The Information Commissioner v Experian Limited

The context for this appeal is helpfully summarised by the First-tier Tribunal (‘the FTT’) in paragraph 1 of its decision:

The Information Commissioner, having found concerns with the extent and nature of Experian’s data processing in the light of the transparency requirements of the General Data Protection Regulation (“GDPR”), issued Experian with an enforcement notice (“EN”) after a prolonged investigation. Experian appealed to the FTT against the EN. Following hearings in January and February 2022, the FTT allowed Experian’s appeal in large part, in its decision of 20 February 2023. The Information Commissioner now appeals to the Upper Tribunal, permission to appeal having been granted by Upper Tribunal Judge Wikeley on 2 May 2023. The Chamber President subsequently directed that a three-judge panel be convened to determine the appeal as it raises a point of law of special difficulty or an important point of principle.

This appeal is primarily concerned with the principle of transparency, both the overarching duty in Article 5(1)(a) and the detailed obligations in Article 14 GDPR. It is common ground that the provision of transparency in the processing of personal data is foundational to data subjects’ rights. We understand from counsel that the transparency principle has not been the subject of any detailed judicial consideration by the Upper Tribunal or by the appellate courts so far. The Information Commissioner alleges that the FTT’s decision involved multiple errors of law and that it failed to address, or adequately address, a number of relevant issues. Experian contends that the FTT’s decision should be upheld and that the appeal essentially seeks to re-litigate unassailable findings of primary fact and evaluative assessments that were made below.

Our decision is to dismiss the appeal for the reasons that we set out.

The following Table signposts the structure of our decision:

We start our decision by dealing with some matters of terminology.

The following abbreviations are used in this decision:

The following definitions apply in this decision:

The extensive nature of Experian’s data processing, sketched out only very briefly at [1] above, was further summarised by the FTT at [2]-[10] of their decision:

The FTT, in the section of their decision headed “Findings”, recorded several further features of Experian’s data processing activities which were not in dispute and so can be rehearsed here. Thus, “Experian has no direct relationship with the individuals whose data it processes save for those with whom it may also have a direct relationship through ECS” (FTT at [140]). As regards Experian’s data processing products the FTT added:

Experian has created a Consumer Information Portal (“the CIP”) on its website, setting out the ways in which it processes data (https://www.experian.co.uk/cip). The adequacy (or otherwise) of the CIP in terms of its transparency was one of the central issues raised by the Information Commissioner’s EN and so also on the appeal before the FTT.

As the FTT noted at [13], in relation to CRA derived data, Experian relies upon the Credit Reference Agency Information Notice (“the CRAIN”), which is the general note produced by and used by CRAs “which sets out the wide variety of sources used by Experian and the other CRAs to obtain data about individuals and how the data may be used”. The CRAIN contains hyperlinks to the CIP. The third party data suppliers display privacy information on their websites with hyperlinks to the CIP. The accessibility of these routes to the CIP was also a central area of dispute before the FTT.

On 12 October 2020 the Information Commissioner issued Experian with an EN under sections 149(2)(a) and (b) of the DPA 2018. The EN made detailed findings that Experian had contravened, and was still contravening, Articles 5(1)(a), 6 and 14 of the GDPR. The EN imposed a series of requirements on Experian, set out in an Annex, to be completed within either three or nine months. These requirements were organised into five categories. Category A requirements were based on alleged breaches of GDPR Article 5(1)(a) and the obligation to process personal data fairly and transparently. Category B requirements were derived from alleged breaches of GDPR Article 14, while Category C requirements were founded on alleged breaches of GDPR Article 5(1)(a) and Article 6 and the obligation to process personal data lawfully. The Category D and E requirements related to matters where by the time of the FTT the Information Commissioner no longer considered that enforcement action was required, and so they are not discussed further here.

Here we just summarise the main import of those various stipulations – we refer a little later to the full text of the most significant requirements, namely A1, B4-B5 and C6-C8. (The requirements at A2 and C3 are no longer live issues, as we will come on to explain.)

The EN is a detailed and lengthy document – and indeed the FTT’s summary of the EN in their decision runs to six pages – but we will highlight the main features.

In relation to the Category A and Category B requirements, the Information Commissioner considered that the collation of a wide range of personal data about a huge number of data subjects constituted processing on a scale and for detailed analytical purposes which few data subjects would expect and constituted data profiling within the meaning of Article 4(4) GDPR. On that basis, the Information Commissioner considered it was incumbent on Experian to ensure that it was as transparent as possible about the data it was using; where it had been obtained from; and the ways in which it was used. In the Information Commissioner’s view, data subjects were precluded from being able to exercise their GDPR rights without clear detailed and transparent information, provided in a way that a data subject could readily understand. The Information Commissioner considered that the requirement of transparency in Article 5(1)(a) went beyond simple compliance with Article 14 and was context dependent. The Information Commissioner recognised that improvements had been made to the CIP, but considered that even in its most recent version it still failed to achieve the necessary transparency (in the respects summarised by the FTT at [18(a)]-[18(l)] of their decision). In sum, the Information Commissioner concluded that the extensive processing carried out by Experian, coupled with what she characterised as the largely invisible nature of that process (in particular the profiling of data subjects), was intrusive. Although not the most intrusive type of processing, it nonetheless involved the compilation of a wide range of data from public and private sources so as to build a profile of approximately 50 million data subjects, few of whom would expect such processing on a mass scale.

The Information Commissioner accepts that the requirement at A2 of the EN was overturned by the FTT and does not seek to challenge this. Accordingly, we need say no more about that aspect.

As regards the Category C requirements, the Information Commissioner considered that Experian had contravened both Article 5(1)(a) and Article 6(1) GDPR. Experian processed all of the personal data held for direct marketing purposes on the basis of its legitimate interest, but the information provided by third party suppliers was provided on the basis that those third parties data subjects’ data was obtained by consent. However, by the time of closing submissions before the FTT, it was accepted that data was no longer processed on the basis of consent. Thus the requirement at C3 became academic, and we focus on the requirements relating to processing on the basis of legitimate interests. In this respect, the Information Commissioner was not satisfied, in circumstances where a very large amount of personal data was being processed in highly targeted ways and where there were significant issues of non-transparency, that Experian had correctly or properly concluded there was a lawful basis for processing the personal data. The Information Commissioner rejected Experian’s assertion that the processing for profiling was not intrusive of privacy. The Information Commissioner’s case was that little weight could be attached to the supposed benefit of the data subject receiving direct marketing communications that were more appropriate to them and that this was a consequence of processing and profiling which they would not have anticipated. The Information Commissioner considered that it was unlikely that a controller would be able to rely on legitimate interests for intrusive profiling for direct marketing purposes.

As mentioned above, the Annex to the EN then set out the detailed requirements imposed on Experian. The Category A1 requirement, which was required to be met within three months, was framed in the following terms:

The further requirements under Categories B and C were stipulated to be met within a nine month timescale:

We now outline the main features of Experian’s challenge to the EN.

