
In a recent development, credit reference agency Experian has successfully appealed an enforcement notice issued by the Information Commissioner’s Office (ICO) in the UK. This decision has significant implications for data processing practices and the interpretation of the General Data Protection Regulation (GDPR).


The ICO had previously issued an enforcement notice against Experian, alleging several violations of the GDPR. These violations centered on Experian’s offline direct marketing business, where they obtained personal data from third parties and used it for marketing purposes without explicit consent from the individuals.

The Appeal and Outcome:

Experian challenged the ICO’s findings and appealed the enforcement notice. The First-Tier Tribunal (Information Rights) sided with Experian in February 2023, and the Upper Tribunal recently dismissed the ICO’s subsequent appeal, upholding the original decision.

Key Takeaways:

  • Transparency: The tribunal found that Experian’s privacy notice was sufficiently transparent regarding data processing for marketing purposes.
  • Legitimate Interests: The tribunal allowed Experian to rely on legitimate interests for processing data acquired from third parties, provided it wasn’t considered “surprising” or “invisible” to the individuals involved.
  • Data Sharing: The specific details regarding data sharing practices remain unclear, requiring further interpretation of the GDPR’s framework.

What it Means:

This decision sets a precedent for data processing practices in the UK and potentially beyond. While it provides some clarity on transparency and legitimate interests, it raises questions about data sharing practices and how they align with GDPR principles. Organisations should carefully review their data processing practices and privacy notices in light of this ruling.

Further Considerations:

  • It’s important to note that this is a specific case and may not apply to all data processing activities.
  • Organisations should continue to monitor developments in data privacy regulations and best practices.

Looking Ahead:

The Experian vs ICO case highlights the ongoing debate surrounding data privacy regulations and their interpretation. This decision is likely to be further analysed by legal professionals and may influence future data protection enforcement actions.

A word from our Director, Vic Pooley:

This is an interesting development for the industry, not least because there has always been a lot of disagreement in relation to whether “legitimate interest” or “consent” is the most appropriate basis for processing consumer marketing data. That is coupled with the fact that a Legitimate Interest Assessment (LIA) is an internal risk assessment document very much open to interpretation.

The biggest surprise for me though was the Tribunals allowing Experian to rely on third-party privacy policies, even when they did not mention Experian as a brand (I always believed it was a requirement to have our brand and our clients named on the privacy policies). This confirms that if you can prove LI as a lawful basis, processing is permissible, whether the data subject has been informed where & with whom the information will be shared, or not. They agreed that even though some data was initially collected under consent, Experian could process it under legitimate interest. Again, this was a surprise!

Whichever side of the fence you fall on, this case just highlights the fact that the ICO needs to provide further clarity to avoid the ambiguous interpretations between these two data processing positions, which have plagued the industry since 2018. It also highlights that marketing, when done well, is considered as much of a legitimate interest to the consumer as to the brand advertising.

Either way, I’ve had my popcorn out on this one!