UK Tribunal Rules on Direct Marketing ICO Case Against Experian

Posted on February 23, 2023



On February 20, 2023, in the case of Experian Limited v The Information Commissioner, the First-Tier Tribunal in the UK (the “Tribunal”) ruled on the ICO’s action to require Experian to make changes to how it processes personal data for direct marketing purposes. While the Tribunal supported the ICO in certain respects, it largely ruled in favor of Experian and issued a Substituted Decision Notice, as detailed further below.


Background

The case relates to an ICO investigation that began in July 2018 into how Experian and two other credit reference agencies (“CRAs”) used the personal data of UK data subjects for direct marketing purposes. The investigation resulted in an ICO enforcement notice in October 2020, further details of which can be read here. Experian appealed the enforcement notice, which was heard by the Tribunal.


Substituted Decision Notice

While the Tribunal largely ruled in Experian’s favor, it did issue a Substituted Decision Notice, which requires the following:

  • Within three months of the Tribunal decision date (the “Decision Date”), Experian must implement a system designed to provide all data subjects whose personal data Experian obtains from the Open Electoral Register, the Registry Trust Limited or Companies House with a GDPR-compliant privacy notice.
  • Within 12 months of the Decision Date, Experian must provide the privacy notice to all such existing relevant data subjects. It also must continue to provide the privacy notice to all new relevant data subjects.
  • Experian does not need to provide a privacy notice where Experian: (1) obtains personal data from its CRA business, consumer services business or third-party commercial suppliers; (2) limits its processing of personal data to the retention or sale of data from the Open Electoral Register; (3) processes personal data solely in connection with its directory enquiry or suppression databases; or (4) ceases to process personal data about a data subject (who would otherwise be sent the privacy notice) for direct marketing purposes at any time within 12 months of the Decision Date.

The Substituted Decision Notice requires notification to data subjects on a significantly smaller scale than was required by the original ICO enforcement notice. In issuing the Substituted Decision Notice, the Tribunal stated that it “must stand in the shoes of the Information Commissioner and ask whether the Information Commissioner should have exercised her discretion differently.” With respect to the ICO enforcement notice, the Tribunal held that the ICO incorrectly balanced the objectives of issuing the enforcement notice against certain factors, including that Experian’s processing of personal data did not result in adverse outcomes for data subjects. The Tribunal found that the ICO “fundamentally misunderstood the actual outcomes of Experian’s processing.”

The Tribunal found persuasive Experian’s argument that its clients do not seek to target particular individuals but instead seek a “list of those who are more likely to respond to the offer” sent by clients. The Tribunal also found persuasive Experian’s assertion that the “worst outcome of Experian’s processing . . . is that an individual is likely to get a marketing leaflet which might align to their interests rather than be irrelevant.”


Key Takeaways


  • Transparency

    • In opining on how Experian complies with its transparency requirements under the GDPR, the Tribunal found that, in this case, notice through third parties is sufficient. Specifically, the Tribunal found that (1) the Credit Reference Agency Information Notice (CRAIN), which is made available by lenders to individuals whose data is acquired via the CRA, and (2) Experian’s Consumer Information Portal (CIP), which details how the Experian Marketing Services uses personal data, together provide data subjects with an understanding of Experian’s business. The CRAIN provides a link to the CIP and therefore offers a layered approach to providing notice on how CRA data is used for the Experian Marketing Services.
    • In coming to this conclusion, the Tribunal noted that there is a “tension between providing large amounts of information…with the aim of improving transparency and accessibility of information and…the resultant information overload,” and that this tension is, to an extent, met by layering information. The Tribunal further stated that, “common sense would tend to suggest that it is only those who are actually interested in what happens to their data who would read beyond the first part of a privacy notice.” Applying this to the CIP, the Tribunal found that there is a “sufficiently easy” trail of hyperlinks to the CIP that allows those concerned to learn more.
    • While the Tribunal did acknowledge that consumers likely would be surprised by the “very large” scale and nature of Experian’s data processing activities, it found that the information disclosed to consumers in the two notices was “sufficiently prominently displayed and accessible to data subjects who want to understand how their data will be processed.”

  • Article 14(5) Exemption

    • Experian sought to rely on the exemption provided by Article 14(5) of the GDPR to not provide notice to approximately 5.3 million data subjects, by asserting that providing the notice would involve disproportionate effort. The Tribunal disagreed with Experian, acknowledging that while notifying 5.3 million data subjects would incur a considerable expense, it would not involve disproportionate effort.
    • The Tribunal therefore concluded that Experian violated Article 14 and stated that it “fully expects that Experian will rectify this non-compliance in respect of its future personal data collections” and “should consider what it can do to discontinue” processing of personal data that should have been the subject of an Article 14 notice but was not. The Tribunal stated that it was “satisfied that it is unlikely that any person has suffered damage or distress as a result of Experian’s failure to provide an article 14 notice.”


Next Steps

In its statement on the case, the ICO indicated it is considering whether it will appeal the Tribunal’s decision.