The overarching ground of challenge by Experian in its appeal to the FTT was that the EN was an attempt by the Information Commissioner to impose its subjective preferences as if they were legal requirements under the GDPR, and that those subjective preferences were based on a mischaracterisation of Experian’s business and its impact on individuals’ privacy. The result, it was said, would be that Experian would be compelled to adopt an unworkable, purely consent based, model for offline marketing services and this would, if complied with, force Experian to shut down its offline marketing services business. As such it was argued that the Information Commissioner had applied the law incorrectly and/or reached flawed conclusions on the facts. In sum, it was contended that the requirements of the EN were disproportionate and unfair and the notice should be set aside in its entirety. In support of this overarching challenge Experian advanced five more specific grounds of appeal before the FTT.

Experian’s first ground of appeal was essentially an economic argument, namely that effective and efficient marketing was fundamental to the achievement of a successful marketing consumer economy. In this respect it was argued that Experian’s data processing activities served the interests of data subjects, by ensuring that they received marketing materials which were more likely to be relevant to them, limiting the scope for them to receive irrelevant marketing communications, and in helping to deliver lower prices due to more efficient marketing and competition.

The second ground of appeal was that the Information Commissioner’s assertion that Experian’s processing activities would not be expected by the data subjects and would be likely to cause distress was unevidenced. Furthermore, Experian contended, it was incorrect as it used data from public sources to build statistical models from which attributes could be inferred – it did not process actual data relating to individuals’ behaviour and nor did it track their internet activity.

Experian’s third ground of appeal was that the Information Commissioner had proceeded on the basis of wrong assumptions as to the nature of Experian’s business model (e.g. the false assumption that Experian conducted its business so as to ensure its data processing activities remained invisible).

The fourth ground of appeal before the FTT was that the Information Commissioner’s approach was out of step with the requirements of Article 14 and that it was disproportionate in all the circumstances to require a privacy notice to be sent directly to all data subjects.

Experian’s fifth and final ground of appeal was that the effect of the Information Commissioner’s approach was that its privacy notice would be rendered less and not more meaningful as it would then lack effective, user friendly layering and structuring. Furthermore, it was alleged that Experian and its clients would be hampered in an effort to ensure that financially vulnerable people were not unduly exposed to inappropriate marketing materials. In addition, Experian would need to send communications to data subjects which would be likely to be viewed by them as unnecessary and irritating (if the recipients bothered to read them at all), as well as being environmentally unsound.

The Information Commissioner resisted Experian’s appeal, reiterating her argument that Experian was engaged in invisible processing of personal data on a mass scale. She contended that the lack of transparency involved meant that data subjects’ GDPR rights were rendered less effective, if not wholly ineffective. It was not accepted that compliance with the EN would require Experian to shut down its offline marketing business.  

With regard to the requirements set out in the EN, the Information Commissioner denied she was imposing too high a standard, arguing that Experian’s case failed to recognise that the principal requirement of transparency is a high level obligation and it is the necessary role of the national supervisory authority under the GDPR scheme to form a view on compliance. It was denied that the EN required excessive detail which would diminish transparency nor was it accepted that what was required was too vague. 

We note that by the time of the FTT hearing there was no dispute that the CIP displayed an Article 14 ‘pop-up’ privacy notice containing the requisite information. However, the Information Commissioner contended that the content and layout of the CIP did not comply with the Article 5 transparency requirements, given both the nature of Experian’s data processing and the layering of the CIP’s web pages. The Information Commissioner further submitted that the data subjects’ routes to the CIP via both the CRAIN and the third party suppliers did not comply with Article 14.

The Information Commissioner also maintained that Experian’s approach to the legitimate interests assessment (“LIA”) was deficient in that it had failed to have regard to relevant considerations, in particular the expectations of data subjects, the scale and intrusive nature of its profiling and processing, and the lack of sufficient transparency.

The FTT (Upper Tribunal Judge Rintoul, Tribunal Judge Griffin and Tribunal Member Grimley Evans) heard extensive evidence and submissions over six days (17, 19-21 & 31 January 2022 & 11 February 2022), with the hearing bundles running to several thousands of pages, supplemented by skeleton arguments and closing submissions which in themselves ran to several hundred pages. Experian’s witnesses were Ms Shearman (senior product manager), Mr Bendon (product director), Mr Cresswell (data protection and privacy lead), Mr Grieves (managing director of UK marketing services business) and Mr Parker (economist and expert witness). The Commissioner’s witnesses were Mr Hulme (director of regulatory assurance) and Mr Reynolds (economist and expert witness). After the conclusion of the evidence and at the request of the FTT, the parties provided a Schedule of agreed and disputed facts.

Although the parties made their closing submissions on 11 February 2022, the FTT’s decision was not signed off until just over a year later on 17 February 2023 and promulgated on 20 February 2023. No apology or explanation was evident on the face of the FTT’s decision for this lengthy and most regrettable delay.

As we have indicated, the FTT allowed the appeal in part. The decision itself commenced with a substituted Decision Notice in the form of the SEN. The FTT’s reasons then ran to some 45 pages and 187 paragraphs. The FTT started with an introduction and a review of background matters, focussing on the Information Commissioner’s EN ([1]-[30]). This was followed by a detailed account of Experian’s grounds of appeal ([31]-[46]) and the Information Commissioner’s response ([47]-[55]). The FTT then dealt with the hearing and in particular reviewed the oral evidence tendered on behalf of the parties at some length ([57]-[110]). In the next section, entitled “The Tribunal’s Function”, the FTT included relevant provisions of the DPA 2018, followed by Articles 4-7, 12 and 13-14 of the GDPR ([111]-[129]). The FTT set out their “Findings” at [130]-[171] and then their conclusions in a section headed “Has there been a breach as the Information Commissioner submits?” at [172]-[187].

As well as the bare statutory provisions, the section at [111]-[129] also included some commentary by the FTT, as follows:

Under the heading ‘Findings’ the FTT indicated that they would set out their findings “as to what Experian does with the data it collects”. They began with some observations about the extent to which the data processing aspects of Experian’s business were well-known:

The FTT then returned to the subject of Mr Hulme’s evidence, about which they were highly critical:

The FTT referred to whether Experian’s processing would be surprising to data subjects in the following terms:

The FTT then found that the use of modelled data points was less intrusive than the processing of actual data:

Under the heading “CRA derived data”, the FTT addressed the use made of data subjects’ data as follows:

As regards the CRAIN and then the CIP, the FTT made the following findings:

The following passage contained many of the FTT’s central conclusions (we have omitted the FTT’s citation of the text of Article 14(5) in paragraph [175]):

The FTT then addressed the sub-group of data subjects who had not been provided with either a copy of or a link to Experian’s privacy notice as their data had been taken from public sources, primarily the OER. The parties referred to this sub-group as “the residual cohort” (and the remainder of the data subjects as “the main cohort”). The FTT found that there had been a breach of Article 14 in respect of this cohort, reasoning as follows:

The FTT then referred to the now academic consent issue:

After this the FTT gave a composite indication that:

In concluding, the FTT turned to consider the terms of any EN to be substituted and what steps it should order, bearing in mind the need for any steps to be proportionate:

The FTT’s SEN was accordingly in the following terms:

In his order granting the Information Commissioner permission to appeal, Upper Tribunal Judge Wikeley suspended the effect of the SEN pending the determination of this appeal.

