Appellant: The Information Commissioner
Respondent: Experian Limited
DECISION OF THE UPPER TRIBUNAL
THE HON. MRS JUSTICE HEATHER WILLIAMS DBE
UPPER TRIBUNAL JUDGE WIKELEY
UPPER TRIBUNAL JUDGE CITRON
Decision date: 22 April 2024
ON APPEAL FROM:
Tribunal: First-tier Tribunal (General Regulatory Chamber)
Tribunal Case No: EA/2020/0317
NCN: [2023] UKFTT 00132 (GRC)
FTT Hearing Dates: 17, 19-21 & 31 January 2022 & 11 February 2022
FTT Decision Date: 20 February 2023
This front sheet is for the convenience of the parties and does not form part of the decision
IN THE UPPER TRIBUNAL Appeal No. UA-2023-000512-GIA
ADMINISTRATIVE APPEALS CHAMBER [2024] UKUT 105 (AAC)
On appeal from the First-tier Tribunal (General Regulatory Chamber)
Between:
The Information Commissioner
Appellant
- v -
Experian Limited
Respondent
Before: The Hon. Mrs Justice Heather Williams DBE
Upper Tribunal Judge Wikeley
Upper Tribunal Judge Citron
Hearing dates: 6-8 February 2024
Decision date: 22 April 2024
Representation:
Appellant: Mr Timothy Pitt-Payne KC and Mr Christopher Knight, instructed by the Information Commissioner
Respondent: Ms Anya Proops KC and Mr Robin Hopkins, instructed by Linklaters LLP
NOTICE OF DECISION
The Information Commissioner’s appeal is dismissed.
This decision is made under section 11 of the Tribunals, Courts and Enforcement Act 2007 and the Tribunal Procedure (Upper Tribunal) Rules 2008.
REASONS
Introduction
The context for this appeal is helpfully summarised by the First-tier Tribunal (‘the FTT’) in paragraph 1 of its decision:
“Experian is a well-known Credit Reference Agency (“CRA”). In that capacity it holds and processes data relating to over 51 million people living in the United Kingdom, effectively the whole of the adult population. What is less well known is that Experian has within it a business unit, Experian Marketing Services (“EMS”), which processes the data of around 51 million people in the UK to provide marketing services which it sells to its third-party clients. It does so by combining their name and address information, with a total of up to thirteen actual attributes. It then processes this data and creates modelled information on the demographic, social, economic and behavioural characteristics of these 51 million individuals on a predictive basis, the profile for each person running to as many as 49 derived data points about individuals and up to 370 modelled points about individuals, with each profile running to many pages.”
The Information Commissioner, having found concerns with the extent and nature of Experian’s data processing in the light of the transparency requirements of the General Data Protection Regulation (“GDPR”), issued Experian with an enforcement notice (“EN”) after a prolonged investigation. Experian appealed to the FTT against the EN. Following hearings in January and February 2022, the FTT allowed Experian’s appeal in large part, in its decision of 20 February 2023. The Information Commissioner now appeals to the Upper Tribunal, permission to appeal having been granted by Upper Tribunal Judge Wikeley on 2 May 2023. The Chamber President subsequently directed that a three-judge panel be convened to determine the appeal as it raises a point of law of special difficulty or an important point of principle.
This appeal is primarily concerned with the principle of transparency, both the overarching duty in Article 5(1)(a) and the detailed obligations in Article 14 GDPR. It is common ground that the provision of transparency in the processing of personal data is foundational to data subjects’ rights. We understand from counsel that the transparency principle has not been the subject of any detailed judicial consideration by the Upper Tribunal or by the appellate courts so far. The Information Commissioner alleges that the FTT’s decision involved multiple errors of law and that it failed to address, or adequately address, a number of relevant issues. Experian contends that the FTT’s decision should be upheld and that the appeal essentially seeks to re-litigate unassailable findings of primary fact and evaluative assessments that were made below.
Our decision is to dismiss the appeal for the reasons that we set out.
The structure of the Upper Tribunal’s decision
The following Table signposts the structure of our decision:
Subject matter | Paragraph(s) |
Introduction | 1-4 |
The structure of the Upper Tribunal’s decision | 5-6 |
Abbreviations | 7 |
Glossary | 8 |
The nature of Experian’s data processing | 9-12 |
The Information Commissioner’s Enforcement Notice | 13-21 |
Experian’s appeal to the First-tier Tribunal | 22-27 |
The Information Commissioner’s case before the First-tier Tribunal | 28-31 |
The hearing before the First-tier Tribunal | 32-33 |
The First-tier Tribunal’s decision: | |
The structure of the decision | 34 |
The First-tier Tribunal’s findings | 35-41 |
The First-tier Tribunal’s conclusions | 42-46 |
The Substituted Enforcement Notice | 47-48 |
The Information Commissioner’s grounds of appeal to the Upper Tribunal | 49-58 |
The legal framework: | 59 |
The Upper Tribunal’s “error of law” jurisdiction | 60-62 |
Adequacy of reasons | 63-66 |
Enforcement notices and appeals against them | 67-70 |
The GDPR | 71-82 |
Recitals to the GDPR | 83-88 |
Proportionality | 89-90 |
The EDPB: decisions and guidelines | 91-94 |
Summary of relevant aspects of the transparency principle in the GDPR | 95-96 |
The parties’ overarching submissions | 97-103 |
Ground 1: | |
The Information Commissioner’s submissions | 104-108 |
Experian’s submissions | 109-114 |
Alleged overarching errors: discussion and conclusions | 115-131 |
Alleged specific errors: discussion and conclusions | 132-142 |
Concluding observations on Ground 1 | 143 |
Ground 2: | |
The Information Commissioner’s submissions | 144-149 |
Experian’s submissions | 150-155 |
Alleged overarching error: discussion and conclusions | 156-160 |
Alleged specific errors: discussion and conclusions | 161-179 |
Concluding observations on Ground 2 | 180-181 |
Ground 3: | |
The Information Commissioner’s submissions | 182 |
Experian’s submissions | 183 |
Discussion and conclusions | 184-188 |
Ground 4 | 189 |
Ground 5: | |
The Information Commissioner’s submissions | 190-191 |
Experian’s submissions | 192 |
Discussion and conclusions | 193-196 |
Outcome | 197-198 |
We start our decision by dealing with some matters of terminology.
Abbreviations
The following abbreviations are used in this decision:
CAIS | Credit Account Information Sharing |
CMA | Competition and Markets Authority |
CRA | Credit Reference Agency |
CRAIN | Credit Reference Agency Information Notice |
DPA 2018 | Data Protection Act 2018 |
ECS | Experian Consumer Services |
EDPB | European Data Protection Board |
EMS | Experian Marketing Services |
EN | Enforcement Notice |
FTT | First-tier Tribunal |
GDPR | General Data Protection Regulation |
LIA | Legitimate Interest Assessment |
NMR | No Marketing Request |
OER | Open Electoral Register |
SEN | Substituted Enforcement Notice |
Glossary
The following definitions apply in this decision:
CAIS | Credit Account Information Sharing service is a closed user group database, forming part of the Experian CRA, used for sharing credit account information between those entitled to access that database |
ChannelView | A database principally used by Experian to link contact details with existing names and address profiles held in ConsumerView |
CIP | Consumer Information Portal is the website maintained by Experian providing transparency information to data subjects about EMS’s activities (https://www.experian.co.uk/cip) |
ConsumerView | A database which combines name and address information with actual, derived and modelled information on the demographic, socio-economic and behavioural characteristics of individuals and households |
Mosaic | A database which uses ConsumerView as well as third party datasets to build non-identifiable segments illustrating demographic and lifestyle attributes at postcode and household levels. If an attribute from Mosaic is appended to an individual in ConsumerView, that attribute is then considered to be personal data |
non-prospectable | Data acquired from the CRA business where Experian will not share the name and address data with their clients for the purposes of reaching prospective new customers or ‘prospects’ |
propensities | The likelihood of a characteristic in the form of a score added to the Experian database against individuals |
prospectable | Data not acquired from the CRA business where Experian will share the name and address data with their clients for the purposes of reaching prospective new customers or ‘prospects’ |
The nature of Experian’s data processing
The extensive nature of Experian’s data processing, sketched out only very briefly at [1] above, was further summarised by the FTT at [2]-[10] of their decision:
“2. The enforcement notice relates to Experian’s processing of personal data for marketing services for its offline, not online, marketing services.
3. The direct marketing services business is operated by EMS, which is a separate business unit within Experian but is not a separate legal entity. For that reason, we refer in this decision to Experian, not EMS, as it is the legal entity which is the appellant. Broadly, Experian does not carry out marketing in its own name, but its data processing furthers the direct marketing of third parties, that is, Experian’s customers.
4. For the purpose of the EMS business, Experian acquires the personal data of individual data subjects from a variety of sources in broadly three strands. It obtains publicly available information from sources such as the Open Electoral Roll (“OER”), Companies House and the register of County Court Judgments. It also acquires data from third parties such as Gardeners’ Club. It also acquires data from its CRA business. It does not process the data from these three strands in the same way.
5. Experian processes the data to create three different products which are relevant to the notice and the appeal: ConsumerView, ChannelView and Mosaic. There is, in addition to those services, a credit pre-screening product that uses some elements of CRA data only offered to members of Credit Account Information Sharing service (“CAIS”).
6. Broadly, Experian has no direct relationship with individuals whose data it processes for the purpose of these products, except in a limited number of cases when individuals contact Experian via the Experian website or where they have a direct relationship with Experian via Experian Consumer Services (“ECS”).
7. ConsumerView contains entries at an individual level for some 51 million adults in the United Kingdom, that number changing from time to time due to changes in the UK adult population, as a result of deaths and people turning 18. ConsumerView combines name and address information, with a total of up to thirteen actual attributes. It then processes this data and creates modelled information on the demographic, social, economic and behavioural characteristics of individuals and households on a predictive basis. The actual information reflects known characteristics of a given individual; the derived information reflects characteristics that are calculated or ascertained from other data, the modelled information reflecting predicted characteristics.
8. ChannelView’s database contains names, postal addresses, email addresses and mobile phone numbers are predominantly provided to Experian by various third data suppliers who between them collect data from data subjects via some 148 websites in return for access to offers and discounts, price comparison services, the ability to participate in surveys and so on. The total number of records will vary from time to time, but it contains details of at least 24 million individuals.
9. Mosaic uses data from public and commercial sources in order to attribute households into fifteen overarching groups, 66 household types and 155 person types. Some of the information through which Mosaic is created is taken from the individual profiles on ConsumerView but there are other non-personal data sources which read into that. Mosaic codes are appended to the individual level profiles within ConsumerView.
CRA-Derived Data
10. Experian uses data derived from Experian’s CRA business in the following ways:
(1) to add names and addresses to ConsumerView (about 25.1 million individuals are added to ConsumerView by this route);
(2) to ensure the accuracy of the 25.9 million prospectable records included in ConsumerView;
(3) to match and link records from different sources;
(4) to build the derived and modelled attributes within ConsumerView.
In this context, “prospectable” means that a name and postal address will be shared by EMS with customers who do not already have that name and address, to help those customers reach new business and supporters. Others are non-prospectable which means that the name and address data will not be shared in this way, but information concerning them can be shared with customers who already have those individuals name and address.
Experian treats the records obtained from the CRA as “non-prospectable”. With the exception of the credit pre-screening product, the only data points derived from Experian’s CRA business that are used by Experian are name, address and date of birth. The CRA derived data is also used to offer a credit pre-screening product to customers who were a member of the CAIS which operates to remove people from the marketing lists through credit, products and circumstances where they would likely be declined if they were to make an application for the product.”
The FTT, in the section of their decision headed “Findings”, recorded several further features of Experian’s data processing activities which were not in dispute and so can be rehearsed here. Thus, “Experian has no direct relationship with the individuals whose data it processes save for those with whom it may also have a direct relationship through ECS” (FTT at [140]). As regards Experian’s data processing products the FTT added:
“141. ConsumerView is, as is noted above, a product which combines the name and address information for some 51 million UK adults with predicted socio-economic and behavioural characteristics. Not all of the profiles will contain the maximum number of thirteen actual attributes and many of those are obtained from sources which are publicly accessible such as the open electoral register, the Registry Trust (in respect of county court judgments), and Companies House. Three data points (buildings insurance renewal month, contents insurance renewal month and motor insurance renewal month) are not derived from public sources and one data point, that is prospectable, being a person’s date of birth, can be derived either from a public source (the OER) or from a non-public source such as a third party suppliers.
…
144. We accept, as is clear from the sample profiles shown to us, that ConsumerView profiles will include up to 49 derived data points about individuals and up to 370 modelled points about individuals. These are, as Experian submits, predictions about the likelihood of people having certain characteristics. …
…
146. … It is important to note that the data obtained via CRA is not prospectable. We note also Ms Shearman’s evidence that data may be marked as non-prospectable if individuals appear on Experian’s NMR file or other industry suppression files such as mail preference and telephone preference. That said, if an individual is marked as non-prospectable, then that will not affect the nature and range of that data that is held about the person unless they apply to have their data removed which, as the evidence demonstrates, applies only to a very small number of people.
147. With regard to how the ConsumerView database is used by clients of Experian, if they send a list of individual names and ask Experian to enrich it from the ConsumerView database, Experian will use both prospectable and non-prospectable records in answering the request albeit that the information provided to the customer will only have attributes and propensities added and not the name and address (unless of course this is already held). In other circumstances, Experian’s clients may request records containing those attributes and propensities which are of most relevance to their organisation, e.g. whether a customer is more or less likely than average to be interested in direct mail, or what age group they might be in. In response, Experian will provide such clients with prospectable records.
148. The information held on ChannelView is predominately provided to Experian by various third-party data suppliers … It is used in order to link information held in ConsumerView with records provided to Experian by its customers and suppliers.”
Experian has created a Consumer Information Portal (“the CIP”) on its website, setting out the ways in which it processes data (https://www.experian.co.uk/cip). The adequacy (or otherwise) of the CIP in terms of its transparency was one of the central issues raised by the Information Commissioner’s EN and so also on the appeal before the FTT.
As the FTT noted at [13], in relation to CRA derived data, Experian relies upon the Credit Reference Agency Information Notice (“the CRAIN”), which is the general note produced by and used by CRAs “which sets out the wide variety of sources used by Experian and the other CRAs to obtain data about individuals and how the data may be used”. The CRAIN contains hyperlinks to the CIP. The third party data suppliers display privacy information on their websites with hyperlinks to the CIP. The accessibility of these routes to the CIP was also a central area of dispute before the FTT.
The Information Commissioner’s Enforcement Notice
On 12 October 2020 the Information Commissioner issued Experian with an EN under sections 149(2)(a) and (b) of the DPA 2018. The EN made detailed findings that Experian had contravened, and was still contravening, Articles 5(1)(a), 6 and 14 of the GDPR. The EN imposed a series of requirements on Experian, set out in an Annex, to be completed within either three or nine months. These requirements were organised into five categories. Category A requirements were based on alleged breaches of GDPR Article 5(1)(a) and the obligation to process personal data fairly and transparently. Category B requirements were derived from alleged breaches of GDPR Article 14, while Category C requirements were founded on alleged breaches of GDPR Article 5(1)(a) and Article 6 and the obligation to process personal data lawfully. The Category D and E requirements related to matters where by the time of the FTT the Information Commissioner no longer considered that enforcement action was required, and so they are not discussed further here.
Here we just summarise the main import of those various stipulations – we refer a little later to the full text of the most significant requirements, namely A1, B4-B5 and C6-C8. (The requirements at A2 and C3 are no longer live issues, as we will come on to explain.)
• A1 – to revise the CIP in certain respects;
• A2 – to cease using credit reference derived-data for any direct marketing purposes;
• C3 – to delete data supplied on the basis of consent which is now processed on the basis of Experian’s legitimate interests;
• B4-B5 – to directly provide all data subjects with an Article 14-compliant privacy notice where Experian has acquired their personal data from any source other than the data subject, which informs the data subject that their personal data has been obtained by Experian for purposes which include direct marketing and the form that processing for marketing purposes takes; and to cease processing of any personal data of any data subject to whom such a notice is not sent;
• C6 – to cease processing any personal data where the objective legitimate interest assessment cannot be said to favour the interests of Experian, having particular regard to the transparency of the processing and the intrusive nature of profiling;
• C7 – to review the compliance with the GDPR of the privacy notices and data capture mechanisms of all third party data suppliers and collect data from them only where they meet the same standards of transparency as Experian’s own material;
• C8 – to cease the processing of any personal data where there is insufficient evidence that it was collected in a compliant manner.
The EN is a detailed and lengthy document – and indeed the FTT’s summary of the EN in their decision runs to six pages – but we will highlight the main features.
