorted view of their business practices.

The decision is somewhat specific to its facts, but picking through the bones there are a couple of interesting wider takeaways.

  • Direct marketing.  A controller can have a legitimate interest (LI) in sending direct marketing for the purposes of the GDPR.  This isn’t new information, and the ePrivacy / PECR requirements also need to be considered, but the Tribunal nevertheless issued helpful guidance distinguishing where LI is appropriate (in this case, using credit reference agency information for marketing) from where it is not (reusing third-party data that was originally obtained on the basis of consent).
  • Privacy notices.  The limitations of relying on the Art. 14(5) GDPR exemption from providing a privacy notice where doing so would involve a “disproportionate effort” come up regularly in practice.  The Tribunal’s decision shows that companies can expect little sympathy for complaining about the costs of compliance: providing privacy notices to more than five million people was considered not to involve a disproportionate effort, but simply to be a cost of running a commercial operation.  That should cause businesses to think twice before dismissing regulatory requirements on cost grounds.

That being said, although the Tribunal found that Experian did breach its transparency obligations under the GDPR, it took the view that individuals whose data had already been collected would likely not suffer damage or distress as a result of Experian’s failure to provide its privacy notice, and it recognised the “considerable expense and practical difficulties” that the company would face in attempting to do so. 

More damningly, the Tribunal said that individuals who received a privacy notice out of the blue in this context would be confused, distressed or “just [put] it in the bin”.  That’s never the outcome that one hopes for when drafting privacy notices.

It would seem unlikely that the ICO will appeal, given the extent to which its original decision-making was rejected by the Tribunal.  But whether or not it does, we can add another useful decision to the growing body of UK data protection jurisprudence.