The Information Commissioner advances five grounds of appeal before the Upper Tribunal.

Ground 1 is an overarching transparency ground, alleging that the FTT failed to address what the principle of transparency, enshrined especially in Article 5(1)(a) GDPR, required as a matter of law, and furthermore failed adequately to apply a legally accurate interpretation of that principle to the issues of fact, law and assessment which arose, including failing to take into account the adverse impact on transparency from the way in which Experian processed data. The Commissioner submitted that these overarching errors were manifested in four specific errors, namely: (i) the FTT’s failure to take into account the absolute Article 21(2) GDPR right to object to direct marketing processing; (ii) the apparent assessment that Experian’s transparency obligation could be secured through the use of a series of hyperlinks, an assessment that was unlawfully inconsistent with the legal principle of transparency; (iii) the FTT’s apparent conclusion that individuals do not care about how their personal data is processed by Experian; and (iv) concluding that data subjects would not find Experian’s processing surprising, notwithstanding a finding elsewhere in the FTT’s reasoning that the processing was indeed surprising.

Ground 2 concerns the data subject’s journey to the CIP. Again, both overarching and specific errors are relied upon. As to the former, it is argued that the FTT failed to distinguish and analyse the separate legal issues arising from each of Articles 14(1), (5)(a) and (5)(b) GDPR. This is said to have led to the following specific errors: (i) the FTT failed to make a finding in respect of the Article 14(1) duty; (ii) in consequence, the FTT did not have regard to the significance of Experian’s non-compliance with Article 14(1); (iii) in relation to its apparent application of Article 14(5)(a), the FTT erred in holding that the provision of hyperlinks to privacy information was sufficient to constitute the data subject ‘having’ that information already; (iv) the FTT wholly failed to address the Article 14 position of data subjects whose personal data had been supplied to Experian by third party data suppliers; and (v) had the FTT properly rejected the application of Article 14(5)(a), it would have been bound – consistent with its findings relating to the residual cohort – to refuse to apply Article 14(5)(b) and to find a general breach of Article 14 on the part of Experian.

Ground 3 deals with the content of the CIP. It is said that the FTT erred in law by failing to address the pleaded issue of the compliance of the CIP with Article 5(1)(a) GDPR, or making any findings on the criticisms made in the EN of the CIP’s approach to layering of important privacy information and so its accessibility.

Ground 4 is that the FTT’s approach to the terms of the SEN in respect of the breach of Article 14 that it did find was flawed, because of the errors of law identified in Grounds 1 and/or 2. It was accepted that Ground 4 stood or fell with Grounds 1 and 2.

Ground 5 is that the FTT failed to address the pleaded issue as to the requirement laid on Experian to re-conduct its LIAs, notwithstanding the findings it had made against Experian’s case.

Whilst Mr Pitt-Payne criticised the adequacy of the FTT’s reasoning in developing the grounds of appeal, he submitted that his reasons challenge was secondary to the errors that he foregrounded.

Mr Pitt-Payne confirmed to us during the appeal hearing that he did not challenge any of the following findings made by the FTT: (i) the negative assessment of Mr Hulme’s evidence ([128],[136], [142], [155] and [158] of their decision in particular); (ii) that using modelled data points was less intrusive than processing actual data [145]; (iii) the benefits that resulted from the uses of the data and the conclusion that the worst outcome of Experian’s processing was that an individual was likely to get a marketing leaflet which might align to their interests rather than be irrelevant ([152] and [154]-[160]); (iv) as to the controls that were operated by Experian ([157]); and (v) that it was unlikely that any person suffered damage or distress ([187]). The appeal therefore proceeds on the basis of those findings.

Mr Pitt-Payne did not advance the time that it had taken the FTT to provide their decision as a free-standing ground of appeal, but he submitted that this was relevant to our evaluation of the FTT’s reasoning and it meant that we should approach their reasoning with particular care.

Finally, we record that there was no cross-appeal by Experian in relation to the FTT’s decision insofar as it related to the residual cohort.

This section sets out the legal framework for the issues in this appeal. In so far as the grounds of appeal raise contentious issues of legal interpretation – for example, as to the meaning of ‘has’ in Article 14(5)(a) GDPR – these are addressed when we come to determine the relevant ground of appeal.

The first task of the Upper Tribunal in an appeal such as this is to decide whether the FTT’s decision involved the making of an error on a point of law. The Court of Appeal’s brief summary of the most commonly encountered such legal errors, in R (Iran) v SSHD [2005] EWCA Civ 982, is well known. Also of assistance is the Supreme Court’s recent summary of the correct approach to challenges on appeal to first-instance evaluative judgements in Lifestyle Equities CV v Amazon UK Services Ltd [2024] UKSC 8, handed-down after the hearing of this appeal, but not, we think, making any material change to the law in this area:

“Perversity” challenges (i.e. ones based on a finding of fact by the first-instance tribunal being perverse or one which no reasonable tribunal could have reached on the evidence before it) must also bear in mind the expertise of the first-instance tribunal: as was said by Lloyd Jones LJ (as he then was) in Department for Work and Pensions v Information Commissioner & Zola [2016] EWCA Civ 758 at [34]:

Where, having completed its “first task” as just described, the Upper Tribunal finds that the making of a decision by the FTT did involve the making of an error on a point of law, the Upper Tribunal may (but need not) set aside the FTT decision and, if it does, must either (i) remit the case to the FTT with directions for its reconsideration, or (ii) re-make the decision.

