DMA boosts fight to finally clear up ‘legitimate interests’

The DMA is ramping up its campaign to finally overcome widespread confusion over the use of “legitimate interests” for marketing following the Upper-tier Tribunal’s recent judgment which threw out the Information Commissioner’s Office appeal against an Experian enforcement notice.

The industry body, which perhaps unsurprisingly welcomed the decision, said it gives greater certainty to the market, adding that the “milestone case establishes important legal precedents”.

The issue dates back to 2017, when the ICO began a major investigation into the data broking industry, with Experian, Equifax and TransUnion coming under close scrutiny over how they used personal data for direct marketing purposes.

The ICO’s probe claimed to have found how the three companies were trading, enriching and enhancing people’s personal data without their knowledge. This processing resulted in products which were used by commercial organisations, political parties or charities to find new customers, identify the people most likely to be able to afford goods and services, and build profiles about people, the regulator said.

Equifax and TransUnion changed their practices but Experian refused, and, in 2020, it was issued with an enforcement notice, compelling the company to make changes within nine months – and delete all “unlawful data”. The ICO threatened further action for breaching GDPR, including a potential fine of up to £20m or 4% of the organisation’s total annual worldwide turnover of $5.2bn, £208m.

However, Experian successfully appealed the decision at the First-tier Tribunal in a ruling which was published in early 2023. Claiming the decision was “wrong”, the ICO then launched its appeal.

April’s ruling is especially pertinent to brands which use offline direct marketing and the providers of third-party data and data solutions to enhance profiles or create prospecting files.

Experian Marketing Services managing director Colin Grieves said: “We’re pleased the Upper Tier Tribunal saw fit to agree with the findings of the First Tier Tribunal which largely overturned the Enforcement Notice issued by the regulator.

“We have been consistent in our position that Experian shares the ICO’s belief in transparency in data use and choice for consumers. We have worked hard to deliver that and the FTT agree with us on the quality and extent of our approach, and the UTT did not interfere with those conclusions. As such the findings give clarity that Experian’s approach meets GDPR requirements. Critically marketing data provided by Experian based on legitimate interests is safe for brands to use.”

The DMA has long campaigned for legal certainty for the use of legitimate interests as a lawful basis for the majority of direct marketing data processing and claims that Government amendments to the Data Protection & Digital Information Bill – currently going through the House of Lords – provide even greater certainty.

However, the organisation is now seeking legislative clarity on the transparency requirements for use of data from the Open Electoral Register for direct marketing. The original FTT ruling supported the ICO in a very narrow interpretation of the Article 14.5.b exception for disproportionate effort, and specifically that “costs” could not be considered a “disproportionate effort”.

A legislative amendment developed by DMA and a broad coalition of members led by CACI has been tabled in the House of Lords by Lady Harding and Lord Clement Jones with support from Baroness Jones, Lord Black and supported by many peers including Lord Arbuthnot, Lord Kamall, Baroness Stowell and Lord McNally.

The amendment widens the scope of what is considered disproportionate effort to include “the effort and cost of compliance, the damage and distress to the data subjects, the reasonable expectations of the data subject and whether information has been collected and made publicly available by a public body”.

The DMA stated: “We believe that the exception that ‘the data subject already has the information’ in Article 14.5. applies to the Electoral Register data as a result of the data notification and opt-out provided by local councils at the point of voter registration.

“The acceptance in the UTT judgment that links from third party websites meet the threshold of ‘already has the information’ strengthens our belief that voters already have the information.”

For the avoidance of doubt, the same coalition of peers working with the DMA has tabled a further amendment to DPDI which adds a clause 14.5.aa to GDPR. This clause states that “the data is from the Open Electoral Register” as a further exception to the transparency and notification requirements.

The DMA said: “We welcome the Upper Tier Tribunal judgement which has completely rejected the ICO’s appeal in its case versus Experian. The UTT ruling confirms the DMA’s interpretation of GDPR in the important areas of transparency and legitimate interests, giving greater certainty to the market. This is a milestone case that establishes important legal precedents.”
