Key Privacy Considerations from the Experian Appeal

Consumer data has become one of the most valuable currencies in the world. As a result, privacy regulators are going to great lengths, such as issuing record-breaking fines, in order to keep consumer data safe and businesses in check. For reference, the Information Commissioner’s Office (ICO) alone has taken enforcement action against over 100 businesses for violating data protection regulations. 

When the ICO issues an enforcement notice or any other kind of regulatory action, the receiving party has the right to appeal within 28 days. This appeal is handled by the First-tier Tribunal for Information Rights, in the general regulatory chamber of the UK’s legal system. The Tribunal is responsible for handling appeals to decisions made by government regulatory bodies, such as the ICO, in cases relating to information rights.

Tribunal appeals are important because they allow the ICO’s rulings to be challenged, ensuring that its interpretation of the law is aligned with both the interests of industry and the expectations of the data subjects the law is designed to protect.

This article covers the details of the Tribunal’s findings and what they mean for the direct marketing industry.

The ICO Investigation of Credit Reporting Agencies

In 2018, the ICO audited the direct marketing practices at three of the main Credit Reference Agencies (CRAs) in the UK: Equifax, TransUnion and Experian. The purpose of this audit was to ensure that the CRAs were in compliance with UK data protection laws.

The initial ICO investigation and report found a fundamental lack of transparency across the CRA sector. The investigation concluded that consumers in the UK were unaware that their credit reference data was being used for marketing purposes.

The ICO investigation resulted in formal enforcement action against Experian, with both Equifax and TransUnion opting to withdraw products the ICO viewed as non-compliant to avoid formal enforcement action. Experian appealed, which ultimately led to a ruling from the First-tier Tribunal for Information Rights.

What does this ruling mean for businesses?

The Tribunal was critical of the ICO’s investigation and ruled in favor of Experian in many aspects, including the use of legitimate interests for direct marketing purposes. However, the Tribunal also held Experian accountable for multiple transparency failures. The details of the Tribunal’s findings can be a great reference for organizations making decisions on how to collect and process personal data for marketing purposes. 

Legitimate Interest for Direct Marketing

The ruling states that the ICO failed to fully account for the benefits of direct marketing for data subjects when considering Experian’s Legitimate Interest Assessment (LIA). Some of the benefits that Experian espoused included methods that: 

  • Ensure individuals would not be offered products they could not afford
  • Prevent underage individuals from gambling
  • Help identify individuals who might be in fuel poverty and enable utility companies to support them

The Tribunal reflects that a context-driven decision is the most helpful when assessing legitimate interests. If the processing activity has a positive impact on the consumer, it can help satisfy the requirements of the Legitimate Interests balancing test. 

Why this matters: This decision is a big win for the direct marketing industry. It strengthens the argument that legitimate interest is a valid lawful basis for processing data for marketing purposes, with real-life examples of when the Legitimate Interests balancing test may be met.

Transparency is Key 

The appeal also extensively covers Article 14 of the GDPR, which outlines the requirement to notify data subjects that you are processing indirectly collected personal data. The Tribunal found that Experian failed to notify 5.3 million data subjects that their personal data was processed from publicly available sources, such as the electoral roll, in clear contravention of Article 14. 

Article 14 is a key compliance consideration if your business is processing data that is not obtained directly from data subjects, for example data obtained from public sources such as the electoral roll, Companies House records, or third-party data providers.

Why this matters: Transparency is a key principle of data protection law and is the cornerstone of this whole case. The decision by the Tribunal reinforces:

  • The need for a fair, clear and transparent notification program
  • That data subjects must be aware of your company’s processing activities
  • That data subjects must understand the purpose of the processing

Further, the Tribunal found it would be unlikely for any of the data subjects to successfully claim damages over Experian’s failure to provide them with an Article 14 notice, following last year’s Lloyd v. Google decision by the UK Supreme Court.

What happens next?

The revised Decision Notice requires that Experian stop processing data of consumers who have not received a privacy notice. No monetary penalty is included in the revised Decision Notice. Had the ICO’s notice been upheld, the ICO could have imposed a fine of either £20m or 4% of Experian’s total annual worldwide turnover. With Experian’s profits at $5.2 billion, the ICO claimed more than £208m could have been demanded.

The ICO can appeal the decision of the First-tier Tribunal within 28 days, and is still considering whether to do so. Otherwise, the current decision stands.

Please note that the above is for informational purposes only. ZoomInfo is not qualified to provide legal advice of any kind and is not an authority on the interpretation of US or international laws, rules, or regulations. To understand how the GDPR, EU marketing laws, or any other laws impact you or your business, you should seek independent advice from qualified legal counsel.