In relation to the Category A and Category B requirements, the Information Commissioner considered that the collation of a wide range of personal data about a huge number of data subjects constituted processing on a scale and for detailed analytical purposes which few data subjects would expect and constituted data profiling within the meaning of Article 4(4) GDPR. On that basis, the Information Commissioner considered it was incumbent on Experian to ensure that it was as transparent as possible about the data it was using; where it had been obtained from; and the ways in which it was used. In the Information Commissioner’s view, data subjects were precluded from being able to exercise their GDPR rights without clear, detailed and transparent information, provided in a way that a data subject could readily understand. The Information Commissioner considered that the requirement of transparency in Article 5(1)(a) went beyond simple compliance with Article 14 and was context dependent. The Information Commissioner recognised that improvements had been made to the CIP, but considered that even in its most recent version it still failed to achieve the necessary transparency (in the respects summarised by the FTT at [18(a)]-[18(l)] of their decision). In sum, the Information Commissioner concluded that the extensive processing carried out by Experian, coupled with what she characterised as the largely invisible nature of that process (in particular the profiling of data subjects), was intrusive. Although not the most intrusive type of processing, it nonetheless involved the compilation of a wide range of data from public and private sources so as to build a profile of approximately 50 million data subjects, few of whom would expect such processing on a mass scale.
The Information Commissioner accepts that the requirement at A2 of the EN was overturned by the FTT and does not seek to challenge this. Accordingly, we need say no more about that aspect.
As regards the Category C requirements, the Information Commissioner considered that Experian had contravened both Article 5(1)(a) and Article 6(1) GDPR. Experian processed all of the personal data held for direct marketing purposes on the basis of its legitimate interest, but the information provided by third party suppliers was provided on the basis that those third parties’ data subjects’ data was obtained by consent. However, by the time of closing submissions before the FTT, it was accepted that data was no longer processed on the basis of consent. Thus the requirement at C3 became academic, and we focus on the requirements relating to processing on the basis of legitimate interests. In this respect, the Information Commissioner was not satisfied, in circumstances where a very large amount of personal data was being processed in highly targeted ways and where there were significant issues of non-transparency, that Experian had correctly or properly concluded there was a lawful basis for processing the personal data. The Information Commissioner rejected Experian’s assertion that the processing for profiling was not intrusive of privacy. The Information Commissioner’s case was that little weight could be attached to the supposed benefit of the data subject receiving direct marketing communications that were more appropriate to them and that this was a consequence of processing and profiling which they would not have anticipated. The Information Commissioner considered that it was unlikely that a controller would be able to rely on legitimate interests for intrusive profiling for direct marketing purposes.
As mentioned above, the Annex to the EN then set out the detailed requirements imposed on Experian. The Category A1 requirement, which was required to be met within three months, was framed in the following terms:
“Category A
1) Revise the CIP to:
a) set out clearly in one place and at the forefront of the privacy information an "at a glance" summary of the direct marketing processing that Experian undertakes, including what attributes (actual and modelled) Experian processes about individual data subjects;
b) place information that is likely to surprise individuals (for example, that connect together multiple data sources to build a marketing profile) more prominently than in the third or fourth layers;
c) include language concise, clear and not unduly euphemistic or industry-based language (such as "insight") to ensure it is intelligible to data subjects; and
d) include intelligible information about each source of data (including modelled data), each use of data and the onward disclosure of data and illustrate them with examples and possible outcomes.”
The further requirements under Categories B and C were stipulated to be met within a nine month timescale:
“Category B
4) Directly provide all data subjects with an Article 14-compliant privacy notice (by mail or other acceptable means of communications) where Experian has acquired their personal data from any source other than the data subject, which clearly and directly informs the data subject that their personal data has been obtained by Experian for purposes which include direct marketing and the form that processing for marketing purposes takes, in terms and form consistent with paragraph 1) above (save that no notice is required to be sent where Experian's processing concerns only the retention or sale of the Open Electoral Register and no other processing of the personal data in that Open Register has occurred, or relates to the obtaining and use of directory enquiry databases like BT OSIS or suppression databases like the TPS).
5) Cease the processing of the personal data of any data subject to whom an Article 14-compliant notice is not sent.
Category C
6) Cease processing any personal data where the objective legitimate interest assessment cannot be said to favour the interests of Experian, having particular regard to the transparency of the processing and the intrusive nature of profiling.
7) In the case of all suppliers of personal data to Experian, review the compliance with the GDPR of the privacy notices and data capture mechanisms of those suppliers and collect data from only those suppliers where it is the case that:
a) the suppliers' notices provide the same standard of transparency as the CIP,
b) the suppliers' consent capture mechanisms are sufficient to constitute valid consent (including being informed and specific) to the collection, disclosure and onward processing of the data; and
c) the suppliers' privacy information is clear and intelligible, with processing that the individual is unlikely to expect or would be surprised by to the fore and not buried in lengthy and jargon-heavy text.
8) Cease the processing of any personal data where there is insufficient evidence that it was collected in a compliant manner.”
We now outline the main features of Experian’s challenge to the EN.
Experian’s appeal to the First-tier Tribunal
The overarching ground of challenge by Experian in its appeal to the FTT was that the EN was an attempt by the Information Commissioner to impose its subjective preferences as if they were legal requirements under the GDPR, and that those subjective preferences were based on a mischaracterisation of Experian’s business and its impact on individuals’ privacy. The result, it was said, would be that Experian would be compelled to adopt an unworkable, purely consent based, model for offline marketing services and this would, if complied with, force Experian to shut down its offline marketing services business. As such it was argued that the Information Commissioner had applied the law incorrectly and/or reached flawed conclusions on the facts. In sum, it was contended that the requirements of the EN were disproportionate and unfair and the notice should be set aside in its entirety. In support of this overarching challenge Experian advanced five more specific grounds of appeal before the FTT.
Experian’s first ground of appeal was essentially an economic argument, namely that effective and efficient marketing was fundamental to the achievement of a successful marketing consumer economy. In this respect it was argued that Experian’s data processing activities served the interests of data subjects, by ensuring that they received marketing materials which were more likely to be relevant to them, limiting the scope for them to receive irrelevant marketing communications, and in helping to deliver lower prices due to more efficient marketing and competition.
The second ground of appeal was that the Information Commissioner’s assertion that Experian’s processing activities would not be expected by the data subjects and would be likely to cause distress was unevidenced. Furthermore, Experian contended, it was incorrect as it used data from public sources to build statistical models from which attributes could be inferred – it did not process actual data relating to individuals’ behaviour and nor did it track their internet activity.
Experian’s third ground of appeal was that the Information Commissioner had proceeded on the basis of wrong assumptions as to the nature of Experian’s business model (e.g. the false assumption that Experian conducted its business so as to ensure its data processing activities remained invisible).
The fourth ground of appeal before the FTT was that the Information Commissioner’s approach was out of step with the requirements of Article 14 and that it was disproportionate in all the circumstances to require a privacy notice to be sent directly to all data subjects.
Experian’s fifth and final ground of appeal was that the effect of the Information Commissioner’s approach was that its privacy notice would be rendered less and not more meaningful as it would then lack effective, user friendly layering and structuring. Furthermore, it was alleged that Experian and its clients would be hampered in an effort to ensure that financially vulnerable people were not unduly exposed to inappropriate marketing materials. In addition, Experian would need to send communications to data subjects which would be likely to be viewed by them as unnecessary and irritating (if the recipients bothered to read them at all), as well as being environmentally unsound.
The Information Commissioner’s case before the First-tier Tribunal
The Information Commissioner resisted Experian’s appeal, reiterating her argument that Experian was engaged in invisible processing of personal data on a mass scale. She contended that the lack of transparency involved meant that data subjects’ GDPR rights were rendered less effective, if not wholly ineffective. It was not accepted that compliance with the EN would require Experian to shut down its offline marketing business.
With regard to the requirements set out in the EN, the Information Commissioner denied she was imposing too high a standard, arguing that Experian’s case failed to recognise that the principal requirement of transparency is a high level obligation and it is the necessary role of the national supervisory authority under the GDPR scheme to form a view on compliance. It was denied that the EN required excessive detail which would diminish transparency nor was it accepted that what was required was too vague.
We note that by the time of the FTT hearing there was no dispute that the CIP displayed an Article 14 ‘pop-up’ privacy notice containing the requisite information. However, the Information Commissioner contended that the content and layout of the CIP did not comply with the Article 5 transparency requirements, given both the nature of Experian’s data processing and the layering of the CIP’s web pages. The Information Commissioner further submitted that the data subjects’ routes to the CIP via both the CRAIN and the third party suppliers did not comply with Article 14.
The Information Commissioner also maintained that Experian’s approach to the legitimate interests assessment (“LIA”) was deficient in that it had failed to have regard to relevant considerations, in particular the expectations of data subjects, the scale and intrusive nature of its profiling and processing, and the lack of sufficient transparency.
The hearing before the First-tier Tribunal
The FTT (Upper Tribunal Judge Rintoul, Tribunal Judge Griffin and Tribunal Member Grimley Evans) heard extensive evidence and submissions over six days (17, 19-21 & 31 January 2022 & 11 February 2022), with the hearing bundles running to several thousands of pages, supplemented by skeleton arguments and closing submissions which in themselves ran to several hundred pages. Experian’s witnesses were Ms Shearman (senior product manager), Mr Bendon (product director), Mr Cresswell (data protection and privacy lead), Mr Grieves (managing director of UK marketing services business) and Mr Parker (economist and expert witness). The Commissioner’s witnesses were Mr Hulme (director of regulatory assurance) and Mr Reynolds (economist and expert witness). After the conclusion of the evidence and at the request of the FTT, the parties provided a Schedule of agreed and disputed facts.
Although the parties made their closing submissions on 11 February 2022, the FTT’s decision was not signed off until just over a year later on 17 February 2023 and promulgated on 20 February 2023. No apology or explanation was evident on the face of the FTT’s decision for this lengthy and most regrettable delay.
The First-tier Tribunal’s decision
The structure of the decision
As we have indicated, the FTT allowed the appeal in part. The decision itself commenced with a substituted Decision Notice in the form of the SEN. The FTT’s reasons then ran to some 45 pages and 187 paragraphs. The FTT started with an introduction and a review of background matters, focussing on the Information Commissioner’s EN ([1]-[30]). This was followed by a detailed account of Experian’s grounds of appeal ([31]-[46]) and the Information Commissioner’s response ([47]-[55]). The FTT then dealt with the hearing and in particular reviewed the oral evidence tendered on behalf of the parties at some length ([57]-[110]). In the next section, entitled “The Tribunal’s Function”, the FTT included relevant provisions of the DPA 2018, followed by Articles 4-7, 12 and 13-14 of the GDPR ([111]-[129]). The FTT set out their “Findings” at [130]-[171] and then their conclusions in a section headed “Has there been a breach as the Information Commissioner submits?” at [172]-[187].
The First-tier Tribunal’s findings
As well as the bare statutory provisions, the section at [111]-[129] also included some commentary by the FTT, as follows:
“119. We accept the Information Commissioner’s submission that the right to transparency in the processing of personal data is foundational as it enables data subjects to access and exercise their own GDPR rights. We accept it is essential to affording data subjects autonomy and to achieving the purpose of the GDPR that a person should have control of their own personal data.
...
121. With respect to the requirements of transparency, we find that Mr Hulme’s evidence on this makes little sense. Given how it is defined, what is or is not transparent will be fact-specific and context related. The level of transparency required, for example, when sharing intimate health details will not be the same as people consenting to the processing of, for example, data about their preferred supermarket.
…
128. Whilst we understand why counsel for the Information Commissioner would wish to distance himself from Mr Hulme’s evidence, nonetheless, it has the effect of there being little or no evidence to support some of the positions taken in the enforcement notice; and, for reasons to which we will turn below, there are a number of factual errors identified in the enforcement notice. In addition, in his cross-examination Mr Hulme accepted that the scenarios set out in his witness statement as to how people would be distressed by the data processing were incorrect to the extent that he accepted his evidence in his witness statement was “completely wrong, completely misleading and perverse”. Despite this, we did not feel the need to give ourselves a “Lucas” direction.”
Under the heading ‘Findings’ the FTT indicated that they would set out their findings “as to what Experian does with the data it collects”. They began with some observations about the extent to which the data processing aspects of Experian’s business were well-known:
“133. We accept that Experian’s credit reference agency business is well-known. We take notice of the fact that we have observed marketing carried out on television and on billboards. We consider, however, that it would be speculative to consider how well-known their marketing business, EMS, is. We note Mr Grieves’ evidence that Experian presents itself as a business that processes credit data, sharing data and providing access to offers. We note the submission that over 17 million individuals will have interacted with third party websites that supply data to Experian and will thus have seen the reference to the Experian privacy notice, but we do not accept that that is good evidence that that number of people will be aware of EMS. That is because of the other evidence, on which Experian relies. We accept also that approximately 10 million people will have been notified of the existence of Experian if they had been in direct contact with ECS but how much that impinged on their awareness we do not know.”
The FTT then returned to the subject of Mr Hulme’s evidence, about which they were highly critical:
“135. The core of the Information Commissioner’s case is that the processing undertaken by Experian will be surprising to those individuals whose personal data is processed, the processing is intrusive, and that the assessments undertaken in balancing Experian’s legitimate interests are flawed.
136. We found Mr Hulme’s evidence to be significantly flawed in a number of respects. As noted above he accepted that in certain core parts of his evidence what he had said in his witness statement was not just wrong but that the position was in fact the direct opposite of what he had said in that witness statement to which his statement of truth had been appended.
…
138. We accept the submission that in order for weight to be attached to the Information Commissioner’s opinion that it has to be based in evidence. We accept also that in reaching a decision, the Commissioner and this panel must have regard to the regulatory decisions in respect of the economy, the environmental impact and positive benefits for the consumers of processing (which appear from Mr Hulme’s evidence not to have been taken into account in the enforcement notice).”
The FTT referred to whether Experian’s processing would be surprising to data subjects in the following terms:
“142. It is part of the Information Commissioner’s case that individuals on the OER would find Experian’s use of their data surprising. The source for that is primarily Mr Hulme whose evidence is, for the reasons set out above, less than reliable. It is not in reality grounded in evidence but is supposition. Further, the mere fact that some people might subjectively find some things “surprising” is not a particularly useful yardstick.”
The FTT then found that the use of modelled data points was less intrusive than the processing of actual data:
“145. We bear in mind the evidence, as accepted to an extent by Mr Hulme, that modelled data points may not in fact reflect a person’s actual characteristics. This, we find, makes them less intrusive than processing actual data...”
Under the heading “CRA derived data”, the FTT addressed the use made of data subjects’ data as follows:
“152. We accept that the CRA-derived data is used to validate or update address data, and in the creation of Experian’s models. It is important to note that EMS does not have access to any account transaction data. We accept the evidence that there are benefits to data being used in such a way. It ensures that the mailing lists are up-to-date, which in turn means that mailing is not sent to former addresses which may in itself be problematic if it were then to be accessible by those who should not have access to it, depending on what material is in a mailshot. We accept also that it has a utility in that it allows businesses to, as Experian’s evidence indicates, cut down on duplicate names, misspellings and similar errors. There are therefore benefits to this. We note that Mr Hulme accepted these were benefits, and we note that offering a service to check accuracy is supporting compliance with the accuracy principle.
153. Looking at the evidence as a whole we consider that the Information Commissioner did not properly appreciate the limited extent to which CRA data was used. However, we do note that this source of data is used to produce the ConsumerView profiles even if the address information is not prospectable. The CRA data is therefore, to an extent, used in the building up of Experian’s products.
154. We consider that the credit pre-screening product is of use in that it removes people from marketing lists for credit products in circumstances where they would likely to be declined as is the evidence from Experian’s witnesses. We accept that this does not prevent people from applying for the credit product, merely that material is not sent to them. We consider that there is a utility in this because it means that they will not be offered products which (a) might not be affordable for them (b) where a refusal may cause difficulties for their credit score with an ongoing difficulty, spiralling, in obtaining credit... We accept that the FCA does not require firms to process data held by CRA to screen people out, but Experian has never said that that is a requirement, and we note that the PRA and the FCA have confirmed that the service offered is beneficial and helps lenders comply with the FCA’s rules which we consider is a matter in the public interest.
155. We do not accept the emotive evidence from Mr Hulme that the use of CRA data to screen individuals stigmatises poor people...
156. We accept also Experian’s submission that what its clients are seeking to do is not to target particular individuals but merely to have a list of those who are more likely to respond to the offer their client intends to send. That is to say that the chances of direct mail marketing being effective are higher by sending mail to a list of individuals who may have particular characteristics, which is better than sending them at random. Experian’s customers are, we accept, interested in the aggregated picture and we bear in mind that this is not a situation, unlike some direct online marketing, where the buying habits of particular individuals are known. We accept Mr Grieves’s evidence that retailers do not pore over the names and addresses from ConsumerView.
157. With regard to the amount of data sent out, we accept the evidence from Experian that on average four attributes are provided to clients; that data representing the last twenty attributes and that impact of this fact is that they do not sell the entire data profile of a cohort of data subjects. We accept Ms Shearman’s evidence that each disclosure of data by Experian to a client is considered on a case-by-case basis subject to controls including whether it is to be used for a permitted purpose as agreed in the contract. We accept also that there is some auditing of the use to which the data is put and Experian contracts with data brokers contain audit rights requiring the brokers to provide monthly reports on the use of data. We accept also that there are red and amber lists of organisations with whom Experian will not do business or may well not do business, and we note the evidence that the only gambling company which is a customer of Experian uses the service to prevent underage people from gambling. One might have thought that was in the public interest but that too must be balanced.
