On February 20, 2023, in the case of Experian Limited v The Information Commissioner, the First-Tier Tribunal in the UK (the “Tribunal”) ruled on the ICO’s action to require Experian to make changes to how it processes personal data for direct marketing purposes. While the Tribunal supported the ICO in certain respects, it largely ruled in favor of Experian and issued a Substituted Decision Notice, as detailed further below.
Background
The case relates to an ICO investigation that began in July 2018 into how Experian and two other credit reference agencies (“CRAs”) used the personal data of UK data subjects for direct marketing purposes. The investigation resulted in an ICO enforcement notice in October 2020, further details of which can be read here. Experian appealed the enforcement notice, which was heard by the Tribunal.
Substituted Decision Notice
While the Tribunal largely ruled in Experian’s favor, it did issue a Substituted Decision Notice, which requires the following:
- Within three months of the Tribunal decision date (the “Decision Date”), Experian must implement a system designed to provide all data subjects whose personal data Experian obtains from the Open Electoral Register, the Registry Trust Limited or Companies House with a GDPR-compliant privacy notice.
- Within 12 months of the Decision Date, Experian must provide the privacy notice to all such existing relevant data subjects. It also must continue to provide the privacy notice to all new relevant data subjects.
- Experian does not need to provide a privacy notice where Experian: (1) obtains personal data from its CRA business, consumer services business or third-party commercial suppliers; (2) limits its processing of personal data to the retention or sale of data from the Open Electoral Register; (3) processes personal data solely in connection with its directory enquiry or suppression databases; or (4) ceases to process personal data about a data subject (who would otherwise be sent the privacy notice) for direct marketing purposes at any time within 12 months of the Decision Date.
The Substituted Decision Notice requires notification to data subjects on a significantly smaller scale than was required by the original ICO enforcement notice. In issuing the Substituted Decision Notice, the Tribunal stated that it “must stand in the shoes of the Information Commissioner and ask whether the Information Commissioner should have exercised her discretion differently.” With respect to the ICO enforcement notice, the Tribunal held that the ICO incorrectly balanced the objectives of issuing the enforcement notice against certain factors, including that Experian’s processing of personal data did not result in adverse outcomes for data subjects. The Tribunal found that the ICO “fundamentally misunderstood the actual outcomes of Experian’s processing.”
The Tribunal found persuasive Experian’s argument that its clients do not seek to target particular individuals but instead seek a “list of those who are more likely to respond to the offer” sent by clients. The Tribunal also found persuasive Experian’s assertion that the “worst outcome of Experian’s processing . . . is that an individual is likely to get a marketing leaflet which might align to their interests rather than be irrelevant.”
Key Takeaways
- Transparency
- In opining on how Experian complies with its transparency requirements under the GDPR, the Tribunal found that, in this case, notice through third parties is sufficient. Specifically, the Tribunal found that – (1) the Credit Reference Agency Information Notice (CRAIN), which is made available by lenders to individuals whose data is acquired via the CRA, and (2) Experian’s Consumer Information Portal (CIP), which details how the Experian Marketing Services uses personal data – together provide data subjects with an understanding of Experian’s business. The CRAIN provides a link to the CIP and therefore offers a layered approach to providing notice on how CRA data is used for the Experian Marketing Services.
- In coming to this conclusion, the Tribunal noted that there is a “tension between providing large amounts of information…with the aim of improving transparency and accessibility of information and…the resultant information overload,” and that this tension is, to an extent, met by layering information. The Tribunal further stated that, “common sense would tend to suggest that it is only those who are actually interested in what happens to their data who would read beyond the first part of a privacy notice.” Applying this to the CIP, the Tribunal found that there is a “sufficiently easy” trail of hyperlinks to the CIP that allows those concerned to learn more.
- While the Tribunal did acknowledge that consumers likely would be surprised by the “very large” scale and nature of Experian’s data processing activities, it found that the information disclosed to consumers in the two notices was “sufficiently prominently displayed and accessible to data subjects who want to understand how their data will be processed.”
- Article 14(5) Exemption
- Experian sought to rely on the exemption provided by Article 14(5) of the GDPR to not provide notice to approximately 5.3 million data subjects, by asserting that providing the notice would involve disproportionate effort. The Tribunal disagreed with Experian, acknowledging that while notifying 5.3 million data subjects would incur a considerable expense, it would not involve disproportionate effort.
- The Tribunal therefore concluded that Experian violated Article 14 and stated that it “fully expects that Experian will rectify this non-compliance in respect of its future personal data collections” and “should consider what it can do to discontinue” processing of personal data that should have been the subject of an Article 14 notice but was not. The Tribunal stated that it was “satisfied that it is unlikely that any person has suffered damage or distress as a result of Experian’s failure to provide an article 14 notice.”
Next Steps
In its statement on the case, the ICO indicated it is considering whether it will appeal the Tribunal’s decision.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code