Experian effectively wins appeal against ICO Enforcement Notice
The First-Tier Tribunal has partly allowed an appeal by credit reference agency Experian against an ICO GDPR Enforcement Notice.
The First-Tier Tribunal (General Regulatory Chamber - Information Rights) (the FTT) has partly allowed an appeal by credit reference agency Experian against an Information Commissioner’s Office (ICO) GDPR Enforcement Notice issued in October 2020 in relation to data processing operations of Experian’s marketing business.
Appeal of ICO Enforcement Notice
The FTT found that the ICO had “fundamentally misunderstood” the true nature of Experian’s data processing when it issued its Enforcement Notice regarding “significant invisible processing”. The Notice would have required Experian to make changes to its data processing practices and take corrective action, and could have led to a c.£40m fine (see our commentary on the original investigation and Notice here). The FTT also found that the ICO had been remiss in not considering the potential benefits to consumers of Experian’s data processing, a consideration required as part of the regulatory decision-making process.
The original Enforcement Notice required Experian to, amongst other things, amend its online privacy notices, cease using information from its credit reference agency business line for direct marketing purposes and ensure all data subjects are directly provided with a privacy notice compliant with GDPR article 14. In challenging the decision, Experian accepted that it had failed to ensure privacy notices were seen by some 5.3 million individuals whose data it had collected from open sources, but denounced the wider measures imposed by the ICO as “exorbitant” and “oppressive”. As part of the favourable substitute decision issued by the FTT, Experian must now set up a system to enable them to send privacy notices to open source data subjects going forward, a group which, according to Experian, represents “a very small percentage of our UK marketing database”. This requires notification on a significantly smaller scale than under the original Enforcement Notice, which had required Experian to ensure all data subjects (which could comprise almost the entire UK adult population) were sent a privacy notice directly.
No order for retrospective notification
The FTT found that it would be disproportionate to require the retrospective notification of the 5.3 million unnotified open-source data subjects, citing three key reasons: (i) the fact that the use of the personal data did not result in adverse outcomes for data subjects; (ii) the disproportionality of the economic impact on Experian of making the notifications all at once; and (iii) the likely neutral or negative reactions of the data subjects to receiving an ‘out of the blue’ notification.
Notably, the FTT also considered Lloyd v Google, and its finding that compensation should only be awarded to a data subject who has suffered “material damage or distress” (see our discussion here), and commented that Experian’s data subjects were similarly unlikely to be successful in separate claims for damages, as it was doubtful that any had suffered damage or distress as a result of the failure to provide notice. This gives weight to the consideration that, since Lloyd v Google, data subjects are likely finding it more challenging to succeed in a claim for damages even if their data has been misused.
Conclusion
The FTT’s decision emphasises the key principle of proportionality in relation to GDPR and was critical of several aspects of the ICO’s Enforcement Notice and evidence. The decision represents a significant win for Experian in that it has greatly reduced the notification burden that would have been imposed on it under the original Notice.
Even so, in finding that Experian had breached GDPR, the FTT highlighted the paramount importance of transparency of data processing, and in that light rejected any attempt by Experian to rely on the argument that compliance with GDPR would have been unduly costly. The FTT’s decision therefore highlights the complex balancing act that data controllers must undergo in determining if, and under what conditions and cost, personal data can be used.
The ICO has indicated that it will carefully consider an appeal – this would be one to watch and we will keep you updated via UpData, our online service which provides regular updates on contentious, criminal and insurance risks relating to data, from cyber-attacks to regulatory enforcement.