158. We consider it difficult to quantify how much material would or would not be sent if Experian’s activities were curtailed. We consider the suggestion that Experian’s products help stop one billion communications to be excessive and not properly sourced in evidence. We accept Mr Grieves’ evidence that some of the suppression services may act to prevent stress in certain circumstances and we note, worryingly, that Mr Hulme accepted that proposition and, in the example, whereby marketing was sent to pregnant mother who had suffered a miscarriage that his statement was perverse, wrong and misleading in this regard.
159. With regard to the evidence whereby those who might be in fuel poverty are identified, and the suggestion that may be problematic, we note that such data might, if used by utility companies and relevant service providers be in the public interest.
160. Finally, we accept the submission that the worst outcome of Experian’s processing in terms of what happens to the data at the end of the process is that an individual is likely to get a marketing leaflet which might align to their interests rather than be irrelevant. To some extent we accept that the effect of suppression lists and removing certain types of data may result in some people not receiving distressing or inappropriate communication. That does not of course mean that there has been compliance with the DPA or the GDPR but, following Lloyd v Google LLC [2021] UKSC 50, it is unlikely that there would, in this scenario, be a data subject who is likely to succeed in a damages claim.”
As regards the CRAIN and then the CIP, the FTT made the following findings:
“CRAIN
161. The route for an individual to learn what happens to data acquired via the CRA involves following a link from material supplied by, for example, a bank to the CRAIN and from there to the CIP maintained by Experian. The great majority of lenders make the CRAIN available to individuals by providing them with a link from their own privacy notice. We accept Experian’s position that this route was decided after consultation with the Information Commissioner. The Information Commissioner were also, we accept in the light of the evidence of Mr Cresswell and Mr Hulme, involved in the development of the CRAIN and considered that it was a good transparency notice. We find, examining it that it provides individuals with an understanding of Experian’s business and links to further material.
162. The route noted above will usually be facilitated by hyperlinks if the material from the bank, as is often the case, is supplied in electronic form. We consider that the reasonable data subject will be familiar with hyperlinks and how to follow them.
Consumer Information Portal
163. We were taken at length through the consumer information portal (CIP) which we accept now includes a freestanding notice collating the information required to be provided by Article 14. That was introduced in October 2020 at the same time as the issue was noticed by the Information Commissioner. It has been amended so that it no longer pops up only on a user’s first visit but also on subsequent visits to the site.
164. The Information Commissioner’s case is that Experian made no attempt to identify the information that individuals were likely to find concerning or surprising and did not address its mind to the questions of what steps it should take to ensure the information was promptly located in the CIP.
165. Stepping back from the particular circumstances of this case, there is a tension between providing large amounts of information on the one hand with the aim of improving transparency and accessibility of information and on the other the resultant information overload. To an extent that is met by layering which is the staggering of provision of information to the customer, which is more easily adapted to a website scenario. That is because an individual accessing it can see headlines and click on them for more information. Whether, and to what extent, a particular piece of information is surprising or for that matter important or unusual will be a matter of judgment. It is self-evident that not all users will take the same view, nor will their knowledge as to how data is processed in general be the same. Put bluntly, what surprises one person may not surprise another but what is in issue is an individual’s reasonable expectations.
166. We accept the evidence that Experian’s website receives some 7 million visits per month but equally that only 130,000 unique IP addresses have visited the CIP since April 2018. There is no evidence regarding the number of visitors to the CIP who have gone beyond the first layer. This is borne out to an extent by the research data which shows that actually most people do not care about what happens to their data.
167. With regard to the opt out option we do not consider that people are improperly pushed towards not opting out totally.
168. We note the evidence that a report from the Competition & Markets Authority suggests that on average individuals spend 73 seconds reading a privacy policy. In that context, it is more likely than not that most people will not assimilate the substance of the entire policy in that time. That is of course a matter of individual choice.
169. Common sense would tend to suggest that it is only those who are actually interested in what happens to their data who would read beyond the first part of a privacy notice and, if they were concerned to read further, we consider that there is a sufficiently easy to follow trail through hyperlinks to the CIP from the privacy notices which enables people who are concerned about their privacy to follow that route to learn more. If people are not concerned about their privacy or what happens to their data, and they must be assumed to know those people are going to process it, then to a significant extent that is their choice. It may not be the choice of others or particularly data professionals but you cannot force people into reading privacy policies and the data controller is still obligated to provide a privacy notice. The processing must still be fair, lawful and transparent. Compliance with Data Protection law is the core focus and function of the Information Commissioner and therefore the Tribunal on appeal.
170. There are, we consider, difficulties with the basis upon which data obtained by third-party suppliers was previously processed by Experian. We do, however, note the evidence that the model used is now that data is processed on the basis of legitimate interests and not on the basis of consent. That issue would thus appear now to be academic.”
The First-tier Tribunal’s conclusions
The following passage contained many of the FTT’s central conclusions (we have omitted the FTT’s citation of the text of Article 14(5) in paragraph [175]):
“172. We turn next to whether, in the light of these findings, Experian has failed to comply with the GDPR as the Information Commissioner claims.
173. The Enforcement Notice required Experian to provide all data subjects with an article 14 GDPR compliant privacy notice and to cease processing the personal data of any data subject to whom an article 14 compliant notice has not been sent.
174. Experian, in ground 4 of its appeal, says that the requirements of the Enforcement Notice are disproportionate and unfair. The Information Commissioner says that the requirement of transparency is a high-level obligation.
175. The Tribunal finds that transparency is central to the GDPR. The relevant transparency requirement here is the requirement to provide an article 14 notice. The GDPR is clear about the limited circumstances in which the requirement to give an article 14 notice may be avoided. …
176. The Tribunal was presented with some difficulty in assessing the historic position in terms of what the CIP actually said at the time the Enforcement Notice was issued by the Information Commissioner because Experian had made changes during negotiations with the Information Commissioner in the course of the investigation. We note that the position is that both articles 13 and 14 lay down a timescale for the provision of privacy notices. Neither party assisted us on the issue of the relevant version for us to consider.
177. We do not consider that the Information Commissioner has provided us with evidence that would allow us to conclude that the CIP was defective at the time of the enforcement notice. We note also the relevance of the current position to the steps which the Tribunal may now order. We find that the processing, so far as it relates to CRA derived data, is now sufficiently transparent in the context of the privacy notices which are served on those data subjects who provide CRA data to lenders. The hyperlinks and websites are simple to follow, and we find, having considered the CIP in detail, that in its current form, as provided to us, it is adequately clear. We do accept that the scale of the processing undertaken is very large, and that is something which would be surprising to data subjects as indeed would be the uses to which that data is put when considering the purposes for which it was collected. But, having considered the CIP, we consider that the relevant information is sufficiently prominently displayed and accessible to data subjects who want to understand how their data will be processed.”
The FTT then addressed the sub-group of data subjects who had not been provided with either a copy of or a link to Experian’s privacy notice as their data had been taken from public sources, primarily the OER. The parties referred to this sub-group as “the residual cohort” (and the remainder of the data subjects as “the main cohort”). The FTT found that there had been a breach of Article 14 in respect of this cohort, reasoning as follows:
“178. Experian has accepted that around 5.3 million data subjects, out of the circa 51 million data subjects whose information is processed by Experian, have not received a privacy notice but contends that Experian can rely on paragraph 5 of article 14 on the basis that the provision of such information would involve a disproportionate effort. The GDPR is clearly written so that the article 14 privacy notice requirement cannot be easily avoided and so that ‘disproportionate effort’ is to be construed narrowly. Whilst we note that we are not bound by it, we have had regard to the Article 29 Working Party guidance on Transparency as adopted by the European Data Protection Board. In the context of the GDPR, the fact that notifying the 5.3 million data subjects would involve a considerable business expense does not mean that it would be a disproportionate effort for the purposes of article 14 GDPR. That is a business expense which should have been incurred over time as a matter of routine compliance. If the costs of compliance were higher than Experian considered acceptable, then Experian was free to take a business decision not to undertake the processing. We find that Experian should have provided the residual cohort with an article 14 privacy notice and did not do so. It was therefore non-compliant in that respect.
179. On that basis, we find that there has been a contravention of the GDPR in respect of that cohort in that the processing has not been transparent, fair or lawful.”
The FTT then referred to the now academic consent issue:
“180. We find also that there has, in the past, been a contravention of the GDPR with respect to the data obtained from third-party suppliers where that material was obtained on a consent basis, and we do not accept that legitimate interests is a proper means by which that data could have been used by Experian for the purpose it was processed. But we accept that this no longer occurs.”
After this the FTT gave a composite indication that:
“181. We do not find that there has been any other material contravention.”
In concluding, the FTT turned to consider the terms of any EN to be substituted and what steps it should order, bearing in mind the need for any steps to be proportionate:
“183. In so doing, we must stand in the shoes of the Information Commissioner and ask whether the Information Commissioner should have exercised her discretion differently. A broader concept of proportionality comes into the exercise of discretion by the Information Commissioner which involves a consideration of what could be achieved by imposing a requirement that Experian should rectify its non-compliance by providing a privacy notice to the residual cohort. The answer to that question is that it would be informing the data subjects about the use of their personal data as they were entitled to be informed previously and that this could enable them to object if they so wished. It would also prevent Experian from benefitting from non-compliance by having saved business costs by not providing an article 14 notice. It would also potentially dissuade other Data Controllers from non-compliance, but the main object of the enforcement notice would be to make sure that Experian would comply with the GDPR in the future.
184. We find that the Information Commissioner should have exercised her discretion differently in that she should have balanced the objectives in issuing the enforcement notice against (a) the fact that the uses to which the personal data were put did not result in adverse outcomes for the data subjects, (b) the economic impact that the expense would have on Experian when incurred at once rather than over months or years, and (c) the likely reaction of the data subjects to receiving an ‘out of the blue’ notification, which reaction we find was likely to be either disinterest resulting, for example, in the data subject just putting it in the bin or possibly some confusion or even distress. We are satisfied that the Information Commissioner got the balance wrong in terms of proportionality in exercising her discretion because the Information Commissioner had fundamentally misunderstood the actual outcomes of Experian’s processing. We note in particular that section 150(2) provides ‘In deciding whether to give an enforcement notice in reliance on section 149(2), the Information Commissioner must consider whether the failure has caused or is likely to cause any person damage or distress’.
185. The Tribunal must also consider what steps it will order now, and we find that to order notification of the residual cohort now would be disproportionate. However, the Tribunal would stress that it has made a finding that Experian did not comply with the requirements of article 14 and it fully expects that Experian will rectify this non-compliance in respect of its future personal data collections. The Tribunal recognises the considerable expense and practical difficulties which Experian would face in attempting to identify the residual cohort and issue them with an article 14 notice.
186. The Tribunal is cognisant of the fact that some of the personal data has been used to build models from which Experian may continue to derive a commercial benefit. Any processing of personal data collected in circumstances where an article 14 privacy notice should have been given and has not been given will continue to be non-compliant and Experian should consider what it can do to discontinue this processing. This applies even where the personal data has ceased to be personal data because its inclusion in the models is anonymised. It is clear that taking personal data and anonymising it is a form of processing of personal data and that processing must be compliant. However, the Tribunal cannot order steps which are unclear or incapable of implementation.
187. The Tribunal is also satisfied that it is unlikely that any person has suffered damage or distress as a result of Experian’s failure to provide an article 14 notice.”
The Substituted Enforcement Notice
The FTT’s SEN was accordingly in the following terms:
“SUBSTITUTE DECISION NOTICE
1. By the date that is three months after the date of this decision (the “Relevant Date”), Experian must set up a system that enables it to provide all data subjects whose personal data is obtained by Experian from one or more of the Open Electoral Register, the Registry Trust Limited or Companies House (those data subjects being the “Relevant Data Subjects”, and those sources together being the “Open Sources”) with a privacy notice (a “Relevant Notice”).
2. The Relevant Notice must: (i) inform the Relevant Data Subject that their personal data has been obtained by Experian and is being processed by it for direct marketing purposes, and (ii) otherwise comply with Article 14 of the UK GDPR. For the avoidance of doubt:
(a) A Relevant Notice may be provided to the Relevant Data Subject by Experian either (i) through any form of direct communication by Experian with the Relevant Data Subject (e.g. through the post or, if Experian has the relevant contact details for the Relevant Data Subject, via email or text message) or (ii) through the medium of the notifications given to Relevant Data Subjects by the Open Sources.
(b) No Relevant Notice is required to be sent where: (i) Experian has obtained personal data about the Relevant Data Subject from its CRA business, its consumer services business or from third party commercial suppliers, or (ii) Experian’s processing of the personal data of the data subject is confined to the retention or sale of the Open Electoral Register, or (iii) Experian’s processing of the personal data of the data subject relates solely to the obtaining and use of directory enquiry databases such as BT OSIS or suppression databases like the TPS, or (iv) Experian ceases to process personal data about the data subject for direct marketing purposes at any time prior to the point at which, pursuant to this Substitute Enforcement Notice, a Relevant Notice would otherwise be required to be sent to the data subject.
3. Subject to paragraph 2 above, the Relevant Notices must be sent to the Relevant Data Subjects as follows:
(a) Within twelve months of the Relevant Date, Experian must provide a Relevant Notice to all data subjects whom it identified as being Relevant Data Subjects as at the Relevant Date.
(b) In circumstances where Experian obtains personal data from the Open Sources in respect of data subjects who: (i) were not identified by Experian as having been Relevant Data Subjects as at the Relevant Date, but (ii) are identified by Experian as being new Relevant Data Subjects, Experian must provide those individuals with a Relevant Notice.
4. Nothing in this Enforcement Notice requires Experian to provide more than one Relevant Notice to a Relevant Data Subject.
5. No financial penalty is imposed.” (Emphasis in the original text.)
In his order granting the Information Commissioner permission to appeal, Upper Tribunal Judge Wikeley suspended the effect of the SEN pending the determination of this appeal.
The Information Commissioner’s grounds of appeal to the Upper Tribunal
The Information Commissioner advances five grounds of appeal before the Upper Tribunal.
Ground 1 is an overarching transparency ground, alleging that the FTT failed to address what the principle of transparency, enshrined especially in Article 5(1)(a) GDPR, required as a matter of law, and furthermore failed adequately to apply a legally accurate interpretation of that principle to the issues of fact, law and assessment which arose, including failing to take into account the adverse impact on transparency from the way in which Experian processed data. The Commissioner submitted that these overarching errors were manifested in four specific errors, namely: (i) the FTT’s failure to take into account the absolute Article 21(2) GDPR right to object to direct marketing processing; (ii) the apparent assessment that Experian’s transparency obligation could be secured through the use of a series of hyperlinks, an assessment that was unlawfully inconsistent with the legal principle of transparency; (iii) the FTT’s apparent conclusion that individuals do not care about how their personal data is processed by Experian; and (iv) concluding that data subjects would not find Experian’s processing surprising, notwithstanding a finding elsewhere in the FTT’s reasoning that the processing was indeed surprising.
Ground 2 concerns the data subject’s journey to the CIP. Again, both overarching and specific errors are relied upon. As to the former, it is argued that the FTT failed to distinguish and analyse the separate legal issues arising from each of Articles 14(1), (5)(a) and (5)(b) GDPR. This is said to have led to the following specific errors: (i) the FTT failed to make a finding in respect of the Article 14(1) duty; (ii) in consequence, the FTT did not have regard to the significance of Experian’s non-compliance with Article 14(1); (iii) in relation to its apparent application of Article 14(5)(a), the FTT erred in holding that the provision of hyperlinks to privacy information was sufficient to constitute the data subject ‘having’ that information already; (iv) the FTT wholly failed to address the Article 14 position of data subjects whose personal data had been supplied to Experian by third party data suppliers; and (v) had the FTT properly rejected the application of Article 14(5)(a), it would have been bound – consistent with its findings relating to the residual cohort – to refuse to apply Article 14(5)(b) and to find a general breach of Article 14 on the part of Experian.
Ground 3 deals with the content of the CIP. It is said that the FTT erred in law by failing to address the pleaded issue of the compliance of the CIP with Article 5(1)(a) GDPR, or making any findings on the criticisms made in the EN of the CIP’s approach to layering of important privacy information and so its accessibility.
Ground 4 is that the FTT’s approach to the terms of the SEN in respect of the breach of Article 14 that it did find was flawed, because of the errors of law identified in Grounds 1 and/or 2. It was accepted that Ground 4 stood or fell with Grounds 1 and 2.
Ground 5 is that the FTT failed to address the pleaded issue as to the requirement laid on Experian to re-conduct its LIAs, notwithstanding the findings it had made against Experian’s case.
Whilst Mr Pitt-Payne criticised the adequacy of the FTT’s reasoning in developing the grounds of appeal, he submitted that his reasons challenge was secondary to the errors that he foregrounded.
Mr Pitt-Payne confirmed to us during the appeal hearing that he did not challenge any of the following findings made by the FTT: (i) the negative assessment of Mr Hulme’s evidence ([128],[136], [142], [155] and [158] of their decision in particular); (ii) that using modelled data points was less intrusive than processing actual data [145]; (iii) the benefits that resulted from the uses of the data and the conclusion that the worst outcome of Experian’s processing was that an individual was likely to get a marketing leaflet which might align to their interests rather than be irrelevant ([152] and [154]-[160]); (iv) as to the controls that were operated by Experian ([157]); and (v) that it was unlikely that any person suffered damage or distress ([187]). The appeal therefore proceeds on the basis of those findings.