There are many appellate authorities on the adequacy of reasons in a judicial decision. In this chamber of the Upper Tribunal, the principles were summarised in, for example, Oxford Phoenix Innovation Ltd v Information Commissioner & Medicines and Healthcare Regulatory Agency [2018] UKUT 192 (AAC) at [50-54]. At its most succinct, the duty to give reasons was encapsulated at [22] in Re F (Children) [2016] EWCA Civ 546 (one of the authorities cited there), as follows:

As is well-known, the authorities counsel judicial “restraint” when the reasons that a tribunal gives for its decision are being examined. In R (Jones) v FTT (Social Entitlement Chamber) [2013] UKSC 19 at [25] Lord Hope observed that the appellate court should not assume too readily that the tribunal below misdirected itself just because it had not fully set out every step in its reasoning. Similarly, “the concern of the court ought to be substance not semantics”: per Sir James Munby P in Re F (Children) at [23]. Lord Hope said this of an industrial tribunal’s reasoning in Shamoon v Chief Constable of the Royal Ulster Constabulary [2003] UKHL 11 at [59]:

The reasons of the tribunal below must be considered as a whole. Furthermore, the appellate court should not limit itself to what is explicitly shown on the face of the decision; it should also have regard to that which is implicit in the decision. R v Immigration Appeal Tribunal, ex parte Khan [1983] QB 790 (per Lord Lane CJ at page 794) was cited by Floyd LJ in UT (Sri Lanka) v SSHD [2019] EWCA Civ 1095 at [27] as explaining that the issues which a tribunal decides and the basis on which the tribunal reaches its decision may be set out directly or by inference.

The following was said in English v Emery Reimbold & Strick Ltd [2002] 1 WLR 2409 (a classic authority on the adequacy of reasons), on the question of the context in which apparently inadequate reasons of a trial judge are to be read:

Under s149(1) DPA 2018, where the Information Commissioner is satisfied that a person “has failed, or is failing” in one of the ways set out in sub-section (2), the Information Commissioner may give the person a written notice (the EN) which requires the person

The types of “failure” set out in s149(2) include where a controller or processor has failed, or is failing to comply with a provision of Part II or Articles 12 to 22 of UK GDPR.

An EN must state what the person has failed or is failing to do and give the Information Commissioner’s reasons for reaching that opinion: s150(1). Under s150(2), in deciding whether to give an EN in reliance on s149(2), the Information Commissioner must consider whether the failure has caused or is likely to cause any person damage or distress. An EN given in reliance on subsection (2) may only impose requirements which the Commissioner considers appropriate for remedying the failure: s149(6).

Section 163 confers a right of appeal to the FTT on a person who is given an EN. The FTT may review any determination of fact on which the EN was based. If the FTT considers –

As the FTT decision noted in their “chronology”, the GDPR came into force on 25 May 2018. The GDPR remained the data protection regime in the UK until 31 December 2020 (the end of the transitional period that followed the UK leaving the EU); from that point onwards, a modified data protection regime, “UK GDPR”, came into effect. It appeared to be common ground in this appeal that nothing turns on any differences between the GDPR and UK GDPR (in general, the differences between the two are modest); reference in what follows will be to the GDPR, as the regime in force when the EN was issued.

In the words of Article 1, the GDPR “lays down rules relating to the protection of persons with regard to the processing of personal data” (as well as rules relating to the free movement of such data); it also “protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data”.

Personal data is defined in Article 4 to mean “any information relating to an identified or identifiable natural person (‘data subject’)”; and “processing” is defined as “any operation or set of operations which is performed on personal data or on sets of personal data …” (the definition then gives a number of examples).

Chapter II of the GDPR is headed “Principles”, and within this is Article 5, headed “Principles relating to processing of personal data”. Article 5(1)(a) provides that personal data shall be processed “lawfully, fairly and in a transparent manner in relation to the data subject”. Article 5(1) (b) to (f), in high-level summary (in order to give context to Article 5(1)(a)), provide that personal data shall be

Article 5(2) provides that the controller shall be responsible for, and able to demonstrate compliance with, Article 5(1).

Article 6 (also within Chapter II) is headed “Lawfulness of processing”. Article 6(1) provides that processing shall be lawful only if and to the extent that one of (a) to (f), which follow, applies. Article 6(1)(f) provides that processing is lawful if and to the extent it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (in particular where the data subject is a child).

Chapter III of the GDPR is headed “Rights of the data subject”. Within this is Section 1 (headed “Transparency and modalities”), and Article 12, headed “Transparent information, communication and modalities for the exercise of the rights of the data subject.” Article 12(1) provides that the controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject “in a concise, transparent, intelligible and easily accessible form, using clear and plain language …”. Article 12(2) states that the controller shall “facilitate the exercise of data subject rights” under Articles 15 to 22.

Articles 13 and 14, also within Chapter III, are complementary, as can be seen from their headings: “Information to be provided where personal data are collected from the data subject” (Article 13), as against “Information to be provided where personal data have not been obtained from the data subject” (Article 14). Before the FTT and on this appeal the parties were agreed that Article 14, rather than Article 13, was the applicable provision, as Experian did not itself collect the personal data from the data subjects, but obtained them via the three strands described by the FTT at [4] of their decision.

The text of Article 14 (as material) is as follows:

Article 13(1) and (2) require the provision of comparable information to the data subject, albeit the timescale for provision of the information is more rigorous. Both Articles disapply the obligation to provide the data subject with information “where and insofar as” the data subject “already has the information” (Article 13(4) and Article 14(5)(a)). We address the correct interpretation of Article 14(5)(a) when we consider Ground 2. Articles 14(1) and 14(2) are also disapplied where and insofar as the provision of such information proves impossible or would involve a disproportionate effort (Article 14(5)(b)) and in the circumstances identified in Articles 14(5)(c) and 14(5)(d). Experian relies upon Article 14(5)(b), if Article 14(5)(a) does not apply. Article 13(4) provides the only basis for disapplying the Article 13 duties.

Articles 15-18 and 20-22, all within Chapter III, give data subjects specific rights.

One of these provisions, Article 21, is headed “Right to object”. Article 21(2) provides that where personal data are processed for direct marketing purposes, “the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing”. Article 21(3) provides that where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes. (This is in contrast to the right to object in Article 21(1), relating to processing of personal data based on point (e) or (f) of Article 6(1) where, in certain circumstances, the controller does not have to stop processing the personal data after the data subject objects).

As the FTT stated at [118] of their decision, recitals to a directive are an aid to interpretation; but, as was said in R(M) v Chief Constable of Sussex Police [2021] EWCA Civ 42 at [87], “they cannot be treated as if they were operative provisions giving rise to substantive obligations, or be used to create such obligations in the guise of interpretation”. We will set out the recitals which were particularly relied upon by the Information Commissioner as bearing on the obligations of transparency.

Recital (39) states:

Recital (58) states:

Recital (60) states:

Recital (62) includes this:

Recital (70) states:

Proportionality is an overarching principle of EU law; as this is well-known, we were not taken to any particular authorities by the parties, but in essence the principle is that measures adopted by EU institutions must not exceed what is appropriate and necessary for attaining the objective pursued.

Recital (4) to the GDPR states that the right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.

Section 3 of Chapter VII of the GDPR creates a European Data Protection Board (“EDPB”). Article 70 tasks the EDPB with ensuring consistent application of the GDPR, including by issuing guidelines. The GDPR’s references to EDPB have been removed in UK GDPR.

