First-Tier Tribunal overturns ICO enforcement notice against Experian
20 Feb 2023
Credit giant Experian has had an ICO enforcement notice overturned by the First-Tier Tribunal (FTT), which heard the appeal against the findings of a 2-year investigation by the regulator.
Responding to the ICO’s accusation that Experian’s privacy notice was not transparent, the Tribunal said supporting evidence presented by the regulator was “flawed”. The Tribunal criticised the regulator for over-exaggerating the risk of potential harm to customers and for not taking into account the benefits of direct marketing. This part of the ruling is critical to Legitimate Interest balancing tests for direct marketing, as it makes clear that the benefits of the processing must also be taken into account, including the positive benefits to the consumer of receiving relevant offers. The ruling states:
“We accept also that in reaching a decision, the Commissioner and this panel must have regard to the regulatory decisions in respect of the economy, the environmental impact and positive benefits for the consumers of processing”
Critically, the Tribunal also concluded that a direct marketing segmentation does not target specific individuals but groups that are more likely to respond to an offer. The ruling stated:
“We accept also Experian’s submission that what its clients are seeking to do is not to target particular individuals but merely to have a list of those who are more likely to respond to the offer their client intends to send. That is to say that the chances of direct mail marketing being effective are higher by sending mail to a list of individuals who may have particular characteristics, which is better than sending them at random.”
Experian UK&I managing director Jose Luiz Rossi said:
“Today’s decision by the First Tier Tribunal substantially overturns the ICO’s enforcement notice issued against Experian in 2020. It represents a welcome development for the consumers, small businesses and charities across the UK that rely on the services provided by Experian. The Tribunal found, in contrast to the ICO’s enforcement notice, that the vast majority of our practices meet GDPR requirements, including the transparency that we provide consumers through our Credit Reference Agency Information Notice and our Consumer Information Portal. We are very pleased with this outcome.”
The Tribunal did issue a clarificatory judgement about the provision of notifications to people when their data has been collected solely from public records, for instance the electoral register, for marketing purposes. Experian did accept that around 5.3 million of the 51 million customers whose information it processes from public records had not received an appropriate privacy notice, but argued that this fell under disproportionate effort. The Tribunal did not accept this, stating: “If the costs of compliance were higher than Experian considered acceptable, then Experian was free to take a business decision not to undertake the processing.”
Crucially, the Tribunal concluded that the absence of this Article 14 notification did not cause any actual harm: “The Tribunal is also satisfied that it is unlikely that any person has suffered damage or distress as a result of Experian’s failure to provide an article 14 notice”. Experian said they need only make minor adjustments to comply with this going forward.
DMA CEO Chris Combemale said:
“The Tribunal ruling reaffirms key principles for the use of Legitimate Interests for direct marketing, particularly that any balancing test must take into account the economic benefits and the benefits to the individual of receiving the relevant offers. The DMA agrees fully with the Tribunal’s judgement that receiving more relevant offers is unlikely to cause any distress or harm and is more likely to create benefits.”
An ICO fine would have amounted to either £20m or 4% of Experian’s total annual worldwide turnover. Given Experian’s profits of $5.2bn, the ICO claimed more than £208m could have been demanded. The ICO can appeal this decision within the next 28 days.