Mr Pitt-Payne did not advance the time that it had taken the FTT to provide their decision as a free-standing ground of appeal, but he submitted that this was relevant to our evaluation of the FTT’s reasoning and it meant that we should approach their reasoning with particular care.
Finally, we record that there was no cross-appeal by Experian in relation to the FTT’s decision insofar as it related to the residual cohort.
The legal framework
This section sets out the legal framework for the issues in this appeal. In so far as the grounds of appeal raise contentious issues of legal interpretation – for example, as to the meaning of ‘has’ in Article 14(5)(a) GDPR – these are addressed when we come to determine the relevant ground of appeal.
The Upper Tribunal’s “error of law” jurisdiction
The first task of the Upper Tribunal in an appeal such as this is to decide whether the FTT’s decision involved the making of an error on a point of law. The Court of Appeal’s brief summary of the most commonly encountered such legal errors, in R (Iran) v SSHD [2005] EWCA Civ 982, is well known. Also of assistance is the Supreme Court’s recent summary of the correct approach to challenges on appeal to first-instance evaluative judgements in Lifestyle Equities CV v Amazon UK Services Ltd [2024] UKSC 8, handed down after the hearing of this appeal, but not, we think, making any material change to the law in this area:
“The Correct Approach on Appeal
46. This is another important matter, and it is appropriate to summarise the correct approach at this stage. A finding that an activity is or is not targeted at consumers in the UK necessarily involves an evaluation by the judge of a range of different facts and matters. It requires, in other words, a multifactorial assessment of the documents, the evidence and the submissions made by the parties. The evaluation is also one which, when made in that way, the trial judge is peculiarly well placed to carry out.
47. Conversely, an appeal court is inevitably at a disadvantage, as Lord Hoffmann explained in Biogen Inc v Medeva plc [1997] RPC 1 at 4, and so, where the application of a legal standard such as negligence or obviousness involves no question of principle, but is simply a matter of degree, an appellate court should be very cautious in differing from the judge’s evaluation.
48. We consider that the position was well summarised by Lewison LJ in Fage UK Ltd v Chobani UK Ltd [2014] EWCA Civ 5; [2014] FSR 29; [2014] ETMR 26 in these terms at para 114:
“Appellate courts have been repeatedly warned, by recent cases at the highest level, not to interfere with findings of fact by trial judges, unless compelled to do so. This applies not only to findings of primary fact, but also to the evaluation of those facts and to inferences to be drawn from them. The best known of these cases are: Biogen Inc v Medeva plc [1977] R.P.C. 1; Piglowska v Piglowski [1999] 1 W.L.R. 1360; Datec Electronics Holdings Ltd v United Parcels Service Ltd [2007] UKHL 23; [2007] 1 W.L.R. 1325; In re B (A Child) (Care Proceedings: Threshold Criteria) [2013] UKSC 33; [2013] 1 W.L.R. 1911 and, most recently and comprehensively, McGraddie v McGraddie [2013] UKSC 58; [2013] 1 WLR 2477. These are all decisions either of the House of Lords or of the Supreme Court. The reasons for this approach are many. They include:
i) The expertise of a trial judge is in determining what facts are relevant to the legal issues to be decided, and what those facts are if they are disputed.
ii) The trial is not a dress rehearsal. It is the first and last night of the show.
iii) Duplication of the trial judge’s role on appeal is a disproportionate use of the limited resources of an appellate court, and will seldom lead to a different outcome in an individual case.
iv) In making his decisions the trial judge will have regard to the whole of the sea of evidence presented to him, whereas an appellate court will only be island hopping.
v) The atmosphere of the courtroom cannot, in any event, be recreated by reference to documents (including transcripts of evidence).
vi) Thus even if it were possible to duplicate the role of the trial judge, it cannot in practice be done.”
49. That does not, however, mean the appeal court is powerless to intervene where the judge has fallen into error in arriving at an evaluative decision such as whether an activity was or was not targeted at a particular territory. It may be possible to establish that the judge was plainly wrong or that there has been a significant error of principle; but the circumstances in which an effective challenge may be mounted to an evaluative decision are not limited to such cases. Many of the important authorities in this area were reviewed by the Court of Appeal in In re Sprintroom Ltd [2019] EWCA Civ 932; [2019] BCC 1031, at paras 72–76. There, in a judgment to which all members of the court (McCombe LJ, Leggatt LJ and Rose LJ) contributed, the court concluded, at para 76, in terms with which we agree, that on a challenge to an evaluative decision of a first instance judge, the appeal court does not carry out the balancing exercise afresh but must ask whether the decision of the judge was wrong by reason of an identifiable flaw in the judge’s treatment of the question to be decided, such as a gap in logic, a lack of consistency, or a failure to take into account some material factor, which undermines the cogency of the conclusion.
50. On the other hand, it is equally clear that, for the decision to be “wrong” under CPR 52.21(3), it is not enough to show, without more, that the appellate court might have arrived at a different evaluation.”
“Perversity” challenges (i.e. ones based on a finding of fact by the first-instance tribunal being perverse or one which no reasonable tribunal could have reached on the evidence before it) must also bear in mind the expertise of the first-instance tribunal: as was said by Lloyd Jones LJ (as he then was) in Department for Work and Pensions v Information Commissioner & Zola [2016] EWCA Civ 758 at [34]:
“The approach to be followed in perversity challenges to decisions of specialist Tribunals … is simply a reflection of the respect which is naturally paid to the decisions of a specialist Tribunal in an area where it possesses a particular expertise. Given such expertise in a Tribunal, it is entirely understandable that a reviewing court or Tribunal will be slow to interfere with its findings and evaluation of facts in areas where that expertise has a bearing. This may be regarded not so much as requiring that a different, enhanced standard must be met as an acknowledgement of the reality that an expert Tribunal can normally be expected to apply its expertise in the course of its analysis of facts ….”
Where, having completed its “first task” as just described, the Upper Tribunal finds that the making of a decision by the FTT did involve the making of an error on a point of law, the Upper Tribunal may (but need not) set aside the FTT decision and, if it does, must either (i) remit the case to the FTT with directions for its reconsideration, or (ii) re-make the decision.
Adequacy of reasons
There are many appellate authorities on the adequacy of reasons in a judicial decision. In this chamber of the Upper Tribunal, the principles were summarised in, for example, Oxford Phoenix Innovation Ltd v Information Commissioner & Medicines and Healthcare Regulatory Agency [2018] UKUT 192 (AAC) at [50-54]. At its most succinct, the duty to give reasons was encapsulated at [22] in Re F (Children) [2016] EWCA Civ 546 (one of the authorities cited there), as follows:
“Essentially, the judicial task is twofold: to enable the parties to understand why they have won or lost; and to provide sufficient detail and analysis to enable an appellate court to decide whether or not the judgment is sustainable.”
As is well-known, the authorities counsel judicial “restraint” when the reasons that a tribunal gives for its decision are being examined. In R (Jones) v FTT (Social Entitlement Chamber) [2013] UKSC 19 at [25] Lord Hope observed that the appellate court should not assume too readily that the tribunal below misdirected itself just because it had not fully set out every step in its reasoning. Similarly, “the concern of the court ought to be substance not semantics”: per Sir James Munby P in Re F (Children) at [23]. Lord Hope said this of an industrial tribunal’s reasoning in Shamoon v Chief Constable of the Royal Ulster Constabulary [2003] UKHL 11 at [59]:
“ … It has also been recognised that a generous interpretation ought to be given to a tribunal’s reasoning. It is to be expected, of course, that the decision will set out the facts. That is the raw material on which any review of its decision must be based. But the quality which is to be expected of its reasoning is not that to be expected of a High Court judge. Its reasoning ought to be explained, but the circumstances in which a tribunal works should be respected. The reasoning ought not to be subjected to an unduly critical analysis.”
The reasons of the tribunal below must be considered as a whole. Furthermore, the appellate court should not limit itself to what is explicitly shown on the face of the decision; it should also have regard to that which is implicit in the decision. R v Immigration Appeal Tribunal, ex parte Khan [1983] QB 790 (per Lord Lane CJ at page 794) was cited by Floyd LJ in UT (Sri Lanka) v SSHD [2019] EWCA Civ 1095 at [27] as explaining that the issues which a tribunal decides and the basis on which the tribunal reaches its decision may be set out directly or by inference.
The following was said in English v Emery Reimbold & Strick Ltd [2002] 1 WLR 2409 (a classic authority on the adequacy of reasons), on the question of the context in which apparently inadequate reasons of a trial judge are to be read:
“26. Where permission is granted to appeal on the grounds that the judgment does not contain adequate reasons, the appellate court should first review the judgment, in the context of the material evidence and submissions at the trial, in order to determine whether, when all of these are considered, it is apparent why the judge reached the decision that he did. If satisfied that the reason is apparent and that it is a valid basis for the judgment, the appeal will be dismissed. … If despite this exercise the reason for the decision is not apparent, then the appeal court will have to decide whether itself to proceed to a rehearing or to direct a new trial.
….
118. ... There are two lessons to be drawn from these appeals. The first is that, while it is perfectly acceptable for reasons to be set out briefly in a judgment, it is the duty of the judge to produce a judgment that gives a clear explanation for his or her order. The second is that an unsuccessful party should not seek to upset a judgment on the ground of inadequacy of reasons unless, despite the advantage of considering the judgment with knowledge of the evidence given and submissions made at the trial, that party is unable to understand why it is that the judge has reached an adverse decision.”
Enforcement notices and appeals against them
Under s149(1) DPA 2018, where the Information Commissioner is satisfied that a person “has failed, or is failing” in one of the ways set out in sub-section (2), the Information Commissioner may give the person a written notice (the EN) which requires the person –
(a) to take steps specified in the notice, or
(b) to refrain from taking steps specified in the notice, or both.
The types of “failure” set out in s149(2) include where a controller or processor has failed, or is failing to comply with a provision of Part II or Articles 12 to 22 of UK GDPR.
An EN must state what the person has failed or is failing to do and give the Information Commissioner’s reasons for reaching that opinion: s150(1). Under s150(2), in deciding whether to give an EN in reliance on s149(2), the Information Commissioner must consider whether the failure has caused or is likely to cause any person damage or distress. An EN given in reliance on subsection (2) may only impose requirements which the Commissioner considers appropriate for remedying the failure: s149(6).
Section 163 confers a right of appeal to the FTT on a person who is given an EN. The FTT may review any determination of fact on which the EN was based. If the FTT considers –
(a) that the EN is not in accordance with the law, or
(b) to the extent that the EN involved an exercise of discretion by the Information Commissioner, that the Information Commissioner ought to have exercised the discretion differently,
the FTT must allow the appeal or substitute another enforcement notice which the Information Commissioner could have given. Otherwise, the FTT must dismiss the appeal.
The GDPR
As the FTT decision noted in their “chronology”, the GDPR came into force on 25 May 2018. The GDPR remained the data protection regime in the UK until 31 December 2020 (the end of the transitional period that followed the UK leaving the EU); from that point onwards, a modified data protection regime, “UK GDPR”, came into effect. It appeared to be common ground in this appeal that nothing turns on any differences between the GDPR and UK GDPR (in general, the differences between the two are modest); reference in what follows will be to the GDPR, as the regime in force when the EN was issued.
In the words of Article 1, the GDPR “lays down rules relating to the protection of persons with regard to the processing of personal data” (as well as rules relating to the free movement of such data); it also “protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data”.
Personal data is defined in Article 4 to mean “any information relating to an identified or identifiable natural person (‘data subject’)”; and “processing” is defined as “any operation or set of operations which is performed on personal data or on sets of personal data …” (the definition then gives a number of examples).
Chapter II of the GDPR is headed “Principles”, and within this is Article 5, headed “Principles relating to processing of personal data”. Article 5(1)(a) provides that personal data shall be processed “lawfully, fairly and in a transparent manner in relation to the data subject”. Article 5(1)(b) to (f), in high-level summary (in order to give context to Article 5(1)(a)), provide that personal data shall be:
collected for specified, legitimate purposes
adequate, relevant and limited to what is necessary
accurate
kept in a form which permits identification of data subjects for no longer than necessary
processed in a manner that ensures security of the personal data.
Article 5(2) provides that the controller shall be responsible for, and able to demonstrate compliance with, Article 5(1).
Article 6 (also within Chapter II) is headed “Lawfulness of processing”. Article 6(1) provides that processing shall be lawful only if and to the extent that one of (a) to (f), which follow, applies. Article 6(1)(f) provides that processing is lawful if and to the extent it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (in particular where the data subject is a child).
Chapter III of the GDPR is headed “Rights of the data subject”. Within this is Section 1 (headed “Transparency and modalities”), and Article 12, headed “Transparent information, communication and modalities for the exercise of the rights of the data subject.” Article 12(1) provides that the controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject “in a concise, transparent, intelligible and easily accessible form, using clear and plain language …”. Article 12(2) states that the controller shall “facilitate the exercise of data subject rights” under Articles 15 to 22.
Articles 13 and 14, also within Chapter III, are complementary, as can be seen from their headings: “Information to be provided where personal data are collected from the data subject” (Article 13), as against “Information to be provided where personal data have not been obtained from the data subject” (Article 14). Before the FTT and on this appeal the parties were agreed that Article 14, rather than Article 13, was the applicable provision, as Experian did not itself collect the personal data from the data subjects, but obtained them via the three strands described by the FTT at [4] of their decision.
The text of Article 14 (as material) is as follows:
“1. Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:
(a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;
(b) the contact details of the data protection officer, where applicable;
(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
(d) the categories of personal data concerned;
(e) the recipients or categories of recipients of the personal data, if any;
(f) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation ...
2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:
(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
(b) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
(c) the existence of the right to request from the controller access to rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability;
(d) where processing is based on point (a) of Article 6(1) ...
(e) the right to lodge a complaint with a supervisory authority;
(f) from which source the personal data originate, and if applicable, whether it came from publicly accessible sources;
(g) the existence of automated decision making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
3. The controller shall provide the information referred to in paragraphs 1 and 2:
(a) within a reasonable period after obtaining the personal data ...
...
4. ...
5. Paragraphs 1 to 4 shall not apply where and insofar as:
(a) the data subject already has the information;
(b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the condition and safeguards referred to in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available;
(c) ...
(d) ...”
Article 13(1) and (2) require the provision of comparable information to the data subject, albeit the timescale for provision of the information is more rigorous. Both Articles disapply the obligation to provide the data subject with information “where and insofar as” the data subject “already has the information” (Article 13(4) and Article 14(5)(a)). We address the correct interpretation of Article 14(5)(a) when we consider Ground 2. Articles 14(1) and 14(2) are also disapplied where and insofar as the provision of such information proves impossible or would involve a disproportionate effort (Article 14(5)(b)) and in the circumstances identified in Articles 14(5)(c) and 14(5)(d). Experian relies upon Article 14(5)(b), if Article 14(5)(a) does not apply. Article 13(4) provides the only basis for disapplying the Article 13 duties.
Articles 15-18 and 20-22, all within Chapter III, give data subjects specific rights.
One of these provisions, Article 21, is headed “Right to object”. Article 21(2) provides that where personal data are processed for direct marketing purposes, “the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing”. Article 21(3) provides that where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes. (This is in contrast to the right to object in Article 21(1), relating to processing of personal data based on point (e) or (f) of Article 6(1) where, in certain circumstances, the controller does not have to stop processing the personal data after the data subject objects).
Recitals to the GDPR
As the FTT stated at [118] of their decision, recitals to a directive are an aid to interpretation; but, as was said in R(M) v Chief Constable of Sussex Police [2021] EWCA Civ 42 at [87], “they cannot be treated as if they were operative provisions giving rise to substantive obligations, or be used to create such obligations in the guise of interpretation”. We will set out the recitals which were particularly relied upon by the Information Commissioner as bearing on the obligations of transparency.
Recital (39) states:
“Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data ...”.
Recital (58) states:
“The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. Such information could be provided in electronic form, for example, when addressed to the public, through a website. This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising …”.
Recital (60) states:
“The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling …”.
Recital (62) includes this:
“However, it is not necessary to impose the obligation to provide information where the data subject already possesses the information ….”
Recital (70) states:
“Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.”
Proportionality
Proportionality is an overarching principle of EU law; as this is well-known, we were not taken to any particular authorities by the parties, but in essence the principle is that measures adopted by EU institutions must not exceed what is appropriate and necessary for attaining the objective pursued.
Recital (4) to the GDPR states that the right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.
The European Data Protection Board: decisions and guidelines
Section 3 of Chapter VII of the GDPR creates a European Data Protection Board (“EDPB”). Article 70 tasks the EDPB with ensuring consistent application of the GDPR, including by issuing guidelines. The GDPR’s references to EDPB have been removed in UK GDPR.
The EDPB’s “Binding Decision 1/2021 on the dispute arising on the draft decision of the Irish Supervisory Authority regarding WhatsApp Ireland under Article 65(1)(a) GDPR” (2 September 2021) considered the inter-relationship between the obligations in Article 5(1)(a) and Articles 12-14 GDPR. The decision is persuasive rather than binding upon us. The EDPB’s analysis included the following:
“190. Thus, it is apparent that, under the GDPR, transparency is envisaged as an overarching concept that governs several provisions and specific obligations...