The EDPB’s “Binding Decision 1/2021 on the dispute arising on the draft decision of the Irish Supervisory Authority regarding WhatsApp Ireland under Article 65(1)(a) GDPR” (2 September 2021) considered the inter-relationship between the obligations in Article 5(1)(a) and Articles 12-14 GDPR. The decision is persuasive rather than binding upon us. The EDPB’s analysis including the following:

In Rondon v Lexisnexis Risk Solutions UK Ltd [2021] EWHC 1427 (QB), Collins Rice J stated at [87] that guidelines produced by EDPB “have weight which goes beyond expert commentary on the primary text. They do not constitute law but are an important indicator of whether or not ambiguity genuinely exists and, if it does, the best approach to understanding it. They have to be given commensurate weight”.

The “Article 29 Working Party”, an independent European advisory body equivalent to the EDPB for present purposes, was set up under Article 29 of Directive 95/46/EC (a predecessor of GDPR). Its guidelines on transparency under the GDPR, revised and adopted on 11 April 2018, were to provide “practical guidance and interpretive assistance” on the “new” obligation of transparency concerning the processing of personal data under the GDPR. In this appeal, the Information Commissioner drew attention to the following paragraphs of those guidelines:

In light of the materials we have referred to and drawing the threads together for the purposes of this case, we summarise the “transparency” principle in the GDPR as follows:

The parties were agreed that Article 14(1) and (2) were not satisfied where data subjects received the information set out in Article 14(1) and (2), otherwise than via its direct provision by the controller, for example where part of the information was provided by websites other than Experian’s. Accordingly, we proceed on this basis for the purposes of the appeal, but we express no view on this reading of Article 14(1) and (2), as it was not in contention and we did not hear argument on the point. What was, of course, in contention was whether Article 14(1) and (2) did not apply in this case, because Article 14(5) was satisfied as data subjects already had the information required by Article 14(1) and (2).

Before discussing the grounds of appeal individually, we will provide a short encapsulation of the parties’ overarching submissions i.e. those that seem to us to permeate many, if not all, of the grounds. Counsel’s detailed submissions on the specific grounds will be summarised (insofar as is necessary to explain the reasons for our decision) in our consideration of each of the grounds, below.

In essence, the Information Commissioner argued that the FTT had misapplied the transparency principle in the GDPR, and so had erred in law, materially; whereas Experian argued that the Information Commissioner’s complaints were really with the FTT’s factual findings and evaluative judgements about Experian’s processing, which, on the authorities, could not be disturbed on appeal; and that the FTT had not erred in applying the transparency principle in the GDPR to the facts as it found them.

The “field of battle” as regards the transparency principle in the GDPR was not whether the CIP contained all the information required by Article 14 (it was agreed that by the time of the hearing below it did so, and that the FTT had so found); rather, it was whether that principle was satisfied by

The Information Commissioner argued that the FTT had misapplied the transparency principle by over-focusing on the (benign) consequences to data subjects of Experian’s processing of their personal data; whereas the true focus should have been on the rights and protections afforded to data subjects under the GDPR and the expectations that data subjects would have in this particular context. Transparency in the GDPR, argued the Information Commissioner, is a foundational principle intended to enable data subjects to make their own judgment as to whether or not they consider processing of their personal data is innocuous or objectionable in some manner, and therefore whether they wish to exercise the rights the GDPR provides to them. The Information Commissioner argued that the FTT failed to appreciate or engage with the significance of the overarching Article 5(1)(a) transparency obligation, erred by failing to determine key issues and, in substance, treating Experian’s failures in transparency as being of no account (or to not amount to failures), because of the FTT’s own view as to the innocuous nature of the processing.

Experian, on the other hand, submitted that the FTT’s decision rightly turned on the question of whether Experian’s processing was significantly privacy-intrusive or otherwise likely to be harmful to data subjects in practice. Experian argued that the difficulty for the Information Commissioner in this appeal was that the FTT had not been persuaded of these factual points on the evidence before it. The poor showing of the Information Commissioner’s main witness, Mr Hulme, at the FTT hearing was an essential facet of this.

Experian argued that the effect of processing the personal data affected the strictness of the transparency standard to be applied. The transparency principle is context-dependent and must be applied in a way that is proportionate to the facts of the case. The FTT was required to take the broad, undefined concept of transparency and apply it to the facts of the case before it, doing so in a manner which recognised that the transparency standards set by the GDPR are context-dependent.

Consonant with the Information Commissioner’s position that the FTT had misapplied the transparency principle in the GDPR, the Information Commissioner submitted that the appeal was not, primarily, a “reasons” challenge (i.e. based on inadequacy of reasons in the FTT’s decision), although this was argued in the alternative. On the other hand Experian argued that, at heart, the appeal was a reasons challenge and that the answer to the Information Commissioner’s criticisms of the FTTs decision was that, on the authorities, any perceived gaps in the FTT’s reasoning could, and indeed must, be filled by inference drawn from the decision as a whole. Experian accepted that the FTT decision was not “the most perfectly articulated set of reasons”; and that there were “infelicities” in the reasoning. However, it submitted that the question for the Upper Tribunal is whether, standing back from the detail, it is nonetheless possible to discern the core thrust of the FTT’s reasoning on the core issues. Experian submitted that it was.

Ground 1 of the Information Commissioner’s grounds of appeal is summarised at [50] above. Mr Pitt-Payne submitted that an overarching and pervasive error in the FTT’s approach was their failure to address what Article 5(1)(a) GDPR transparency requires and an allied failure to then apply this to the case before them. He said that the FTT needed to weigh up all the relevant considerations and then identify what transparency required in this context. He emphasised that providing transparency was foundational, as without it a data subject could not make an informed assessment of their rights. Mr Pitt-Payne contended that the FTT’s lack of engagement with Article 5(1)(a) was exemplified by the absence of any explicit reference to this provision (as opposed to Article 14) when the FTT came to set out their conclusions. Mr Pitt-Payne accepted that what transparency required in a particular situation would be informed by the consequences of the processing for the data subjects and confirmed that he did not challenge the FTT’s findings in terms of the absence of harmful consequences, nonetheless he submitted that the FTT had failed to have regard to a further highly relevant aspect, namely the intrinsic nature of Experian’s processing and the extent to which this went beyond data subjects’ reasonable expectations. He submitted that data subjects would not expect to be profiled in the extensive way undertaken by Experian and that in focusing on their finding that the consequences for data subjects were innocuous, the FTT had only had regard to “half the story”.

In terms of the first specific error relied upon, Mr Pitt-Payne submitted that the FTT had ignored the absolute right of a data subject to object to the processing of their personal data for direct marketing purposes conferred by Article 21(2). The existence of this absolute right was an important element in assessing what transparency required in this instance, yet the FTT’s reasoning made no reference to this provision nor to how the information provided to data subjects had addressed this aspect.

As regards the second specific error, Mr Pitt-Payne submitted that a situation where the data subject was required to navigate multiple hyperlinks, provided by different entities, in order to reach Experian’s own transparency information on the CIP was the obverse of transparency and inconsistent with its requirements. He said that the FTT had failed to focus upon the key question; was the user journey good enough in transparency terms.

