About a month ago, the disagreement between the ICO and Experian finally headed towards closure with the following sentence: “The Information Commissioner’s Appeal is dismissed.” This succinct statement was followed up by 57 closely written pages of explanatory text. You can find it here if you haven’t already committed it to memory.
Now that the window for appeal appears to be closed, here at PDV we warmly welcome the new clarity that the Upper Tribunal’s decision delivers.
Our favourite take-out from the ruling (yes, we have one!) is that there really doesn’t need to be any further clarification around the reliance on Legitimate Interests for processing data for marketing purposes. It is still, and always has been, perfectly permissible under certain circumstances to rely upon Legitimate Interests when processing data for marketing purposes.
Controllers are reminded of their transparency obligations by the tribunal, which conceded that the GDPR does not rigidly specify exactly how those transparency obligations should be fulfilled. The ruling therefore also reminds controllers they must make a judgement, considering such things as the sensitivity of the data being processed, how intrusive the processing is, and the potential positive or negative consequences the processing might have on the data subject as well as the costs to fulfil them.
You might wonder how a ruling that says “you have to make a judgement” is clearer than a ruling that says “this is the principle you must abide by”. A fair question.
Another way of looking at it is to say controllers are no longer committed to the highest bar for transparency in circumstances where likely harm is minimal. In other words, no matter what data you are processing while relying upon Legitimate Interests, you’d better make bloody sure the data subject can get the information they need, but the method you choose to inform them can vary according to proportionality. It isn’t sensible or proportional, for example, to write to everyone whose data you are processing to tell them you may write to them with a marketing offer when you’ve already given the data subject access to the information they need if they want it.
The Upper Tribunal decision did leave us with one unanswered question, however (because it was not asked to give an opinion). What about the use of the Open Electoral Register (OER) as a source file for marketing purposes? Some organisations believe that people whose data exists on the OER have not been sufficiently informed about controllers’ processing of their data, largely because the controllers in question have not been named. On that view, the OER cannot therefore be processed as a source file for marketing.
Other organisations consider that because subjects are given the option to opt out of the marketing-related processing of their data in the OER, they have been sufficiently informed. There could be another fight to come.
PDV doesn’t process the Open Electoral Register in this way so we’re settling in with the biggest bag of popcorn.
Graham Tomblin
Twenty-odd years helping clients and growing businesses with Data and Direct Marketing.