191. ... it is important to differentiate between obligations stemming from the principle of transparency and the principle itself. The text of the GDPR makes this distinction, by enshrining transparency as one of the core principles under Article 5(1)(a) GDPR on the one hand, and assigning specific and concrete obligations linked to this principle, on the other one...
192. On the basis of the above considerations, the EDPB underlines that the principle of transparency is not circumscribed by the obligations under Articles 12-14 GDPR, although the latter are a concretisation of the former. Indeed, the principle of transparency is an overarching principle that not only reinforces other principles (i.e. fairness, accountability) but from which many other provisions of the GDPR derive...
193. That being said, the EDPB is of the view that an infringement of the transparency obligations under Articles 12-14 GDPR can, depending on the circumstances of the case, amount to an infringement of the transparency principle.”
In Rondon v Lexisnexis Risk Solutions UK Ltd [2021] EWHC 1427 (QB), Collins Rice J stated at [87] that guidelines produced by EDPB “have weight which goes beyond expert commentary on the primary text. They do not constitute law but are an important indicator of whether or not ambiguity genuinely exists and, if it does, the best approach to understanding it. They have to be given commensurate weight”.
The “Article 29 Working Party”, an independent European advisory body equivalent to the EDPB for present purposes, was set up under Article 29 of Directive 95/46/EC (a predecessor of GDPR). Its guidelines on transparency under the GDPR, revised and adopted on 11 April 2018, were to provide “practical guidance and interpretive assistance” on the “new” obligation of transparency concerning the processing of personal data under the GDPR. In this appeal, the Information Commissioner drew attention to the following paragraphs of those guidelines:
“4. Transparency, when adhered to by data controllers, empowers data subjects to hold data controllers and processors accountable and to exercise control over their personal data by, for example, providing or withdrawing informed consent and actioning their data subject rights. The concept of transparency in the GDPR is user-centric rather than legalistic and is realised by way of specific practical requirements on data controllers and processors in a number of articles. The practical (information) requirements are outlined in Articles 12-14 of the GDPR. However, the quality, accessibility and comprehensibility of the information is as important as the actual content of the transparency information, which must be provided to data subjects.
…
10. A central consideration of the principle of transparency outlined in these provisions is that the data subject should be able to determine in advance what the scope and consequences of the processing entails and that they should not be taken by surprise at a later point about the ways in which their personal data has been used. This is also an important aspect of the principle of fairness under Article 5(1) of the GDPR and indeed is linked to Recital 39 which states that “[n]atural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data...” In particular, for complex, technical or unexpected data processing, WP29’s position is that, as well as providing the prescribed information under Articles 13 and 14 (dealt with later in these guidelines), controllers should also separately spell out in unambiguous language what the most important consequences of the processing will be: in other words, what kind of effect will the specific processing described in a privacy statement/ notice actually have on a data subject? In accordance with the principle of accountability and in line with Recital 39, data controllers should assess whether there are particular risks for natural persons involved in this type of processing which should be brought to the attention of data subjects. This can help to provide an overview of the types of processing that could have the highest impact on the fundamental rights and freedoms of data subjects in relation to the protection of their personal data.
11. The “easily accessible” element means that the data subject should not have to seek out the information; it should be immediately apparent to them where and how this information can be accessed, for example by providing it directly to them, by linking them to it, by clearly signposting it or as an answer to a natural language question (for example in an online layered privacy statement/ notice, in FAQs, by way of contextual pop-ups which activate when a data subject fills in an online form, or in an interactive digital context through a chatbot interface, etc. These mechanisms are further considered below, including at paragraphs 33 to 40).
…
Layered approach in a digital environment and layered privacy statements/ notices
35. In the digital context, in light of the volume of information which is required to be provided to the data subject, a layered approach may be followed by data controllers where they opt to use a combination of methods to ensure transparency. WP29 recommends in particular that layered privacy statements/ notices should be used to link to the various categories of information which must be provided to the data subject, rather than displaying all such information in a single notice on the screen, in order to avoid information fatigue. Layered privacy statements/ notices can help resolve the tension between completeness and understanding, notably by allowing users to navigate directly to the section of the statement/ notice that they wish to read. It should be noted that layered privacy statements/ notices are not merely nested pages that require several clicks to get to the relevant information. The design and layout of the first layer of the privacy statement/ notice should be such that the data subject has a clear overview of the information available to them on the processing of their personal data and where/ how they can find that detailed information within the layers of the privacy statement/ notice. It is also important that the information contained within the different layers of a layered notice is consistent and that the layers do not provide conflicting information.
36. As regards the content of the first modality used by a controller to inform data subjects in a layered approach (in other words the primary way in which the controller first engages with a data subject), or the content of the first layer of a layered privacy statement/notice, WP29 recommends that the first layer/modality should include the details of the purposes of processing, the identity of controller and a description of the data subject’s rights. (Furthermore this information should be directly brought to the attention of a data subject at the time of collection of the personal data e.g. displayed as a data subject fills in an online form.) The importance of providing this information upfront arises in particular from Recital 39. While controllers must be able to demonstrate accountability as to what further information they decide to prioritise, WP29’s position is that, in line with the fairness principle, in addition to the information detailed above in this paragraph, the first layer/modality should also contain information on the processing which has the most impact on the data subject and processing which could surprise them. Therefore, the data subject should be able to understand from information contained in the first layer/modality what the consequences of the processing in question will be for the data subject (see also above at paragraph 10).” (Emphasis in original text.)
Summary of relevant aspects of the transparency principle in the GDPR
In light of the materials we have referred to and drawing the threads together for the purposes of this case, we summarise the “transparency” principle in the GDPR as follows:
a. there is an overarching obligation to process personal data in a transparent manner in relation to the data subject;
b. it is achieved, principally, by providing information to data subjects about how their personal data is being processed;
c. it is a lynchpin of, or gateway to, the GDPR, because, without this information, data subjects cannot enforce the rights afforded them under the GDPR to have their personal data protected;
d. it should result in data subjects being aware of risks, rules, safeguards and rights in relation to the processing of personal data and the specific purposes for which the data is being processed; it is part of the obligation on the controller to facilitate the exercise of data subject rights under the GDPR;
e. the core principle of transparency is contained in Article 5(1)(a) GDPR, whereas Articles 13 and 14 impose specific obligations that are linked to this core principle;
f. GDPR is prescriptive about the kinds of information that data subjects are to be provided with, as a basic minimum (this is Articles 13 and 14);
g. the accessibility and comprehensibility of the information is as important as its content. Article 12 GDPR prescribes that the Article 13/14 information (and the other information referred to in Article 12) must be provided to data subjects:
    i. in a concise, transparent, intelligible and easily accessible form, and
    ii. in clear, plain language;
h. depending upon the particular circumstances, the general transparency obligation imposed by Article 5(1)(a) may require the provision of information that in terms of its content goes beyond the requirements of Articles 13 and 14;
i. the GDPR does not prescribe precisely to what lengths a controller must go to ensure that the outcomes summarised in d. above are achieved; and in particular
    i. within the Article 13/14 framework, the GDPR does not prescribe exactly what, for example, qualifies as an “easily accessible” form of information provision; and
    ii. the GDPR does not prescribe when the controller is expected to go “above and beyond” the Article 13/14 framework;
j. in these areas, where the GDPR is not prescriptive, the answer to what transparency requires will be context specific and underpinned by considerations of proportionality. It will be a matter for evaluative judgement, based on all the relevant facts and circumstances, including:
    i. what kind of personal data are being processed? Some personal data are more “sensitive”, such that data subjects are more in need of “protection” during their processing, than others. This, we believe, is the point made in the FTT’s decision at [121] that “what is or is not transparent will be fact-specific and context related. The level of transparency required, for example, when sharing intimate health details will not be the same as people consenting to the processing of, for example, data about their preferred supermarket”. We agree with this;
    ii. what kind of processing is the personal data being subject to and for what purpose? Similar to the above, some forms of processing are more intrusive and/or more “sensitive”, such that data subjects are more in need of “protection” of their personal data, than others. As we discuss under Ground 1, the extent to which the processing is outside the reasonable expectations of data subjects will be a part of this consideration;
    iii. the consequences of the processing, including the nature and degree of harm (or benefit) to data subjects that may result;
    iv. the degree of connection between the personal data being processed and a particular GDPR right, including an “absolute” right to object to the processing, such as that under Article 21(2)-(3);
    v. the costs for the controller of taking additional steps to ensure the desired outcomes summarised at d. above;
k. the requisite information may be provided in a number of ways, including in an electronic form. However, what is appropriate in any particular situation will depend upon all the relevant circumstances.
The parties were agreed that Article 14(1) and (2) were not satisfied where data subjects received the information set out in Article 14(1) and (2), otherwise than via its direct provision by the controller, for example where part of the information was provided by websites other than Experian’s. Accordingly, we proceed on this basis for the purposes of the appeal, but we express no view on this reading of Article 14(1) and (2), as it was not in contention and we did not hear argument on the point. What was, of course, in contention was whether Article 14(1) and (2) did not apply in this case, because Article 14(5) was satisfied as data subjects already had the information required by Article 14(1) and (2).
The parties’ overarching submissions
Before discussing the grounds of appeal individually, we will provide a short encapsulation of the parties’ overarching submissions i.e. those that seem to us to permeate many, if not all, of the grounds. Counsel’s detailed submissions on the specific grounds will be summarised (insofar as is necessary to explain the reasons for our decision) in our consideration of each of the grounds, below.
In essence, the Information Commissioner argued that the FTT had misapplied the transparency principle in the GDPR, and so had erred in law, materially; whereas Experian argued that the Information Commissioner’s complaints were really with the FTT’s factual findings and evaluative judgements about Experian’s processing, which, on the authorities, could not be disturbed on appeal; and that the FTT had not erred in applying the transparency principle in the GDPR to the facts as it found them.
The “field of battle” as regards the transparency principle in the GDPR was not whether the CIP contained all the information required by Article 14 (it was agreed that by the time of the hearing below it did so, and that the FTT had so found); rather, it was whether that principle was satisfied by
the steps that data subjects needed to take in practice to reach the CIP (the “user journey”); this is the main area of contention in Ground 2; and
the layout of the CIP itself and, as the Information Commissioner put it, the way in which the CIP approaches the more striking and surprising aspects of Experian’s processing; this is the main area of contention in Grounds 1 and 3.
The Information Commissioner argued that the FTT had misapplied the transparency principle by over-focusing on the (benign) consequences to data subjects of Experian’s processing of their personal data; whereas the true focus should have been on the rights and protections afforded to data subjects under the GDPR and the expectations that data subjects would have in this particular context. Transparency in the GDPR, argued the Information Commissioner, is a foundational principle intended to enable data subjects to make their own judgment as to whether or not they consider processing of their personal data is innocuous or objectionable in some manner, and therefore whether they wish to exercise the rights the GDPR provides to them. The Information Commissioner argued that the FTT failed to appreciate or engage with the significance of the overarching Article 5(1)(a) transparency obligation, erred by failing to determine key issues and, in substance, treating Experian’s failures in transparency as being of no account (or to not amount to failures), because of the FTT’s own view as to the innocuous nature of the processing.
Experian, on the other hand, submitted that the FTT’s decision rightly turned on the question of whether Experian’s processing was significantly privacy-intrusive or otherwise likely to be harmful to data subjects in practice. Experian argued that the difficulty for the Information Commissioner in this appeal was that the FTT had not been persuaded of these factual points on the evidence before it. The poor showing of the Information Commissioner’s main witness, Mr Hulme, at the FTT hearing was an essential facet of this.
Experian argued that the effect of processing the personal data affected the strictness of the transparency standard to be applied. The transparency principle is context-dependent and must be applied in a way that is proportionate to the facts of the case. The FTT was required to take the broad, undefined concept of transparency and apply it to the facts of the case before it, doing so in a manner which recognised that the transparency standards set by the GDPR are context-dependent.
Consonant with the Information Commissioner’s position that the FTT had misapplied the transparency principle in the GDPR, the Information Commissioner submitted that the appeal was not, primarily, a “reasons” challenge (i.e. based on inadequacy of reasons in the FTT’s decision), although this was argued in the alternative. On the other hand Experian argued that, at heart, the appeal was a reasons challenge and that the answer to the Information Commissioner’s criticisms of the FTT’s decision was that, on the authorities, any perceived gaps in the FTT’s reasoning could, and indeed must, be filled by inference drawn from the decision as a whole. Experian accepted that the FTT decision was not “the most perfectly articulated set of reasons”; and that there were “infelicities” in the reasoning. However, it submitted that the question for the Upper Tribunal is whether, standing back from the detail, it is nonetheless possible to discern the core thrust of the FTT’s reasoning on the core issues. Experian submitted that it was.
Ground 1
The Information Commissioner’s submissions
Ground 1 of the Information Commissioner’s grounds of appeal is summarised at [50] above. Mr Pitt-Payne submitted that an overarching and pervasive error in the FTT’s approach was their failure to address what Article 5(1)(a) GDPR transparency requires and an allied failure to then apply this to the case before them. He said that the FTT needed to weigh up all the relevant considerations and then identify what transparency required in this context. He emphasised that providing transparency was foundational, as without it a data subject could not make an informed assessment of their rights. Mr Pitt-Payne contended that the FTT’s lack of engagement with Article 5(1)(a) was exemplified by the absence of any explicit reference to this provision (as opposed to Article 14) when the FTT came to set out their conclusions. Mr Pitt-Payne accepted that what transparency required in a particular situation would be informed by the consequences of the processing for the data subjects and confirmed that he did not challenge the FTT’s findings in terms of the absence of harmful consequences, nonetheless he submitted that the FTT had failed to have regard to a further highly relevant aspect, namely the intrinsic nature of Experian’s processing and the extent to which this went beyond data subjects’ reasonable expectations. He submitted that data subjects would not expect to be profiled in the extensive way undertaken by Experian and that in focusing on their finding that the consequences for data subjects were innocuous, the FTT had only had regard to “half the story”.
In terms of the first specific error relied upon, Mr Pitt-Payne submitted that the FTT had ignored the absolute right of a data subject to object to the processing of their personal data for direct marketing purposes conferred by Article 21(2). The existence of this absolute right was an important element in assessing what transparency required in this instance, yet the FTT’s reasoning made no reference to this provision nor to how the information provided to data subjects had addressed this aspect.
As regards the second specific error, Mr Pitt-Payne submitted that a situation where the data subject was required to navigate multiple hyperlinks, provided by different entities, in order to reach Experian’s own transparency information on the CIP was the obverse of transparency and inconsistent with its requirements. He said that the FTT had failed to focus upon the key question: was the user journey good enough in transparency terms?
The third specific error rested on the proposition that the FTT had concluded that the low number of visitors to the CIP reflected the fact that individuals did not care about how their personal data was processed and that, in turn, this was relevant to the question of what the transparency principle required. Mr Pitt-Payne submitted that in this respect the FTT had taken into account a legally irrelevant consideration; transparency requires that data subjects have an informed opportunity to exercise the rights conferred on them by the GDPR, regardless of whether they choose to do so, and any other approach would undermine the fundamental premise of the legislative scheme. Further or alternatively, he contended that the finding that data subjects did not care about how their personal data were processed was unsupported by the evidence and perverse and/or unreasoned.
In terms of the fourth specific error, Mr Pitt-Payne focused on the FTT’s reasoning as to whether data subjects would be surprised by Experian’s processing of their personal data. He said that the reasoning at [142], [165] and [177] of their decision was irrationally inconsistent and that insofar as the FTT found that the data processing was not objectively surprising to data subjects, the finding was wrong in law and/or perverse and/or unreasoned.
Experian’s submissions
Ms Proops contended that the FTT had adequately addressed what the principle of transparency required. Their decision set out the material parts of Articles 5(1), 12 and 14; accurately noted the Information Commissioner’s submission on transparency; and rightly recognised that transparency in the processing of personal data was foundational and that what transparency required was fact-specific and context-related. The FTT then went on to apply that approach to the facts that they had found and it would have been wrong for the FTT to put a gloss on the wording of Article 5(1)(a) by attempting to define what transparency required. Ms Proops pointed out that Mr Pitt-Payne had not been able to identify what it was that the FTT had failed to spell out in terms of the transparency principle. She also submitted that it was apparent from the content of the FTT’s reasoning that it had taken into account Article 5(1)(a), albeit the provision was not referred to in terms when they set out their conclusions. The FTT’s reasoning was compressed, but it showed that they had considered the issue raised by Article 5(1)(a) and had found that the CIP provided the relevant information in an accessible and adequately clear way; and there was no perversity challenge to these findings. Equally, insofar as it was relevant, the FTT had taken into account the data subjects’ reasonable expectations, as the terms of [177] of their decision showed.
Ms Proops characterised the FTT’s finding that the processing was essentially anodyne and their rejection of the Information Commissioner’s case as to its damaging consequences, as leaving the latter’s case “in tatters”. She said that inevitably, and quite properly, this impacted on the way that the FTT approached the issues they had to resolve. Nonetheless, she submitted, the FTT did not simply focus on the lack of harmful impact for the data subjects, as Mr Pitt-Payne suggested; the FTT’s reasoning showed that they had considered the intrinsic nature of the processing, finding that the use of modelled data was less intrusive than if actual data points had been used and making a number of findings about the use that was made of the data and the controls that were operated.