The third specific error rested on the proposition that the FTT had concluded that the low number of visitors to the CIP reflected the fact that individuals did not care about how their personal data was processed and that, in turn, this was relevant to the question of what the transparency principle required. Mr Pitt-Payne submitted that in this respect the FTT had taken into account a legally irrelevant consideration; transparency requires that data subjects have an informed opportunity to exercise the rights conferred on them by the GDPR, regardless of whether they choose to do so, and any other approach would undermine the fundamental premise of the legislative scheme. Further or alternatively, he contended that the finding that data subjects did not care about how their personal data were processed was unsupported by the evidence and perverse and/or unreasoned.

In terms of the fourth specific error, Mr Pitt-Payne focused on the FTT’s reasoning as to whether data subjects would be surprised by Experian’s processing of their personal data. He said that the reasoning at [142], [165] and [177] of their decision was irrationally inconsistent and that insofar as the FTT found that the data processing was not objectively surprising to data subjects, the finding was wrong in law and/or perverse and/or unreasoned.

Ms Proops contended that the FTT had adequately addressed what the principle of transparency required. Their decision set out the material parts of Articles 5(1), 12 and 14; accurately noted the Information Commissioner’s submission on transparency; and rightly recognised that transparency in the processing of personal data was foundational and that what transparency required was fact-specific and context-related. The FTT then went on to apply that approach to the facts that they had found and it would have been wrong for the FTT to put a gloss on the wording of Article 5(1)(a) by attempting to define what transparency required. Ms Proops pointed out that Mr Pitt-Payne had not been able to identify what it was that the FTT had failed to spell out in terms of the transparency principle. She also submitted that it was apparent from the content of the FTT’s reasoning that it had taken into account Article 5(1)(a), albeit the provision was not referred to in terms when they set out their conclusions. The FTT’s reasoning was compressed, but it showed that they had considered the issue raised by Article 5(1)(a) and had found that the CIP provided the relevant information in an accessible and adequately clear way; and there was no perversity challenge to these findings. Equally, insofar as it was relevant, the FTT had taken into account the data subjects’ reasonable expectations, as the terms of [177] of their decision showed.

Ms Proops characterised the FTT’s finding that the processing was essentially anodyne and their rejection of the Information Commissioner’s case as to its damaging consequences, as leaving the latter’s case “in tatters”. She said that inevitably, and quite properly, this impacted on the way that the FTT approached the issues they had to resolve. Nonetheless, she submitted, the FTT did not simply focus on the lack of harmful impact for the data subjects, as Mr Pitt-Payne suggested; the FTT’s reasoning showed that they had considered the intrinsic nature of the processing, finding that the use of modelled data was less intrusive than if actual data points had been used and making a number of findings about the use that was made of the data and the controls that were operated.

As regards the first alleged specific error, Ms Proops submitted that earlier references to Article 21 opt out rights at [40] and [52] of the FTT’s decision showed that they were aware of this provision and its potential significance. Furthermore, the FTT had considered the CIP as a whole (with the benefit of a detailed presentation of its webpages) and there was a right to opt out button on the first page and on successive pages of the site. Accordingly, the Article 21(2) opt out right must be taken to have been part of the FTT’s contextual assessment that the material was presented in a sufficiently accessible and clear way.

Ms Proops submitted that a concession made by Mr Pitt-Payne during the course of her submissions was fatal to his case on the second alleged error. He had clarified that he did not suggest that a user route consisting of a series of hyperlinks on websites provided by different entities could never satisfy the Article 5(1)(a) transparency principle. Ms Proops submitted that as this was accepted in principle, the question of whether sufficient transparency was achieved by the hyperlinks route in this particular case was a matter for the FTT’s evaluative assessment, and there was no perversity challenge to the conclusions they had reached.

Ms Proops disagreed with Mr Pitt-Payne’s interpretation of the FTT’s reference to most people not caring about their data; the observation at [166] of the decision was simply by way of explaining the low number of visitors to the CIP, the FTT was not suggesting that this was a factor that diluted the extent to which transparency should be provided to data subjects. She also submitted that the Competition and Markets Authority’s (“CMA”) “Online platforms and digital advertising: Market study final report” (1 July 2021) provided the evidential basis for the FTT’s observation.

As regards the fourth specific error, Ms Proops recognised that the FTT’s reasoning could have been expressed more clearly, but she submitted that, read correctly, there was no inconsistency in what the FTT said in the paragraphs that Mr Pitt-Payne had highlighted. Furthermore, whether or not a data subject was surprised by the data processing, or a particular facet of it, was not synonymous with a data subject’s reasonable expectations in relation to the processing and the FTT were right to distinguish between the two. She also submitted that no basis had been shown for the perversity challenge.

In the interests of clarity, we have set out our discussion and our conclusions in a way that reflects the sequencing of the grounds of appeal and the submissions made to us. However, there is a degree of overlap between the Information Commissioner’s grounds, particularly in respect of the various parts of Ground 1 and also as between Grounds 1 and 3.

The logical starting point, when addressing the overarching aspects of Ground 1, is to consider whether we accept Mr Pitt-Payne’s submission that the FTT entirely failed to address the requirement of transparency imposed by Article 5(1)(a) GDPR in reaching their conclusions. The high-point of this submission is the FTT’s statement in [175] of their decision that, “The relevant transparency requirement here is the requirement to provide an article 14 notice...” and the absence of any express reference to Article 5(1)(a) in their conclusions section headed “Has there been a breach as the Information Commissioner submits?”.

We have already explained that Article 5(1)(a) is the source of the overarching transparency principle and that it may require steps to be taken that go beyond the specific requirements of Articles 13-14 ([95] above). The contraventions identified in the Information Commissioner’s EN included Article 5(1)(a) as well as Article 14 ([13]-[18] above). Accordingly, we accept that it was incumbent on the FTT to consider whether the Article 5(1)(a) requirement of transparency had been met in this instance.

However, the absence of express reference to Article 5(1)(a) in the conclusions section of the FTT’s decision is not determinative. As we explained when setting out the applicable legal framework, we need to consider the decision in light of the evidence and submissions that were before the FTT and the inferences that we can properly draw as to the basis upon which they reached the decision that, absent the residual cohort, there were no material contraventions of the GDPR.

In this regard, it is important to appreciate that the parties were agreed that the alleged contravention of Article 5(1)(a) related to the content and layout of the CIP, whereas the alleged contravention of Article 14 concerned the user journey to the CIP ([30] above). We say this because there can be no doubt that the FTT did address the content and layout of the CIP, finding at [177] that “having consider the CIP in detail, that in its current form, as provided to us, it is adequately clear...we consider that the relevant information is sufficiently prominently displayed and accessible to data subjects who want to understand how their data will be processed”. We are not at this stage concerned with the specifics of how the FTT addressed the layering of the website; that is the subject of Ground 3. We are simply focusing upon whether the FTT considered the Article 5(1)(a) transparency principle at all or whether they confined their reasoning and conclusions to Article 14. These passages in [177] indicate that the FTT did consider Article 5(1)(a) in substance and reached conclusions as to whether the content and layout of the CIP met the requirements of transparency.

