The Information Commissioner’s Office has been left battered and bruised following a ruling by the First-Tier Tribunal (Information Rights) over an enforcement notice issued to Experian, which, although lengthy and complex, has mostly upheld the appeal.
The enforcement notice, first issued in 2020, followed a two-year investigation into the three major credit reference agencies in the UK, Experian, Equifax and TransUnion. It claimed that the companies were trading, enriching and enhancing people’s personal data without their knowledge.
Equifax and TransUnion agreed to make changes but the ICO ruled Experian had not gone far enough and slapped it with an enforcement notice, compelling it to make changes within nine months or risk further action.
This could have included a fine of up to £20m or 4% of the organisation’s total annual worldwide turnover of $5.2bn, the ICO claimed, which could be more than £208m.
However, Experian launched the appeal, which was heard in early 2022 but has, until now at least, been kept firmly under wraps. Today, the 47-page, 23,400-word document has been published.
Some of the most startling parts of the ruling are how the tribunal interprets the role of the Information Commissioner (who was then Elizabeth Denham) and ICO director of regulatory assurance Ian Hulme, who has held the position since 2018. The judges blasted much of their evidence as “flawed” and criticised the regulator for over-exaggerating the harm the firm was causing consumers.
Experian has accepted that around 5.3 million customers, out of the around 51 million whose information it processes, have not received a privacy notice but contends that it can rely on paragraph 5 of article 14 on the basis that the provision of such information would involve a disproportionate effort.
While the Tribunal disputed this, it did admit that anyone who was contacted about the privacy notice now would likely throw the letter in the bin. The Tribunal also disagreed that Experian’s privacy notice was not transparent and that using credit reference data for direct marketing purposes was unfair.
The ruling stated: “We find that the Information Commissioner should have exercised her discretion differently in that she should have balanced the objectives in issuing the enforcement notice against (a) the fact that the uses to which the personal data were put did not result in adverse outcomes for the data subjects, (b) the economic impact that the expense would have on Experian when incurred at once rather than over months or years, and (c) the likely reaction of the data subjects to receiving an ‘out of the blue’ notification, which reaction we find was likely to be either disinterest resulting, for example, in the data subject just putting it in the bin or possibly some confusion or even distress.”
It added: “We are satisfied that the Information Commissioner got the balance wrong in terms of proportionality in exercising her discretion because the Information Commissioner had fundamentally misunderstood the actual outcomes of Experian’s processing.
“The Tribunal is also satisfied that it is unlikely that any person has suffered damage or distress as a result of Experian’s failure to provide an article 14 notice.”
Experian UK&I managing director Jose Luiz Rossi said: “Today’s decision by the First Tier Tribunal substantially overturns the ICO’s enforcement notice issued against Experian in 2020. It represents a welcome development for the consumers, small businesses and charities across the UK that rely on the services provided by Experian.
“The Tribunal found, in contrast to the ICO’s enforcement notice, that the vast majority of our practices meet GDPR requirements, including the transparency that we provide consumers through our Credit Reference Agency Information Notice and our Consumer Information Portal. We are very pleased with this outcome.
“We also welcome the clarification concerning the provision of notifications to people whose data we collect solely from public records, who represent a very small percentage of our UK marketing database. We will build this into our processes in accordance with the Tribunal’s time requirement.
“We share the ICO’s goals on the need to provide transparency, maintain privacy and ensure consumers are in control of their data. As we have stated throughout these proceedings, we remain deeply committed to transparency, safeguarding privacy, and helping consumers to better understand and control the use of their data.”
In response, the ICO said it will take stock of today’s judgment and carefully consider next steps, including whether to appeal.
ICO deputy commissioner Stephen Bonner said: “The credit reference agency industry holds data on almost every adult in the UK. Information is screened, traded, profiled and enhanced to provide direct marketing services, and that process must happen in line with the law and in an open and honest way.
“Since we began our work with credit reference agencies, we’ve seen companies make significant changes to improve how they respect people’s information rights, notably being clearer in how data is used.”
Where will we be in 2023…with data-driven marketing?
Experian lawyers set for long battle against ICO ruling
Experian given ultimatum to delete dodgy data or else
UK data giants ‘off the hook’ over Cambridge Analytica
Top UK data firms still under investigation, 2 years on
Bounty ditches broker deals after £400,000 ICO fine
Major UK data firms under scrutiny as watchdog bites
Privacy group calls for probe of seven data companies
Data firms under cosh as ICO ramps up political probe