About a month ago, the disagreement between the ICO and Experian finally headed towards closure with the following sentence: “The Information Commissioner’s Appeal is dismissed.” This succinct statement was followed up by 57 closely written pages of explanatory text. You can find it here if you haven’t already committed it to memory.
Now that the window for appeal appears to be closed, here at PDV we warmly welcome the new clarity that the Upper Tribunal’s decision delivers.
Our favourite take-out from the ruling (yes, we have one!) is that there really doesn’t need to be any further clarification around the reliance on Legitimate Interests for processing data for marketing purposes. It is still, and always has been, perfectly permissible under certain circumstances to rely upon Legitimate Interests when processing data for marketing purposes.
Controllers are reminded of their transparency obligations by the tribunal, which conceded that the GDPR does not rigidly specify exactly how those transparency obligations should be fulfilled. The ruling therefore also reminds controllers they must make a judgement, considering such things as the sensitivity of the data being processed, how intrusive the processing is, and the potential positive or negative consequences the processing might have on the data subject as well as the costs to fulfil them.
You might wonder how a ruling that says “you have to make a judgement” is more clear than a ruling that says “this is the principle you must abide by”. A fair question.
Another way of looking at it is to say controllers are no longer committed to the highest bar for transparency in circumstances where likely harm is minimal. In other words, no matter what data you are processing while relying upon Legitimate Interests you’d better make bloody sure the data subject can get the information they need, but the method you choose to inform them can vary according to proportionality. It isn’t sensible or proportional for example to write to everyone who’s data you are processing to tell them you may write to them with a marketing offer when you’ve already given the data subject access to the information they need if they want it.
The Upper Tribunal decision did leave us with one unanswered question however (because it was not asked to give an opinion). What about the use of the Open Electoral Register (OER) as a source file for marketing purposes? Some organisations believe that people whose data exists on the OER have not been sufficiently informed about controllers’ processing of their data, largely because the controllers in question have not been named. The OER cannot therefore be processed as a source file for marketing.
Other organisations consider that because subjects are given the option to opt out of the marketing-related processing of their data in the OER, they have been sufficiently informed. There could be another fight to come.
PDV doesn’t process the Open Electoral Register in this way so we’re settling in with the biggest bag of popcorn.
Graham Tomblin
Twenty-odd years helping clients and growing businesses with Data and Direct Marketing.