As regards the first alleged specific error, Ms Proops submitted that earlier references to Article 21 opt out rights at [40] and [52] of the FTT’s decision showed that they were aware of this provision and its potential significance. Furthermore, the FTT had considered the CIP as a whole (with the benefit of a detailed presentation of its webpages) and there was a right to opt out button on the first page and on successive pages of the site. Accordingly, the Article 21(2) opt out right must be taken to have been part of the FTT’s contextual assessment that the material was presented in a sufficiently accessible and clear way.
Ms Proops submitted that a concession made by Mr Pitt-Payne during the course of her submissions was fatal to his case on the second alleged error. He had clarified that he did not suggest that a user route consisting of a series of hyperlinks on websites provided by different entities could never satisfy the Article 5(1)(a) transparency principle. Ms Proops submitted that as this was accepted in principle, the question of whether sufficient transparency was achieved by the hyperlinks route in this particular case was a matter for the FTT’s evaluative assessment, and there was no perversity challenge to the conclusions they had reached.
Ms Proops disagreed with Mr Pitt-Payne’s interpretation of the FTT’s reference to most people not caring about their data; the observation at [166] of the decision was simply by way of explaining the low number of visitors to the CIP, the FTT was not suggesting that this was a factor that diluted the extent to which transparency should be provided to data subjects. She also submitted that the Competition and Markets Authority’s (“CMA”) “Online platforms and digital advertising: Market study final report” (1 July 2021) provided the evidential basis for the FTT’s observation.
As regards the fourth specific error, Ms Proops recognised that the FTT’s reasoning could have been expressed more clearly, but she submitted that, read correctly, there was no inconsistency in what the FTT said in the paragraphs that Mr Pitt-Payne had highlighted. Furthermore, whether or not a data subject was surprised by the data processing, or a particular facet of it, was not synonymous with a data subject’s reasonable expectations in relation to the processing and the FTT were right to distinguish between the two. She also submitted that no basis had been shown for the perversity challenge.
Alleged overarching errors: discussion and conclusions
In the interests of clarity, we have set out our discussion and our conclusions in a way that reflects the sequencing of the grounds of appeal and the submissions made to us. However, there is a degree of overlap between the Information Commissioner’s grounds, particularly in respect of the various parts of Ground 1 and also as between Grounds 1 and 3.
Alleged failure to address Article 5(1)(a) GDPR
The logical starting point, when addressing the overarching aspects of Ground 1, is to consider whether we accept Mr Pitt-Payne’s submission that the FTT entirely failed to address the requirement of transparency imposed by Article 5(1)(a) GDPR in reaching their conclusions. The high-point of this submission is the FTT’s statement in [175] of their decision that, “The relevant transparency requirement here is the requirement to provide an article 14 notice...” and the absence of any express reference to Article 5(1)(a) in their conclusions section headed “Has there been a breach as the Information Commissioner submits?”.
We have already explained that Article 5(1)(a) is the source of the overarching transparency principle and that it may require steps to be taken that go beyond the specific requirements of Articles 13-14 ([95] above). The contraventions identified in the Information Commissioner’s EN included Article 5(1)(a) as well as Article 14 ([13]-[18] above). Accordingly, we accept that it was incumbent on the FTT to consider whether the Article 5(1)(a) requirement of transparency had been met in this instance.
However, the absence of express reference to Article 5(1)(a) in the conclusions section of the FTT’s decision is not determinative. As we explained when setting out the applicable legal framework, we need to consider the decision in light of the evidence and submissions that were before the FTT and the inferences that we can properly draw as to the basis upon which they reached the decision that, absent the residual cohort, there were no material contraventions of the GDPR.
In this regard, it is important to appreciate that the parties were agreed that the alleged contravention of Article 5(1)(a) related to the content and layout of the CIP, whereas the alleged contravention of Article 14 concerned the user journey to the CIP ([30] above). We say this because there can be no doubt that the FTT did address the content and layout of the CIP, finding at [177] that “having considered the CIP in detail, that in its current form, as provided to us, it is adequately clear...we consider that the relevant information is sufficiently prominently displayed and accessible to data subjects who want to understand how their data will be processed”. We are not at this stage concerned with the specifics of how the FTT addressed the layering of the website; that is the subject of Ground 3. We are simply focusing upon whether the FTT considered the Article 5(1)(a) transparency principle at all or whether they confined their reasoning and conclusions to Article 14. These passages in [177] indicate that the FTT did consider Article 5(1)(a) in substance and reached conclusions as to whether the content and layout of the CIP met the requirements of transparency.
We are reinforced in this view by the features that we go on to list in this paragraph, which all indicate that the FTT was alive to the significance of Article 5(1)(a) and the transparency principle. Article 5(1)(a) clearly featured in the parties’ written submissions to the FTT. The FTT’s decision included a lengthy summary of the EN and the sub-heading above their summary of the Category A requirements was, “Category A: Fair and Transparent Processing Article 5(1)(a)” and their summary of the Category C requirements was sub-headed, “Category C: Lawful Processing: Article 5(1)(a) and Article 6(1)”. The FTT’s summary of the Information Commissioner’s response to Experian’s grounds of appeal also included reference to Article 5(1)(a), for example at [51] of their decision. When they came to setting out the legal framework, the FTT set out the material parts of Article 5(1) at [116]. In the same paragraph they said that they had also taken into account the various recitals to the GDPR “to which we have been referred as an aid to interpretation”. We understand that these recitals were the same recitals as Mr Pitt-Payne cited to us concerning the principle of transparency (and set out at [84]-[88] above). At [119] of their decision, the FTT accepted the Information Commissioner's submission that the right to transparency in the processing of personal data was foundational. At [121] of their decision the FTT rightly said that the level of transparency required will be fact-specific and context-related. 
The FTT’s summary of the Information Commissioner's case indicates that they were aware that the argument had not become confined to the user route to the CIP; at [135] the FTT correctly recognised that the core of the Information Commissioner’s submissions was that the processing undertaken by Experian will be surprising to those whose personal data is being processed and that the process was intrusive; and at [164] the FTT noted that the Information Commissioner’s case was that Experian had made “no attempt to identify the information that individuals were likely to find concerning or surprising and did not address its mind to the questions of what steps it should take to ensure the information was promptly located in the CIP”.
Furthermore, whilst our reasoning does not depend on this point, we consider that the FTT’s comment at [175] of their decision that “the relevant transparency requirement here is the requirement to provide an article 14 notice” (which Mr Pitt-Payne emphasised to us) needs to be placed in its context. It was said immediately after the FTT’s reference in [174] to the fourth ground of Experian’s grounds of appeal, which was centred on Article 14 and the alleged disproportionality of providing a privacy notice directly to all data subjects ([26] above).
Undoubtedly the FTT could have structured their conclusions in a clearer way and addressed the transparency requirements of Article 5(1)(a) more explicitly. However, we are not marking an examination paper; the question for us is whether the FTT erred in law in failing to apply the transparency principle in Article 5(1)(a) to the appeal before them. For the reasons that we have identified, we do not consider that this was the case.
Alleged failure to identify the applicable standard of transparency
Next we turn to Mr Pitt-Payne’s contention that, even if the FTT had Article 5(1)(a) in mind, they failed to identify what the transparency principle required in these circumstances, before arriving at their conclusion.
We do not accept this submission. We have summarised the transparency principle at [95] above, where we have explained that in the areas where the GDPR is non-prescriptive, the answer to what transparency requires will be context specific. As we have already noted, the FTT correctly recognised this at [121] of their decision. Transparency is not defined in the GDPR and it would not have been helpful if the FTT had tried to provide a definition of this concept or put a gloss upon its meaning. Whilst the FTT did not in terms identify a list of relevant, or potentially relevant features, as we did at [95] above, we are satisfied that in practice they adopted the approach that we have outlined. It was somewhat telling that when we asked Mr Pitt-Payne what else the FTT should have said in terms of identifying the transparency standard that they were applying, his answer did not engage with this point, rather his reply reiterated other aspects of the alleged Ground 1 errors, namely that the FTT failed to take into account the nature of the processing, its surprising aspects and the Article 21(2) right to object.
The nature of the processing
We turn to the approach that the FTT did adopt. They plainly addressed the impact of the processing in some detail at [152]-[160] of their decision, finding that the worst outcome of Experian’s processing was that an individual is likely to get a marketing leaflet that is more aligned to their interests, rather than irrelevant material. Mr Pitt-Payne does not challenge this finding. As we explain in the next paragraph, we consider that the FTT also had regard to the nature of the data and to Experian’s processing.
The FTT were clearly alive to the significance of the nature of the data, as shown by [121] of their decision. Furthermore, the FTT went on to find in terms at [145] that the modelled data points used by Experian were less intrusive than the processing of actual data. In light of this finding, the number of modelled data points used by Experian was not of particular significance. In any event, the FTT were clearly aware of the scale of this and that 370 modelled points were used, as they said this in terms at [144]. In addition the FTT found at [153], and were entitled to take into account, that the Information Commissioner had not properly appreciated the limited extent to which the CRA derived data was used. The FTT also made findings at [157] as to the limited number of attributes derived from the data that were provided to Experian’s clients and, in the same paragraph, as to the controls operated by Experian. None of these findings are challenged or could be challenged before us. Accordingly, we reject the contention that the FTT failed to have regard to the intrinsic nature of Experian’s processing.
Relevance of the reasonable expectations of data subjects
Next we turn to the reasonable expectations of the data subjects. We address the extent to which this was a relevant consideration for the FTT. We leave the specific criticism of the FTT’s allegedly inconsistent reasoning in [142], [165] and [177] of their decision until we come to the fourth specific error.
At one point in her oral submissions Ms Proops appeared to be suggesting that the reasonable expectation of the data subjects was not relevant to the question of what transparency required. She sought to draw an analogy with the constituent elements of the tort of misuse of private information, where it is necessary to establish a reasonable expectation of privacy for the duty to be engaged at all, but, if it is, then the second issue is whether that expectation is outweighed by a countervailing interest of the defendant. In so far as this contention was maintained, we reject it. We agree with Mr Pitt-Payne that there is no true analogy here. Showing a reasonable expectation of privacy is a threshold requirement for the existence of the right to privacy in the tort of misuse of private information. By contrast, the rights of data subjects conferred by the GDPR extend to all processing of personal data and are not dependent upon the data subject showing a reasonable expectation of privacy in relation to the processing.
We have set out [10] of the Article 29 Working Party’s guidelines on transparency at [94] above. Where the text says that a central aspect of the transparency principle is that the data subject should not be taken by surprise at a later point about the ways in which their data has been used, it is clearly referring to what a data subject may objectively expect in terms of the use of their data, not to the subjective surprise that might be experienced by a particular individual in a particular situation. Whilst the guidelines do not constitute binding law, we agree with the points made at [10], in particular that this is also an important aspect of the principle of fairness in Article 5(1)(a) GDPR and that transparency may require additional information to be provided where the processing is objectively unexpected in order to achieve the objective in Recital 39 of the GDPR that persons should be made aware of (amongst other things) the risks, safeguards and rights in relation to the processing of personal data. Accordingly, the nature and extent of the information that is to be provided to data subjects in order to comply with the requirements of transparency may be affected by whether and in what respects the processing goes beyond that which they would have reasonably expected in any event.
Turning to the FTT’s reasoning on this aspect (which we discuss in detail in relation to the fourth alleged error), we indicate at this stage that we are satisfied that the FTT did take the reasonable expectations of data subjects into account, as is reflected in the terms of their conclusion at [177].
Before leaving the alleged overarching errors we emphasise that there is no perversity challenge to the FTT’s evaluative assessment at [177] as to the clarity and accessibility of the information in the CIP.
Alleged specific errors: discussion and conclusions
Article 21(2)
Turning to the first alleged error, we have already accepted that the existence of an Article 21(2) absolute right to object is part of the relevant context in terms of determining what transparency requires in a particular situation ([95] above). As the parties accept that Article 21(2) applied to Experian’s data processing, it was part of the relevant context for the FTT to consider in this case.
In support of his submission that Article 21(2) was not taken into account, Mr Pitt-Payne relied on the fact that this provision was not included in the FTT’s account of the legal framework and it was not mentioned when the FTT set out their conclusions.
However, it is trite law that an appeal tribunal should not infer that the tribunal below failed to have regard to a material provision, submission or piece of evidence simply because they did not refer to it explicitly in their decision. As we have explained, the authorities establish that it is necessary to look at the substance of the decision, read as a whole and to draw appropriate inferences.
The FTT’s references to Article 21 at [40] of their decision when detailing the EN and at [52] when summarising the Information Commissioner’s response to Experian’s grounds of appeal, indicate that they were aware of this right. In addition, the FTT addressed the general right to opt out at [167], concluding that the layout and contents of the CIP did not improperly push data subjects away from exercising that right. In his reply, Mr Pitt-Payne did not take issue with Ms Proops’ description of there being a right to opt out button on the first page of the CIP and on successive pages. As their summary of his evidence makes clear, Mr Bendon provided the FTT with a detailed account of the CIP and a demonstration which took them through its structure from the front page and the introductory video onwards. They also had print outs of each of the webpages. The FTT observed that the CIP was not structured as a single web page or document (with the exception of the Article 14 pop-up privacy notice) but as “a series of connecting web pages or layouts to make it more accessible to readers” ([78]) and that Mr Bendon’s evidence (which the FTT plainly accepted) was that “there are prominent links throughout the CIP through which individuals can choose to opt out of having their data processed by Experian which takes them into a webpage entitled ‘your opt-out options’. There are also links to a ‘help’ page and an FAQs page on each page” ([79]). The FTT then referred to an online survey conducted by Experian in June 2021, in which 90% of respondents indicated that they found it easy to understand the CIP front page, 94% of respondents were able to locate the opt out button from the introductory page and 93% found it easy to understand the opt out information. The FTT commented at [81] that “this is a useful exercise although not definitive”.
In these circumstances, we agree with Ms Proops’ submission that, reading the decision as a whole, the FTT’s conclusion expressed at [177] that the CIP was sufficiently transparent in terms of the clarity and accessibility of the information it displayed, must be taken to have included a consideration of the rights to opt out and the means of doing so via the CIP.
Use of hyperlinks to the CIP
We can deal with the second alleged error shortly. We accept Ms Proops’ argument that given Mr Pitt-Payne (rightly in our view) conceded that a user route consisting of a series of hyperlinks on websites provided by different entities could satisfy the transparency principle, this sub-ground of appeal is untenable. Whether or not the requirements of transparency were met in this particular instance was a matter for the FTT’s evaluative assessment. They reached the conclusions in this regard expressed at [169] and [177] of their decision and these have not been the subject of a perversity challenge. Accordingly, unless the Information Commissioner can establish one of the other alleged errors of law that bear on this conclusion, their finding is unassailable. It was noteworthy that Mr Pitt-Payne’s submissions on this area of the case really amounted to no more than an expression of disagreement with the FTT’s conclusions.
Suggestion that people do not care about what happens to their data
We can also deal with the third alleged error relatively shortly. The key passage in the FTT’s decision appears at [166]. We are satisfied that the FTT’s reference to research data showing that most people do not care about what happens to their data was made in order to address a submission made by the Information Commissioner that the fact that only 130,000 unique IP addresses had visited the CIP, out of the 7 million visitors to Experian’s main website, indicated that the existence of the CIP was not made sufficiently clear to data subjects. Mr Pitt-Payne’s written closing submissions confirm that this was the way that this aspect of the case was put before the FTT. Accordingly, at [166] the FTT were simply saying that the relatively small number of visitors to the CIP was consistent with the picture revealed by independent research data and was not indicative of a lack of transparency in terms of the existence of and the route to be taken to arrive at the CIP. We are equally clear that the FTT did not rely upon their understanding that most people do not care about what happens to their data in any broader sense and in particular they did not rely on this to dilute or undermine the requirements of transparency. Indeed, at [169] the FTT said in terms that whilst people may choose not to read privacy policies, “The processing must still be fair, lawful and transparent”.
Mr Pitt-Payne’s secondary argument was that there was no evidential basis before the FTT from which they could have concluded that people do not care about what happens to their data. We agree with Ms Proops that, read in context, the “research data” that the FTT had in mind was plainly the CMA’s report ([113] above). In his reply Mr Pitt-Payne submitted that even if this was the “research data” that the FTT had in mind, it did not bear out the statement that people do not care what happens to their data. Counsel took us to various passages in this lengthy report. In summary, what these showed was that research indicated that most people did not access / read privacy policies, as opposed to it indicating that they did not care what happens to their data. Accordingly, the last sentence of the FTT’s [166] was clumsily phrased. However, the point that they were in fact seeking to make, namely that data subjects’ lack of engagement with the CIP does not indicate that it was inaccessible, is borne out by the contents of the CMA’s report.
