Hello, Mauven Here: Why the ICO's Experian Loss Matters More Than You Think
Hello, Mauven here.
I want to talk about a regulatory outcome that has been underread outside specialist legal and privacy circles, and which has direct implications for the subject of this week’s podcast.
The outcome is Information Commissioner v Experian Ltd [2024] UKUT 105 (AAC). The Upper Tribunal’s judgment was handed down on 23 April 2024. The ICO confirmed in May 2024 that it would not pursue a further appeal. I think people who are not data protection lawyers have not fully processed what this outcome signals.
What the Case Was About
The case originated from a complaint filed by Privacy International in November 2018, shortly after UK GDPR came into force. The complaint addressed the data broker practices of Experian, Equifax, and TransUnion, specifically their use of personal data for direct marketing purposes without what Privacy International argued was adequate transparency or consent.
The ICO investigated. In October 2020, it published findings describing “widespread and systemic data protection failings across the sector.” Between the three credit reference agencies operating as data brokers, the data of almost every adult in the UK was being screened, traded, profiled, enriched, or enhanced for direct marketing, without most individuals knowing it happened.
Equifax and TransUnion withdrew non-compliant services and avoided formal enforcement action. Experian maintained its position. The ICO issued an enforcement notice requiring fundamental changes to Experian’s offline direct marketing practices.
The Tribunal Proceedings
Experian appealed to the First-tier Tribunal. On 20 February 2023, the First-tier Tribunal ruled substantially in Experian’s favour. It rejected the ICO’s positions on transparency, fairness, and lawful basis for most of the challenged processing. It replaced the enforcement notice with a narrower substitute notice requiring Experian to provide Article 14 privacy notices to a cohort of 5.3 million individuals whose data came from certain open sources, while finding it would be disproportionate to require that notification immediately.
The ICO appealed to the Upper Tribunal on five grounds. On 23 April 2024, the Upper Tribunal dismissed all five grounds. The judgment is careful and detailed. It does not say that data broker processing is uniformly lawful. What it establishes is that the ICO’s specific positions on transparency, fairness, and the application of legitimate interests in this case were not sustained.
The ICO then confirmed it would not pursue a further appeal.
Why the Timeline Matters
From Privacy International’s complaint in 2018 to the Upper Tribunal judgment in 2024 is six years. Adding the period from the original 2020 enforcement notice to the 2024 judgment is four years.
For regulatory enforcement, that timeline is not unusual. But for an industry assessing its risk exposure, a six-year process that concludes without a monetary penalty and without a binding ruling that the core processing was unlawful provides a specific kind of information.
The signal is not that data broker processing is automatically lawful. The signal is that challenging ICO enforcement in this area is viable, that the legal basis of legitimate interests is more defensible than the ICO had argued, and that the financial risk of enforcement action is lower than it might appear from the law’s stated maximum penalties.
I am not advocating for this conclusion. I am describing what rational market participants, advised by lawyers who have read the judgment, will have taken from it.
The Comparative Context
The UK outcome sits alongside a different enforcement trajectory in Europe.
The CNIL fined Criteo €40 million in June 2023 for consent failures in its adtech and data processing operations. Criteo appealed. France’s Council of State upheld the fine in March 2026. The Dutch Authority for Personal Data fined Clearview AI €30.5 million in 2024 with an additional daily non-compliance penalty of €5.1 million.
These are different cases against different companies for different violations. But the contrast in enforcement posture is real. EU supervisory authorities have demonstrated willingness to impose substantial monetary penalties against companies in the broader data processing and brokering sector. The ICO’s approach in the Experian case, as it turned out, involved enforcement notices rather than financial penalties, and those notices were ultimately substantially reduced through the tribunal process.
What the DUAA Changes and Does Not Change
The Data (Use and Access) Act 2025, in force from 5 February 2026, restructured the ICO as the Information Commission and gave it enhanced powers, including binding assessment notices and strengthened investigatory tools under PECR.
The DUAA also clarified that direct marketing can constitute a legitimate interest, providing statutory footing for a position the data broker industry already relied on. This works in two directions: it gives the industry more certainty about its lawful basis, while also potentially giving the Information Commission clearer grounds on which to test the adequacy of balancing tests.
What the DUAA cannot do is reverse the signal that the Experian outcome sent. Enhanced powers matter only if they are exercised, and in a way that changes market behaviour. That requires a visible enforcement action that results in a substantial penalty and withstands challenge.
Until that happens, the data broker market has a reference point from 2024 that it will continue to apply when assessing UK regulatory risk.
What This Means for Directors and SMBs
For a UK SMB director whose personal data sits in commercial broker databases, the Experian outcome means the following in practical terms.
The individual rights framework remains your primary tool. Subject access requests, erasure requests, and objection rights exist and are worth exercising. The ICO provides template letters.
The systemic remedy, meaningful enforcement that changes market behaviour, has not yet arrived at the scale required. Waiting for it is not a reasonable approach to protecting your own exposure.
The Information Commission’s enhanced powers under the DUAA represent a genuine potential change, but it is a potential that has not yet been demonstrated through action.
Manage your exposure actively. Exercise your rights. Document everything. Report non-compliance. And do not assume that because rights exist on paper, they are being enforced at the scale that would make your individual exercise of them unnecessary.
How to Turn This Into a Competitive Advantage
Understanding the Experian case and its implications is genuinely specialised knowledge that most business advisers and MSPs do not have. Being able to place a client’s data rights questions within the actual regulatory context, rather than citing GDPR provisions as if they automatically protect anyone from anything, is a marker of genuine competence.
For business owners, awareness of the enforcement gap means being realistic about what the regulatory environment currently provides, and taking individual action accordingly.
How to Sell This to Your Board
The Experian case is board-level material because it describes the regulatory environment your directors are operating in.
The law contains rights and the regulator has powers. The enforcement record to date has not produced the market-level change those rights and powers were designed to create. The DUAA may change that. It has not changed it yet. Your board should understand both halves of that sentence, and approve an approach to director data exposure that does not depend on regulatory improvement arriving before action is needed.
What to Do This Week
- Read a summary of the Upper Tribunal judgment in Information Commissioner v Experian Ltd [2024] UKUT 105 (AAC). Understanding what was argued and decided helps calibrate expectations for future regulatory action.
- Submit subject access requests to any UK-operating data brokers whose names appear in searches for your directors.
- Track responses and document non-compliance for potential ICO complaint.
- Monitor ICO enforcement action in the data broker sector for indications that the Information Commission’s enhanced powers are being applied differently.
- Treat the enforcement gap as a governance variable, not a fixed permanent condition. It can change, and your individual documentation supports collective pressure for change.