We are reinforced in this view by the features that we go on to list in this paragraph, which all indicate that the FTT was alive to the significance of Article 5(1)(a) and the transparency principle. Article 5(1)(a) clearly featured in the parties’ written submissions to the FTT. The FTT’s decision included a lengthy summary of the EN and the sub-heading above their summary of the Category A requirements was, “Category A: Fair and Transparent Processing Article 5(1)(a)” and their summary of the Category C requirements was sub-headed, “Category C: Lawful Processing: Article 5(1)(a) and Article 6(1)”. The FTT’s summary of the Information Commissioner’s response to Experian’s grounds of appeal also included reference to Article 5(1)(a), for example at [51] of their decision. When they came to setting out the legal framework, the FTT set out the material parts of Article 5(1) at [116]. In the same paragraph they said that they had also taken into account the various recitals to the GDPR “to which we have been referred as an aid to interpretation”. We understand that these recitals were the same recitals as Mr Pitt-Payne cited to us concerning the principle of transparency (and set out at [84]-[88] above). At [119] of their decision, the FTT accepted the Information Commissioner's submission that the right to transparency in the processing of personal data was foundational. At [121] of their decision the FTT rightly said that the level of transparency required will be fact-specific and context-related. The FTT’s summary of the Information Commissioner's case indicates that they were aware that the argument had not become confined to the user route to the CIP; at [135] the FTT correctly recognised that the core of the Information Commissioner’s submissions was that the processing undertaken by Experian will be surprising to those whose personal data is being processed and that the process was intrusive; and at [164] the FTT noted that the Information Commissioner’s case was that Experian had made “no attempt to identify the information that individuals were likely to find concerning or surprising and did not address its mind to the questions of what steps it should take to ensure the information was promptly located in the CIP”.

Furthermore, whilst our reasoning does not depend on this point, we consider that the FTT’s comment at [175] of their decision to “the relevant transparency requirement here is the requirement to provide an article 14 notice” (which Mr Pitt-Payne emphasised to us) needs to be placed in its context. It was said immediately after the FTT’s reference in [174] to the fourth ground of Experian’s grounds of appeal, which was centred on Article 14 and the alleged disproportionality of providing a privacy notice directly to all data subjects ([26] above).

Undoubtedly the FTT could have structured their conclusions in a clearer way and addressed the transparency requirements of Article 5(1)(a) more explicitly. However, we are not marking an examination paper; the question for us is whether the FTT erred in law in failing to apply the transparency principle in Article 5(1)(a) to the appeal before them. For the reasons that we have identified, we do not consider that this was the case.

Next we turn to Mr Pitt-Payne’s contention that, even if the FTT had Article 5(1)(a) in mind, they failed to identify what the transparency principle required in these circumstances, before arriving at their conclusion.

We do not accept this submission. We have summarised the transparency principle at [95] above, where we have explained that in the areas where the GDPR is non-prescriptive, the answer to what transparency requires will be context specific. As we have already noted, the FTT correctly recognised this at [121] of their decision. Transparency is not defined in the GDPR and it would not have been helpful if the FTT had tried to provide a definition of this concept or put a gloss upon its meaning. Whilst the FTT did not in terms identify a list of relevant, or potentially relevant features, as we did at [95] above, we are satisfied that in practice they adopted the approach that we have outlined. It was somewhat telling that when we asked Mr Pitt-Payne what else the FTT should have said in terms of identifying the transparency standard that they were applying, his answer did not engage with this point, rather his reply reiterated other aspects of the alleged Ground 1 errors, namely that the FTT failed to take into account the nature of the processing, its surprising aspects and the Article 21(2) right to object.

We turn to the approach that the FTT did adopt. They plainly addressed the impact of the processing in some detail at [152]-[160] of their decision, finding that the worst outcome of Experian’s processing was that an individual is likely to get a marketing leaflet that is more aligned to their interests, rather than irrelevant material. Mr Pitt-Payne does not challenge this finding. As we explain in the next paragraph, we consider that the FTT also had regard to the nature of the data and to Experian’s processing.

The FTT were clearly alive to the significance of the nature of the data, as shown by [121] of their decision. Furthermore, the FTT went on to find in terms at [145] that the modelled data points used by Experian were less intrusive than the processing of actual data. In light of this finding, the number of modelled data points used by Experian was not of particular significance. In any event, the FTT were clearly aware of the scale of this and that 370 modelled points were used, as they said this in terms at [144]. In addition the FTT found at [153], and were entitled to take into account, that the Information Commissioner had not properly appreciated the limited extent to which the CRA derived data was used. The FTT also made findings at [157] as to the limited number of attributes derived from the data that were provided to Experian’s clients and, in the same paragraph, as to the controls operated by Experian. None of these findings are challenged or could be challenged before us. Accordingly, we reject the contention that the FTT failed to have regard to the intrinsic nature of Experian’s processing.

Next we turn to the reasonable expectations of the data subjects. We address the extent to which this was a relevant consideration for the FTT. We leave the specific criticism of the FTT’s allegedly inconsistent reasoning in [142], [165] and [177] of their decision until we come to the fourth specific error.

At one point in her oral submissions Ms Proops appeared to be suggesting that the reasonable expectation of the data subjects was not relevant to the question of what transparency required. She sought to draw an analogy with the constituent elements of the tort of misuse of private information, where it is necessary to establish a reasonable expectation of privacy for the duty to be engaged at all, but, if it is, then the second issue is whether that expectation is outweighed by a countervailing interest of the defendant. In so far as this contention was maintained, we reject it. We agree with Mr Pitt-Payne that there is no true analogy here. Showing a reasonable expectation of privacy is a threshold requirement for the existence of the right to privacy in the tort of misuse of private information. By contrast, the rights of data subjects conferred by the GDPR extend to all processing of personal data and are not dependent upon the data subject showing a reasonable expectation of privacy in relation to the processing.

We have set out [10] of the Article 29 Working Party’s guidelines on transparency at [94] above. Where the text says that a central aspect of the transparency principle is that the data subject should not be taken by surprise at a later point about the ways in which their data has been used, it is clearly referring to what a data subject may objectively expect in terms of the use of their data, not to the subjective surprise that might be experienced by a particular individual in a particular situation. Whilst the guidelines do not constitute binding law, we agree with the points made at [10], in particular that this is also an important aspect of the principle of fairness in Article 5(1)(a) GDPR and that transparency may require additional information to be provided where the processing is objectively unexpected in order to achieve the objective in Recital 39 of the GDPR that persons should be made aware of (amongst other things) the risks, safeguards and rights in relation to the processing of personal data. Accordingly, the nature and extent of the information that is to be provided to data subjects in order to comply with the requirements of transparency may be affected by whether and in what respects the processing goes beyond that which they would have reasonably expected in any event.

