Businesses may feel more secure when relying on “legitimate interests” as a lawful processing ground, following a data protection ruling by the First Tier Tribunal (FTT).
Experian Marketing Services (EMS), a business unit within the wider Experian company, processes the personal data of around 51 million people in the UK, and sells this data to third parties for marketing purposes. The data is collected from public sources like the electoral roll, data suppliers, and Experian’s own credit reference agency business.
The General Data Protection Regulation permits the processing of personal data if this is necessary to fulfil the "legitimate interests" of the data controller; however, these legitimate interests must be balanced with the fundamental rights and freedoms of the data subjects. The Information Commissioner’s Office (ICO) investigated Experian’s processing in relation to its EMS business and concluded that it was extensive and intrusive of privacy, and that people would not expect this type of processing on such a large scale. The ICO therefore did not consider that Experian should be relying on the legitimate interests basis of processing and also did not accept as adequate Experian’s Consumer Information Portal on its website, which sets out the way in which Experian processes data.
Following its investigation, the ICO issued a wide-ranging enforcement notice ordering Experian to stop using data from its credit referencing agency (CRA) business for direct marketing purposes. It also required Experian to provide its privacy notice directly to every data subject, suggesting that it would be difficult to achieve "acceptable compliance" with this requirement other than by sending direct mail to each data subject. This would have required Experian to send a letter to almost every household in the UK, given that the number of data subjects is effectively the whole of the adult population.
The FTT struck out the enforcement notice, finding that the Information Commissioner “did not properly appreciate the limited extent to which CRA data was used” and that some intrusion in large scale data profiling does not necessarily prevent reliance on legitimate interests. When balancing legitimate interests against data subjects’ rights and freedoms, due weight should be given to the benefits of the controller’s processing to society. The FTT further held that the ICO “had fundamentally misunderstood the actual outcomes of Experian’s processing” and that the worst outcome of Experian’s processing “is that an individual is likely to get a marketing leaflet which might align to their interests rather than be irrelevant.” A Substitute Enforcement Notice will still require Experian to send data subjects its privacy notice, albeit to a fraction of the recipients envisaged in the original Enforcement Notice.
The decision will be welcomed by businesses seeking to rely on the legitimate interests ground for processing personal data, but may also encourage businesses to challenge future Enforcement Notices issued by the ICO if they consider that these do not accurately reflect their business’s operations. However, the ICO has recently confirmed that it plans to appeal the FTT’s decision.