DMA Analysis: Summary of the key issues in the Upper Tier Tribunal decision and how they benefit DMA members


DMA's full analysis of the Upper Tier Tribunal judgement and how it benefits DMA members


Please find a summary of the key issues in the Upper Tier Tribunal decision and how they benefit DMA members.

The balance between economic benefits and potential harms

The Upper Tier Tribunal have confirmed that the economic benefit of using data to create relevant customer communications is an important consideration and that any potential harms to customers were “innocuous”. The balance between economic benefits and harms must be considered in any balancing test such as a legitimate interest impact assessment. The DMA has long argued that the economic benefits are a critical component of impact assessments and a foundation of proportionality.

The UTT confirmed the First Tier Tribunal’s belief that the ICO had exaggerated the harms of direct marketing and failed to consider the benefits to customers and companies. The judgement states: “We accept the submission that the worst outcome of Experian’s processing in terms of what happens to the data at the end of the process is that an individual is likely to get a marketing leaflet which might align to their interests rather than being irrelevant.” It goes further: “We find that the Information Commissioner should have exercised her discretion differently in that she should have balanced the objectives in issuing the enforcement notice against (a) the fact that the uses to which the personal data were put did not result in adverse outcomes for the data subjects … We are satisfied that the Information Commissioner got the balance wrong in terms of proportionality … because the Information Commissioner had fundamentally misunderstood the actual outcomes of Experian’s processing.”

Transparency and proportionality

The UTT reinforced the importance of Recital 4 to the interpretation of GDPR, a main theme of the DMA’s advocacy on behalf of the industry. On page 30 the UTT notes that “Recital 4 to the GDPR states that the right to the protection of personal data is not an absolute right: it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.”

The right to conduct a business is one of the fundamental rights, and it is not possible to conduct a business without the right to attract and retain customers, which has been reinforced by the judgement.

The finding that offline direct marketing has economic benefits for the consumer, the company and the economy, which must be considered, will transform the ICO’s interpretation of balancing tests. It means the ICO must recognise the benefits of direct marketing when reviewing balancing tests.

The principle of proportionality applies to transparency unless a specific detailed obligation is specified in GDPR. This is critical to DMA members when they are considering how best to fulfil their transparency obligations. The level of detail required in data notifications and privacy policies must be proportionate to the level of risk in the processing. If the processing has a low level of risk, then less detail is required. The UTT states: “where GDPR is not prescriptive, the answer to transparency will be context specific and underpinned by principles of proportionality.”

Layered Privacy Policies

The UTT confirmed that layered privacy policies are appropriate and valid, giving the customer choice about how much information about data processing they want. The UTT also confirmed that the first layer of a privacy policy could highlight the benefits of the data processing to the customer, whereas the ICO had argued that any potential harms should be given a higher standing. This is consistent with the court’s belief that economic benefits must be considered.

Transparency does not mean the customer must have read the privacy policy

Critically, the court ruled that people understood hyperlinks and how to use them to navigate deeper into the detail if they wanted more information on a privacy policy.

The UTT states that “having the information is not confined to actually reading the information” and that people were able to express their choice about how much information they want to know. Low volumes of site traffic to the privacy policy do not mean the transparency requirement was not met. It is the opportunity to know more for those who wish to dig deeper that is important. The UTT finding was based upon CMA research evidence adduced by Experian before the FTT about customer attitudes to privacy (which mirrors the DMA’s own findings).

Modelled data has lower risks than personal data

Personal data in the form of specific attributes is used to underpin data modelling. When companies determine a combination of attributes that might identify a propensity to purchase, this creates a cluster of people that is selected for a campaign. The brand using the data is interested in identifying a group of people that are likely to be interested in their products or services.

Crucially for DMA members, particularly data providers and brands, the UTT confirmed that modelled data is less risky than personal data.

The ICO had argued that the number of attributes Experian had within its model created the risk to individuals in the processing. The UTT confirmed that the number of attributes in a model was not relevant to the core nature of the processing, nor to the level of harm the processing might create.

This is summarised by the UTT on page 40: “The FTT went on to find that the modelled data points used by Experian were less intrusive than the processing of actual data. In light of this finding, the number of modelled data points used by Experian was not of particular significance. In any event, the FTT were clearly aware of the scale of this and that 370 points were used … Accordingly, we reject the contention that the FTT failed to have regard to the intrinsic nature of Experian’s processing.”

Links from a third-party site to a privacy policy are transparent and valid

The UTT ruled that links from third-party data providers to Experian’s Customer Information Portal provided adequate transparency and rejected the ICO’s belief that Experian would have to make their own direct notification in all circumstances. On page 51 the UTT states: “Given that the route to the CIP involved clicking only one hyperlink from the third party website to the CIP … it would have been very surprising if the FTT had arrived at the opposite conclusion as to the applicability of 14.5a.”

In short, the UTT confirmed that the exception in 14.5a, “the data subject already has the information”, had been properly achieved through the link from the third-party website and that Experian did not need to send their own direct notification to each individual.
