Experian won a legal battle against the U.K. Information Commissioner’s Office (ICO) after the data regulator ordered the credit reference agency to make “fundamental changes” over the way it handled personal data for direct marketing purposes or stop altogether.
In October 2020, following a two-year investigation, the ICO issued Experian an enforcement notice—rather than a fine—for breaching the European Union’s General Data Protection Regulation (GDPR) by processing and selling personal data for postal and telephone marketing campaigns without people’s knowledge or consent.
Through its direct marketing arm, Experian acquired personal data on people from a mix of publicly available sources like the electoral register, other data suppliers, and its own credit reference business, according to the ICO. Rather than try to gain consumers’ consent, Experian allegedly relied on the concept of “legitimate interest” to use personal data to build a profile on around 50 million adults, which it then sold to third parties to help target marketing promotions more effectively.
While the ICO’s investigation also examined the practices of the U.K.’s other two largest credit reference agencies, Equifax and TransUnion, then-Information Commissioner Elizabeth Denham took no action against them since they showed a “willingness to change their practices and put people’s legal rights first” and withdrew some of their products and services.
Following an appeal by Experian, the First-Tier Tribunal (Information Rights) ruled Feb. 20 that while the company had not processed the personal data of around 5.3 million individuals transparently, fairly, or lawfully—and that it was “not disproportionate” to notify them—it rejected the ICO’s view Experian’s privacy notice was not transparent or that it was unfair for the company to use credit reference data for direct marketing purposes.
The tribunal also disagreed with the ICO’s finding Experian did not properly assess the lawful basis of the data use.
In a comment that might cause confusion over the way companies notify consumers about data collection and use in future, the tribunal said, “Common sense would tend to suggest that it is only those who are actually interested in what happens to their data who would read beyond the first part of a privacy notice and, if they were concerned to read further, we consider that there is a sufficiently easy-to-follow trail through hyperlinks.
“… If people are not concerned about their privacy or what happens to their data … then to a significant extent that is their choice. It may not be the choice of others or particularly data professionals, but you cannot force people into reading privacy policies,” even though “the data controller is still obligated to provide a privacy notice.”
The ICO is considering whether to appeal.
José Luiz Rossi, Experian’s managing director of the U.K. and Ireland region, said in a statement the tribunal found the “vast majority of our practices meet GDPR requirements” and that the legal decision “substantially overturns” the ICO’s enforcement notice. The ruling “represents a welcome development for the consumers, small businesses, and charities across the U.K. that rely on the services provided by Experian,” he added.
Simon Davis, associate at law firm Womble Bond Dickinson, said he had “no doubt” Experian and other data controllers involved in large-scale processing for direct marketing purposes “will be considering the terms of this judgment carefully.”
“This decision provides useful judicial commentary for data controllers in relation to the appropriateness of using ‘legitimate interests’ as a lawful basis for processing undertaken for direct marketing purposes, transparency obligations, and the practical application of the GDPR,” he said.
Sarah Pearce, partner at law firm Hunton Andrews Kurth, said the ruling was not clear cut.
“While the tribunal’s findings confirm any balancing test used in the context of a legitimate interest assessment should take into account the economic benefits and the benefits to the individual of receiving the relevant offers, it does not offer a blanket confirmation legitimate interests is always a lawful basis for direct marketing,” she said. “The balancing test still needs to be carried out.”
Robert Lands, partner at law firm Howard Kennedy, said companies should take away from this decision “the cost of compliance must factor into their commercial modeling. If the decision to process personal data is a commercial one, then the cost of providing privacy notices is unlikely to ever be disproportionate.”