How the FTT addressed the reasonable expectations of data subjects
Lastly in terms of Ground 1, we do not accept that the FTT erred in law in the way that they addressed the reasonable expectations of those whose personal data was used by Experian or that their reasoning displays irrational inconsistency. The first sentence of the FTT’s [142] simply referred to the Information Commissioner’s case. The last sentence indicates that at this stage the FTT had in mind individuals’ subjective reactions to the way in which Experian processed their data. As we have explained when addressing the overarching elements of Ground 1, this is not a relevant contextual consideration. Accordingly, the FTT did not fall into error in finding that this was “not a particularly useful yardstick”. The middle of the paragraph legitimately referred to the FTT’s rejection of Mr Hulme’s evidence in this respect. At [165] of their decision, the FTT correctly drew a distinction between the subjective surprise that some users might experience and their reasonable expectations, noting that it was the latter that was in issue. Thus, in setting out their conclusion at [177] we consider that the FTT was referring to its assessment of those reasonable expectations when they acknowledged that, “the scale of the processing undertaken is very large, and that is something which would be surprising to data subjects as indeed would be the uses to which that data is put”. Read in this way we do not consider that there is significant inconsistency between the passages that Mr Pitt-Payne highlighted, albeit this is another respect in which the FTT’s decision could certainly have been better expressed.
It follows from our analysis that the FTT did proceed on the basis that Experian’s processing went beyond the reasonable expectations of the data subjects, when they assessed whether transparency requirements had been met. Nonetheless they found (as it was open to them to do so) that the transparency requirements were met in this instance.
Furthermore, insofar as there is any tension or inconsistency between [142] and [177] of the FTT’s reasoning (contrary to our primary conclusion), it is evident from the structure of the decision and their reasoning, that it was the latter that informed their conclusion on transparency. Accordingly, the FTT did not find that Experian’s data processing was not objectively surprising to data subjects and thus the perversity complaint falls away.
Concluding observations on Ground 1
It therefore follows that we reject each of the alleged errors of law that the Information Commissioner advanced in respect of Ground 1. The FTT’s decision is neither well-structured nor well-reasoned, but for the reasons that we have identified, we are satisfied that applying the approach that the appellate authorities require us to take, there was no error of law in the FTT’s approach to these aspects of transparency. To a significant degree the points made to us by Mr Pitt-Payne were simply an attempt to take issue with the FTT’s evaluative assessments and to re-argue a case that was unsuccessful below. Insofar as Mr Pitt-Payne suggested that we should approach the Ground 1 errors cumulatively, the submission has no traction as we have not accepted that any of the alleged errors were made. However, we confirm that we kept in mind the full picture of the alleged errors when reaching our conclusions in respect of Ground 1.
Ground 2
The Information Commissioner’s submissions
We have summarised the Information Commissioner’s Ground 2 at [51] above. Mr Pitt-Payne contended that the overarching error was the FTT’s failure to approach Article 14 GDPR in a structured way, distinguishing between the three questions that arose in this case. He said that the FTT should firstly have determined whether Experian had itself provided data subjects with the information required by Article 14(1); and then, upon finding that it had not, the FTT should have addressed in terms whether the ground for disapplying the Article 14(1) duty provided for by Article 14(5)(a) had been established (that data subjects already had the information) and, if this was not the case, whether the Article 14(5)(b) ground for disapplication (disproportionality) applied.
Turning to the specific errors, Mr Pitt-Payne submitted that the only conclusion open to the FTT in relation to Article 14(1) was that Experian had not provided the prescribed information and that it was incumbent on the FTT to state this. The second and linked error, said Mr Pitt-Payne, was that the FTT’s failure to recognise that Article 14(1) had not been complied with infected their consideration of the Article 14(5) issues. The FTT’s starting point should have been that Experian were having to rely upon exceptions to the Article 14(1) duty, which, as such, should be narrowly construed.
Thirdly, Mr Pitt-Payne submitted that the FTT had erred in law in their application of Article 14(5)(a), if, indeed, this was the conclusion that they had reached at [177]. He noted that this conclusion was not expressed in terms of the Article 14(5)(a) criterion, namely whether the data subject “already has the information” and he suggested that this indicated that the FTT had failed to ask themselves the correct question. Furthermore, he contended that the user routes to the CIP, whether via the hyperlinks in the CRAIN on the lenders’ websites or via the links on the websites of the third party suppliers, could not, as a matter of law, amount to the data subjects “having” the prescribed information (which was admittedly contained within the pop-up privacy notice on arrival at the CIP). He said that in these circumstances, whilst a data subject was told what they could do to acquire the prescribed information, unless they in fact followed the links through to the CIP they did not “have” that information for the purposes of Article 14(5)(a).
In terms of the fourth specific error that he relied upon, Mr Pitt-Payne emphasised the absence of any explicit conclusions in respect of data subjects whose data was provided to Experian via third party suppliers; the FTT’s conclusion at [177] was expressed to relate to the CRA data subjects and there was no equivalent reference to those who provided their data via the third party suppliers’ websites. He said that the only potentially material reference to the latter came in [133] of the FTT’s decision and in terms that suggested a finding that such data subjects would not “have” the Article 14 information. There was no equivalent to the FTT’s finding at [161] in respect of the CRAIN providing individuals with an understanding of Experian’s business and links to further material and the third party suppliers route required separate consideration. Mr Pitt-Payne also drew attention to the absence of any explicit reference in the FTT’s conclusions to Requirement C7 of the EN, which was aimed at Experian improving the information provided to data subjects by third party suppliers.
As regards the fifth specific error, Mr Pitt-Payne emphasised that the FTT had not addressed the Article 14(5)(b) disproportionality exception in respect of the main cohort of data subjects. He said that as it was clear from the FTT’s finding that Experian could not rely upon this exception in relation to the residual cohort, it could not have applied to the main cohort either.
Mr Pitt-Payne also submitted that the FTT had failed to provide adequate reasons in respect of the findings that they purported to make in relation to Article 14.
Experian’s submissions
Ms Proops acknowledged that the FTT’s reasoning in relation to Article 14 was suboptimal but she submitted that each of the perceived gaps could and should be filled by the necessary process of considering the decision as a whole (in light of the submissions made to the FTT) and drawing the appropriate inferences.
Ms Proops submitted that the FTT had approached the Article 14 issues correctly. She said that as it was quite clear that Experian did not assert that they had met the Article 14(1) duty it was unnecessary for the FTT to make any finding in this respect. She said that it was equally clear that the FTT had not decided the case involving the main cohort of data subjects on the basis of Article 14(5)(b), as there was no consideration in their reasoning of “disproportionate effort”, as there was when they considered the position of the residual cohort at [178]. Accordingly, she said, although the conclusion at [177] was not explicitly couched in the terms of Article 14(5)(a), Article 14(5)(a) was “the only game in town” and it was tolerably clear that the FTT had found that this provision applied as the data subjects already had the information, in light of the simple to follow and accessible route to the CIP.
Ms Proops contended that there was nothing in the first two specific errors. There was no need for the FTT to make a finding in relation to Article 14(1) and not doing so did not impact upon how the FTT approached Article 14(5). Whether the data subjects already “had” the prescribed information or not was simply a binary question, to which no question of a broad or narrow construction arose.
As regards the third specific error, Ms Proops responded that the question of whether the data subject already “has” the prescribed information involved a straightforward, commonsense application of these words. She submitted that the FTT were entitled to find that as data subjects had the opportunity to click on the relevant hyperlinks to take them to the CIP, they “had” the information. Ms Proops reminded us of the concession that Mr Pitt-Payne had made that it was possible for transparency requirements to be met by a series of hyperlinks ([112] above). She said that it was a question of fact for the FTT, who had resolved it in Experian’s favour, finding that an effective delivery mechanism for the information had been employed after weighing up the relevant matters, in particular the accessibility and clarity of the route to the CIP. Whilst the Information Commissioner disagreed with the FTT, there was no perversity challenge to the FTT’s conclusions at [161], [169] or [177] and their evaluative assessment was unassailable.
In terms of the fourth specific error, Ms Proops acknowledged that the FTT did not expressly address the route from the third party suppliers’ websites to the CIP. However, she submitted that it was evident from their stated reasoning, that the FTT had concluded that the hyperlinks route to the CIP from third party suppliers meant that these data subjects also already “had” the prescribed information. She said their finding to this effect was included in the conclusion at [181] in circumstances where it necessarily followed that the FTT’s assessment in respect of the CRA side of things also applied to the third party suppliers route, not least because the latter would involve one hyperlink rather than two (a link on the third party supplier’s website to the CIP, as opposed to a link on the lender’s website to the CRAIN and, in turn, a link to the CIP). Ms Proops said that it was inconceivable that the FTT had simply forgotten about the position in relation to third party suppliers, when it was apparent from the parties’ submissions that this was in issue and the findings of fact showed that the FTT were aware that a substantial amount of data subjects’ personal data was drawn from the third party suppliers. She submitted that the inference we were bound to draw was that after finding that the more indirect CRAIN route met Article 14(5)(a), the FTT considered that it followed that the same conclusion applied to the third party suppliers.
Ms Proops also contended that the FTT had not erred in relation to Article 14(5)(b); it did not arise in relation to the main cohort of data subjects as the FTT had already lawfully held that the Article 14(5)(a) exception applied.
Alleged overarching error: discussion and conclusion
The FTT’s decision could have been much clearer in terms of their approach to Article 14 GDPR. Nonetheless, we are satisfied that the FTT did identify and analyse the issues that they needed to consider in respect of the Article.
It is clear from the contents of [175] of their decision that the FTT directed their minds to whether the requirements of Article 14 had been met. It is also apparent that the FTT had the provisions of Article 14 well in mind. Article 14 was set out in full at [116] of their decision and the terms of Article 14(5) were set out again at [175].
We agree with Ms Proops that there was no need for the FTT to set out a finding that Article 14(1) had not been complied with, as it was no part of Experian’s appeal against the EN to suggest that it had. Experian simply relied upon the Article 14(5) exceptions. This is clear from Experian’s grounds of appeal. Requirements B4-B5 of the EN were addressed at [38]-[39] of that document. Experian asserted that there had been no failure to comply with Article 14 given that: (i) “to a very large extent, Experian has already effectively ensured that the affected data subjects have the relevant transparency information, such that the Article 14(1) duty to provide a privacy notice direct to the data subject is disapplied pursuant to Article 14(5)(a) GDPR”; and/or (ii) providing a direct notification to data subjects who had not obtained the information would entail a disproportionate effort, so that Article 14(5)(b) applied. Furthermore, it is clear that the FTT appreciated that the issues they had to decide concerned the Article 14(5) exceptions. After referring in general terms to Article 14 at [175], the FTT observed that the GDPR was “clear about the limited circumstances in which the requirement to give an article 14 notice may be avoided. These are set out in paragraph 5 of article 14”. They then repeated the terms of Article 14(5). There was never any question of Article 14(5)(c) or (d) applying. Accordingly, the FTT’s conclusions that followed were, in Article 14 terms, plainly focused on Article 14(5)(a) and/or (b).
In turn, it is readily apparent that the conclusions expressed by the FTT at [177] partly concerned the accessibility of the route to the CIP for the CRA data subjects. In light of the issues before the FTT, the clear and appropriate inference to draw is that this conclusion was addressed to the applicability of Article 14(5)(a) and to whether the data subjects already “had” the information. We agree with Ms Proops that in the circumstances Article 14(5)(a) is the only realistic candidate. Furthermore, there is no reference to “disproportionate effort” or anything else that would suggest that the FTT were in fact addressing the Article 14(5)(b) exception, rather than Article 14(5)(a), in relation to the main cohort.
Our analysis is reinforced by the way that the FTT then addressed the residual cohort. If there was any question of Article 14(1) having been complied with, it would have been necessary for the FTT to have considered this before finding a contravention of Article 14 in relation to those data subjects. However, the FTT moved straight to the Article 14(5) exceptions, in this instance (and in contrast to its approach to the main cohort), addressing at [178] whether Article 14(5)(b) applied. As the residual cohort were those data subjects who had not received any notice of the data processing, plainly Article 14(5)(a) could not apply to them.
Alleged specific errors: discussion and conclusions
Article 14(1)
There is nothing in Mr Pitt-Payne’s first complaint. It was unnecessary for the FTT to find or record that Article 14(1) had not been complied with; as we have explained, the appeal before them proceeded on the basis that it had not.
We also reject the second alleged error. The FTT were plainly aware that Article 14(5) provided “limited circumstances” ([175]) in which the Article 14(1) requirement could be avoided. Furthermore, when addressing the residual cohort at [178] the FTT observed in terms that the main Article 14 duty, “cannot be easily avoided, so that ‘disproportionate effect’ is to be construed narrowly”. Accordingly, the FTT were plainly aware that Article 14(5)(a) also provided an exception to the primary duty, which it was incumbent on Experian to establish. It was logical for the FTT to highlight the importance of adopting a narrow construction when they came to consider “disproportionate effect” (rather than when they addressed Article 14(5)(a)) as there was an issue between the parties as to whether the business expense for Experian of directly notifying all of the residual cohort could amount to this.
Article 14(5)(a) and whether the data subject already “has” the information
The first question that we need to determine in relation to the third alleged error is the correct approach to “already has” in Article 14(5)(a). Whether or not the data subject “has” the prescribed information is not a concept that is further defined in the GDPR and, as far as we are aware, there is no earlier authority that has considered this. We emphasise that, as we have explained at [96] above, we approach this issue on the basis of the parties’ agreed position that Article 14(1) is not satisfied where data subjects receive the information specified in Article 14(1) and (2) otherwise than by direct provision from the data controller, in this instance, in part via websites other than Experian’s (which, in due course, via hyperlinks, could lead them to the CIP). We emphasise this because it might otherwise be thought to be a rather strained use of the concept of the data subject “already” having the prescribed information, for it to cover a situation where the prescribed information is partially imparted by the controller itself via Experian’s CIP at the end of the user’s route. However, Mr Pitt-Payne did not take issue with the applicability of Article 14(5)(a) on this basis; as we have already summarised, his position was that this exception did not apply because the ability to receive the information via a trail of hyperlinks did not amount to the data subjects “having” the information.
Mr Pitt-Payne accepted that “having” the information was not confined to a situation where a data subject actually read the relevant material. He agreed that if a data subject received a privacy notice in the post which they chose not to read, they plainly “had” that information. Importantly for present purposes, he also agreed that those data subjects who did click on the hyperlinks on the external websites and thereby arrived at the CIP “had” the prescribed information, whether or not they chose to read the pop-up notice or other information contained on the website. We agree with these concessions. It would be quite unrealistic to suggest that a data subject only “had” the prescribed information if they elected to consider it, or only “had” it if they were in physical possession of a hard copy. The latter is consistent with Recital 58 to the GDPR ([85] above) which expressly recognises that information addressed to the data subject may be provided in electronic form in appropriate situations. This is also recognised in the Article 29 Working Party guidelines, for example at [11], [35] and [36] ([94] above), which specifically address the provision of information to data subjects in a digital environment (and which we consider further in relation to Ground 3, below).
However, once it is rightly accepted that the Article 14(5)(a) requirement may be met by the provision of the prescribed information in an electronic form including on a website accessed via a hyperlink, it seems to us that it is a question of fact and degree, rather than a matter of rigid principle, as to whether the ability to access the relevant information via a hyperlink or series of hyperlinks satisfies the Article 14(5)(a) exception. Both counsel suggested to us that “has” was an ordinary word that it was not helpful to try and define further. We agree. We conclude that whether the data subject already “has” the prescribed information is a question of fact, which is to be answered by reference to the specific circumstances, particularly the accessibility and the clarity of the information, and bearing in mind the underpinning principle of transparency which we have already discussed at [95] above. We consider it less likely that the nature of the processing or its likely impact will bear directly on this question, but we do not rule that out. We consider that the approach we have outlined is in keeping with the GDPR Recitals and the passages in the Article 29 Working Party guidelines on transparency which we have already set out.
In his reply, Mr Pitt-Payne suggested that if the Article 14(5)(a) exception was broad enough to accommodate the present case, it would be sufficient for an external website to simply state that data subjects’ personal data was shared with Experian and to provide no website address for the CIP, hyperlink to it or other information on how to access it. We do not agree that this follows from the approach to Article 14(5)(a) that we have identified. We emphasise that we are not deciding that the Article 14(5)(a) exception will be established in every instance in which data subjects are given some means of arriving at the prescribed information, even if research or inquiry on their part is involved. To the contrary, we have indicated that it will always be a question of fact and degree as to whether or not the data subject already “has” the prescribed information.
We turn to the conclusions reached by the FTT. We regard the following findings as significant. At [161] the FTT found that the CRAIN provided individuals with an understanding of Experian’s business and links to further material. At [162] they noted that the route to the CIP would be facilitated by hyperlinks and the reasonable data subject would be familiar with hyperlinks and how to follow them. At [169] the FTT found that there was “a sufficiently easy to follow trail through hyperlinks to the CIP from the privacy notices which enables people who are concerned about their privacy to follow that route to learn more”. Then in their conclusions section at [177] the FTT found that the processing was sufficiently transparent in respect of CRA derived data in the context of privacy notices served on data subjects who provided their data to lenders. The FTT’s assessment was that, “The hyperlinks and websites are simple to follow, and we find, having considered the CIP in detail, that in its current form ... it is adequately clear”; and that the relevant information on the CIP was “accessible to data subjects who want to understand how their data will be processed”.
We have already explained when addressing the alleged overarching error, that whilst the FTT did not use the language of Article 14(5)(a) in setting out their conclusion, we are satisfied that the FTT’s assessment at [177], read in the context that we have identified, was a conclusion that the Article 14(5)(a) exception applied. Given the “fact and degree” approach to Article 14(5)(a) that we have endorsed, we do not consider that the FTT erred in principle in reaching this conclusion. This was a conclusion that was open to them and it appears that relevant matters, particularly accessibility and clarity, were taken into account. There is no perversity challenge mounted to any of the findings that we have referred to in our preceding paragraph and no apparent gap in the FTT’s logic. Accordingly, there is no recognised basis upon which Mr Pitt-Payne can disturb the FTT’s assessment. A significant portion of his oral submissions expressed disagreement with this assessment and appeared to be directed towards persuading us that we should arrive at a different conclusion, but this is not a situation in which it would be appropriate for us to re-take the evaluative assessment arrived at by the FTT. Indeed, it would be particularly inappropriate for us to do so in circumstances where the evidence heard by the FTT included a detailed presentation relating to the hyperlinks from the external websites and the contents of the CIP.
The route from the third party suppliers to the CIP
The fourth alleged error caused us some anxiety. In setting out their findings at [161], [162] and [177], the FTT referred in terms to data subjects whose data was supplied via its CRA business and who were provided with a link to the CIP via the CRAIN. By contrast, the FTT did not refer to those data subjects whose personal data was provided to Experian by third party suppliers when it addressed the route to the CIP and the applicability of Article 14(5)(a). Moreover, the terms of [170]-[171] and [180] of their decision might suggest that the FTT thought that issues involving data supplied by the third parties had become entirely academic, as opposed to the issue of consent based processing raised by the EN’s Requirement C3 becoming academic (as we explained at [18] above).
However, ultimately we are persuaded by Ms Proops’ submissions that it is inconceivable in the circumstances that the FTT could have entirely overlooked this central issue. We infer that the FTT’s composite indication at [181] that they “did not find that there has been any other material contravention” included their assessment as to the accessibility of the user route from the third party suppliers’ websites, indicated in a very compressed way in light of the conclusion that they had already set out at [177] in respect of the CRA data subjects. We explain our reasoning in the paragraphs that follow.
The FTT were plainly aware that a substantial amount of the personal data processed by Experian was derived from third party suppliers; the FTT referred to this at [4], [8] and [148] of their decision, including noting that data was collected by some 148 third party websites and that the information held on ChannelView was predominantly provided to Experian by third party data suppliers. Equally, the FTT would have been aware that Requirements B4 and B5 of the EN did not distinguish between data subjects whose personal data was supplied via the CRA and those whose data was provided to Experian from the third parties. Accordingly, on the face of it, the Article 14 issues applied equally to both of these groups of data subjects.
Furthermore, there was nothing in the parties’ submissions before the FTT that suggested that the Article 14 issues had narrowed to exclude the latter group of data subjects from their consideration. This is confirmed by the parties’ closing submissions. The Information Commissioner’s written closing submissions noted at [50]-[51] that Experian relied upon Article 14(5)(a) in respect of (amongst other groups) the notices provided to data subjects by third party suppliers. The evidence relating to the information provided by third party suppliers to data subjects was then addressed in more detail at [51(2)]. At [53] and [54] it was said in terms that the Commissioner did not accept that any of the mechanisms discussed in [52] satisfied the requirements of Article 14(5)(a). Accordingly, this included the user route to the CIP from the third party suppliers’ websites. Additionally, the contents of [6(6)], [6(6)(b)] and [123(3)] of Experian’s written closing submissions confirmed that Experian continued to rely upon the Article 14(5)(a) exception in respect of those whose data was obtained by the third party websites.
We have also considered the Schedule of agreed and disputed facts. The provision of data by third party suppliers was referred to at points 3.9, 3.21, 3.25 and 3.27. In addition, point 6.19 referred to Experian’s contention that 90% of individuals had been notified of Experian’s processing of their data via the links to the CRAIN, the third party supplier information which linked to the CIP or ECS privacy information that linked to the CIP. Points 7.1 and 7.2 referred to Experian’s position that third party suppliers clearly explained to individuals who signed up, that their data would be provided to Experian for processing and provided them with a link to the CIP. We note that the Information Commissioner’s response included the observation that the evidence before the FTT had covered examples of the information provided by the third party suppliers, rather than comprehensive evidence regarding the information given to all 17 million individuals whose data was derived from these sources, but the Commissioner “does not suggest that these examples are atypical”. It appears from the Commissioner’s written closing submissions that the examples that had been provided in evidence related to four of the 148 third party suppliers.
This material all supports the proposition that the FTT would have been aware that the Article 14(5)(a) issue included the data subjects whose personal data had been provided to Experian by the third party suppliers.
We have also considered [133] of the FTT’s decision. Its terms further confirm that the FTT were aware that data was supplied to Experian from the 17 million individuals who had interacted with the relevant third party websites. Mr Pitt-Payne suggested that the FTT’s observations tended to show that they were not satisfied that the Article 14(5)(a) criterion was met in respect of these data subjects. However, we do not read [133] in that way. At this stage of the decision the FTT were not addressing the Article 14 exceptions, rather the FTT were responding to a suggestion that Experian’s data processing business was well-known to the 17 million individuals who had interacted with the third party websites. In this regard the FTT indicated that they did not accept that the reference to the Experian privacy notice on the third party websites was “good evidence that that number of people will be aware of EMS”. As the FTT were plainly referring to the (lack of) actual awareness on the part of data subjects at this stage, this observation was entirely consistent with their later remarks at [166] and [168] regarding the limited attention that people gave to privacy notices. (Indeed, it appears that their reference in [133] to “the other evidence, on which Experian relies” is a reference to the research material that the FTT had in mind in these later paragraphs.) In any event, it is clear that at [133] the FTT were not addressing the accessibility or clarity of the user route to the CIP or the CIP itself. In contrast to the point that the FTT were addressing at [133], we have already explained when addressing the third alleged error, that “having” the prescribed information for Article 14(5)(a) purposes does not require the data subject to have actually read it.
We accept that the FTT’s finding at [177] also in effect determined the position in relation to Article 14(5)(a) for those individuals whose data was provided by the third party suppliers. Given that their route to the CIP involved clicking on only one hyperlink from the third party website to the CIP, as opposed to the CRA route via the CRAIN involving the data subject clicking on two hyperlinks to arrive at the CIP, it would have been very surprising indeed if the FTT had arrived at the opposite conclusion as to the applicability of the Article 14(5)(a) exception in relation to this group of data subjects. Furthermore, the FTT’s observations about users’ familiarity with hyperlinks and ability to follow them at [162] would have applied equally to the third party situation; and, on their face, their findings at [163] – [169] in respect of the CIP applied equally to this group of data subjects, including that, “there is a sufficiently easy trail to follow through hyperlinks to the CIP from the privacy notices which enables people who are concerned about their privacy to follow that route to learn more”. In the circumstances we see no reason to differentiate in terms of the data subjects’ respective routes to the CIP between the FTT’s assessment at [177], explicitly stated to be in respect of the CRA derived data, and the position of those whose data was supplied by the third parties.
Mr Pitt-Payne suggested two specific reasons as to why the positions of these two groups were not materially analogous. We were unpersuaded by these points. Firstly, he submitted that the position was distinct as the data subjects’ personal data obtained from the third party websites was prospectable, whereas the CRA derived data was non-prospectable. However, as we have indicated at [165] above, the question of whether the data subject “already has” the prescribed information in the present kind of context is likely to turn on questions of accessibility and clarity, rather than on the extent to which the processing itself is intrusive. Accordingly, we do not consider that this distinction gives rise to a material difference.
Secondly, Mr Pitt-Payne submitted that not all of the third party websites displayed the Experian related information in the same way. Ms Proops showed us the Gardener’s Club example, where the reference to Experian and the hyperlink to the CIP appeared clearly on the first sign-up page of the website. In his reply, Mr Pitt-Payne said that this was not the universal position and referred us to the “MyOffers” site where the reference to Experian and the hyperlink were not on the signing-up page. However, in light of the relatively global way in which the parties had approached the evidence regarding the third party websites (as illustrated by the Schedule of agreed and disputed facts) and the fact that they were all one click away from the CIP, we consider that the FTT were entitled to arrive at an overall conclusion in respect of the third party websites route, rather than setting out an individualised assessment in relation to particular websites.
Article 14(5)(b)
We can swiftly dispose of the fifth alleged error. As the FTT had found that the Article 14(5)(a) exception applied in respect of the main cohort, there was no need for it to address Article 14(5)(b) in relation to this group of data subjects.
Concluding observations on Ground 2
For the reasons that we have set out above, we reject each of the alleged errors that were advanced as part of the Information Commissioner's Ground 2. In the course of doing so, we have also addressed the secondary basis upon which Mr Pitt-Payne put his case, namely that the FTT’s decision was inadequately reasoned. As we have explained, we have had to undertake a significant amount of inferential work, but, having done so, we are satisfied that the FTT’s reasons were not so inadequate as to amount to an error of law.
As we have not found that the FTT erred in law in relation to Ground 2, it is unnecessary for us to address Ms Proops’ fallback position in any detail. She submitted that any error of law in the FTT’s approach to Article 14 would be academic as it was apparent from the FTT’s findings at [184] that even if they had found that there was a contravention of Article 14, they would also have found that the Information Commissioner should not have exercised her discretion to issue the EN. In the circumstances it will suffice for us to indicate that if we had allowed the appeal in relation to all or part of Ground 2, it is unlikely that we would have been persuaded by this submission. This part of the FTT’s decision was primarily focused upon the terms of a SEN in respect of the residual cohort (where a contravention had been found) and insofar as [184] addressed the position of the main cohort, it did so briefly and on a hypothetical basis (no contravention of Article 14 having been found) and the FTT’s observations were clearly obiter dicta.
Ground 3
The Information Commissioner’s submissions
There appeared to be a significant degree of overlap between the Information Commissioner’s submissions on Ground 1 and Ground 3. In this section of our decision we only summarise and address those matters that we have not already covered when we considered Ground 1. Mr Pitt-Payne submitted that the FTT had failed to address the Commissioner’s specific criticism that the most striking and/or surprising features of Experian’s processing were not covered in the first levels of the CIP that would be reached when a data subject navigated to the website. He said that the first layer of the CIP focused on explaining why Experian’s processing was beneficial, rather than on what the processing actually entailed. He contended that the CIP failed to reflect the approach identified in the Article 29 Working Party’s guidelines on transparency in terms of layering and giving prominence to information that was relevant to the reasonable expectations of data subjects. He said that it was incumbent on the FTT to resolve this issue as it was clearly raised by Requirement A1 of the EN and maintained during the hearing, including in the Commissioner’s written closing submissions.
Experian’s submissions
Ms Proops submitted that [164] of the FTT’s decision showed that they had fully appreciated this aspect of the Commissioner’s case and, further, that it was apparent that they had addressed this in their findings at [177]. Accordingly, Mr Pitt-Payne was incorrect in contending that no conclusion had been reached on this issue and in the circumstances he had shown no permissible basis for interfering with the FTT’s assessment.
Discussion and conclusions
We have already concluded that the FTT took proper account of the Article 5(1)(a) transparency principle when we addressed the alleged overarching errors raised under Ground 1. The remaining complaint under Ground 3 is a narrower one, namely that the FTT did not have regard to or determine the Information Commissioner’s concerns as to the layering of the information provided on the CIP. For the reasons set out below we reject this proposition.
The FTT was clearly alive to the Information Commissioner’s case in this respect. They summarised this aspect of the EN at [18] of their decision. At [164] they correctly encapsulated her case as follows, “Experian made no attempt to identify the information that individuals were likely to find concerning or surprising and did not address its mind to the questions of what steps it should take to ensure the information was promptly located in the CIP”.
As we have already noted, the FTT were given a demonstration of the CIP’s pages ([135] above). They also referred to this at [163] of their decision, saying “We were taken at length through the consumer information portal”. Accordingly, the FTT were well-positioned to make an assessment as to the accessibility of information within the CIP and as to whether sufficient prominence was accorded to information that was of importance for data subjects. At [177] they concluded that the CIP was “adequately clear” and that “the relevant information is sufficiently prominently displayed and accessible to data subjects who want to understand how their data will be processed”. Mr Pitt-Payne suggested that their reference to “relevant information” was a reference to the information referred to in Article 14(1) and (2). However, it is clear to us that the reference to “relevant information” was a reference to the immediately preceding sentence in [177] where the FTT had accepted that the very large scale of the processing and the use of the data would be surprising to data subjects. Accordingly, the FTT found that information pertaining to the nature of the processing was “sufficiently prominently displayed” and in so finding they took account of their assessment that the scale of the processing and use of the data went beyond data subjects’ reasonable expectations.
In the circumstances it is inaccurate to suggest that the FTT did not address this aspect of the Information Commissioner’s case. It is true that they did so in a relatively compressed way, but no proper basis has been shown for overturning this evaluative assessment, which the FTT were well-placed to make. As Ms Proops suggested, the articulation of a concise conclusion on this point should be seen in its context, namely the FTT were setting out their overall impression after having had the relevant webpages demonstrated to them.
Mr Pitt-Payne emphasised those parts of the Article 29 Working Party’s guidelines on transparency that are concerned with the provision of accessible information in the digital context, particularly [11], [35] and [36] ([94] above). Amongst other points, these passages address layering, including recommending information to include in the first layer. There is nothing to suggest that the FTT were unaware of the guidelines; they were cited to them and they referred to another part of the guidelines when they were considering the residual cohort at [178] of their decision. We are satisfied that the FTT were mindful of these matters; they commented on the advantages and disadvantages of layering at [165] of their decision. However, these paragraphs of the guidelines do not lay down rules of law; it was for the FTT to make their own evaluative assessment as to whether information about Experian’s processing was sufficiently prominently displayed on the CIP; they did so and they found that it was.
Ground 4
We have summarised this ground at [53] above. As we have rejected Grounds 1 and 2 it does not arise.
Ground 5
The Information Commissioner’s submissions
Mr Pitt-Payne contended that there was a complete failure on the part of the FTT to address Requirement C6 of the EN, which required Experian to cease processing any personal data where the LIA could not be said to favour the interests of Experian having regard to the transparency of the processing and the intrusive nature of the profiling. He said that this was clearly a live issue for the FTT to resolve. Experian’s grounds of appeal disputed the C6 Requirement, asserting that no basis had been shown for it to amend its current LIAs. The Commissioner defended the requirement and it remained in dispute before the FTT, as shown by [88]-[92] of the Commissioner’s written closing submissions. Mr Pitt-Payne submitted that the FTT had failed to make any express findings in respect of this issue and we could not be confident that it was addressed in the FTT’s global indication at [181] of their decision. Further, as the FTT had found a contravention in respect of the residual cohort, it was apparent that the LIAs required some re-assessment, as the FTT should have appreciated if they had engaged with the LIAs.
Alternatively, if the FTT were to be taken to have reached a conclusion on this aspect of the case in [181] of their decision, Mr Pitt-Payne submitted that they had failed to provide any or any adequate reasons for their conclusion.
Experian’s submissions
Ms Proops emphasised that the EN’s criticisms of Experian’s existing LIAs were based on the proposition that they failed to take into account the harmful and intrusive nature of the processing. Accordingly, as the FTT had rejected the Information Commissioner’s case on these matters, it was evident that there was no basis for Requirement C6 and, in the circumstances, it could clearly be inferred that their conclusion on this aspect was included within the FTT’s indication at [181] that they did not find that there had been any other material contravention.
Discussion and conclusions
We agree that this aspect of the case was a live issue before the FTT for the reasons that Mr Pitt-Payne identified.
However, it is apparent from the terms of the EN (which we have summarised in this respect at [18] above) that the Information Commissioner’s case that the LIAs should be re-assessed rested on the propositions that Experian’s processing was intrusive, non-transparent and harmful. As we have already explained the FTT rejected each of these propositions. There is no challenge to their conclusion in terms of the relatively innocuous nature of the processing and we have dismissed the grounds of appeal that challenge the FTT’s findings on intrusiveness and on transparency.
Accordingly, it follows that the FTT’s decision did contain a reasoned rejection of the Information Commissioner’s case. Whilst it would have been clearer, and thus desirable, for the FTT to have spelt out expressly that given these findings they did not uphold Requirement C6, we consider that it can clearly be inferred that this conclusion was part of their statement at [181] that they had found no other material contravention.
We do not consider that we are assisted by the discrete issues that arose in relation to the residual cohort. The conclusions reached in relation to the residual cohort and the terms of the SEN are not in issue on this appeal (and Experian indicated through Ms Proops that they are willing to agree to a requirement to re-visit the LIAs in so far as they concern this group of data subjects). For present purposes, we are satisfied that the FTT engaged with the question and their reasons make it tolerably clear why the Information Commissioner was unsuccessful in relation to this part of her case as regards the main cohort of data subjects.
Outcome
For the reasons that we have set out above, the Information Commissioner’s appeal is dismissed.
We conclude by thanking counsel for the considerable assistance that they provided to us and by observing that, having reviewed the relevant material, it appears to us that many of the points raised in this appeal could have been avoided if the FTT had provided a timely and better reasoned decision.
Mrs Justice Heather Williams DBE
Chamber President
Nicholas Wikeley
Judge of the Upper Tribunal
Zachary Citron
Judge of the Upper Tribunal
(Approved for issue on) 22 April 2024