Turning to the FTT’s reasoning on this aspect (which we discuss in detail in relation to the fourth alleged error), we indicate at this stage that we are satisfied that the FTT did take the reasonable expectations of data subjects into account, as is reflected in the terms of their conclusion at [177].

Before leaving the alleged overarching errors we emphasise that there is no perversity challenge to the FTT’s evaluative assessment at [177] as to the clarity and accessibility of the information in the CIP.

Turning to the first alleged error, we have already accepted that the existence of an Article 21(2) absolute right to object is part of the relevant context in terms of determining what transparency requires in a particular situation ([95] above). As the parties accept that Article 21(2) applied to Experian’s data processing, it was part of the relevant context for the FTT to consider in this case.

In support of his submission that Article 21(2) was not taken into account, Mr Pitt-Payne relied on the fact that this provision was not included in the FTT’s account of the legal framework and it was not mentioned when the FTT set out their conclusions.

However, it is trite law that an appeal tribunal should not infer that the tribunal below failed to have regard to a material provision, submission or piece of evidence simply because they did not refer to it explicitly in their decision. As we have explained, the authorities establish that it is necessary to look at the substance of the decision, read as a whole and to draw appropriate inferences.

The FTT’s references to Article 21 at [40] of their decision when detailing the EN and at [52] when summarising the Information Commissioner’s response to Experian’s grounds of appeal, indicate that they were aware of this right. In addition, the FTT addressed the general right to opt out at [167], concluding that the layout and contents of the CIP did not improperly push data subjects away from exercising that right. In his reply, Mr Pitt-Payne did not take issue with Ms Proops’ description of there being a right to opt out button on the first page of the CIP and on successive pages. As their summary of his evidence makes clear, Mr Bendon provided the FTT with a detailed account of the CIP and a demonstration which took them through its structure from the front page and the introductory video onwards. They also had print outs of each of the webpages. The FTT observed that the CIP was not structured as a single web page or document (with the exception of the Article 14 pop-up privacy notice) but as “a series of connecting web pages or layouts to make it more accessible to readers” ([78]) and that Mr Bendon’s evidence (which the FTT plainly accepted) was that “there are prominent links throughout the CIP through which individuals can choose to opt out of having their data processed by Experian which takes them into a webpage entitled ‘your opt-out options’. There are also links to a ‘help’ page and an FAQs page on each page” ([79]). The FTT then referred to an online survey conducted by Experian in June 2021, in which 90% of respondents indicated that they found it easy to understand the CIP front page, 94% of respondents were able to locate the opt out button from the introductory page and 93% found it easy to understand the opt out information. The FTT commented at [81] that “this is a useful exercise although not definitive”.

In these circumstances, we agree with Ms Proops’ submission that, reading the decision as a whole, the FTT’s conclusion expressed at [177] that the CIP was sufficiently transparent in terms of the clarity and accessibility of the information it displayed, must be taken to have included a consideration of the rights to opt out and the means of doing so via the CIP.

We can deal with the second alleged error shortly. We accept Ms Proops’ argument that given Mr Pitt-Payne (rightly in our view) conceded that a user route consisting of a series of hyperlinks on websites provided by different entities could satisfy the transparency principle, this sub-ground of appeal is untenable. Whether or not the requirements of transparency were met in this particular instance was a matter for the FTT’s evaluative assessment. They reached the conclusions in this regard expressed at [169] and [177] of their decision and these have not been the subject of a perversity challenge. Accordingly, unless the Information Commissioner can establish one of the other alleged errors of law that bear on this conclusion, their finding is unassailable. It was noteworthy that Mr Pitt-Payne’s submissions on this area of the case really amounted to no more than an expression of disagreement with the FTT’s conclusions.

We can also deal with the third alleged error relatively shortly. The key passage in the FTT’s decision appears at [166]. We are satisfied that the FTT’s reference to research data showing that most people do not care about what happens to their data was made in order to address a submission made by the Information Commissioner that the fact that only 130,000 unique IP addresses had visited the CIP, out of the 7 million visitors to Experian’s main website, indicated that the existence of the CIP was not made sufficiently clear to data subjects. Mr Pitt-Payne’s written closing submissions confirm that this was the way that this aspect of the case was put before the FTT. Accordingly, at [166] the FTT were simply saying that the relatively few visitors to the CIP was consistent with the picture revealed by independent research data and was not indicative of a lack of transparency in terms of the existence of and the route to be taken to arrive at the CIP. We are equally clear that the FTT did not rely upon their understanding that most people do not care about what happens to their data in any broader sense and in particular they did not rely on this to dilute or undermine the requirements of transparency. Indeed, at [169] the FTT said in terms that whilst people may choose not to read privacy policies, “The processing must still be fair, lawful and transparent”.

Mr Pitt-Payne’s secondary argument was that there was no evidential basis before the FTT from which they could have concluded that people do not care about what happens to their data. We agree with Ms Proops that, read in context, the “research data” that the FTT had in mind was plainly the CMA’s report ([113] above). In his reply Mr Pitt-Payne submitted that even if this was the “research data” that the FTT had in mind, it did not bear out the statement that people do not care what happens to their data. Counsel took us to various passages in this lengthy report. In summary, what these showed was that research indicated that most people did not access / read privacy policies, as opposed to it indicating that they did not care what happens to their data. Accordingly, the last sentence of the FTT’s [166] was clumsily phrased. However, the point that they were in fact seeking to make, namely that data subjects’ lack of engagement with the CIP does not indicate that it was inaccessible, is borne out by the contents of the CMA’s report.

Lastly in terms of Ground 1, we do not accept that the FTT erred in law in the way that they addressed the reasonable expectations of those whose personal data was used by Experian or that their reasoning displays irrational inconsistency. The first sentence of the FTT’s [142] simply referred to the Information Commissioner’s case. The last sentence indicates that at this stage the FTT had in mind individuals’ subjective reactions to the way in which Experian processed their data. As we have explained when addressing the overarching elements of Ground 1, this is not a relevant contextual consideration. Accordingly, the FTT did not fall into error in finding that this was “not a particularly useful yardstick”. The middle of the paragraph legitimately referred to the FTT’s rejection of Mr Hulme’s evidence in this respect. At [165] of their decision, the FTT correctly drew a distinction between the subjective surprise that some users might experience and their reasonable expectations, noting that it was the latter that was in issue. Thus, in setting out their conclusion at [177] we consider that the FTT was referring to its assessment of those reasonable expectations when they acknowledged that, “the scale of the processing undertaken is very large, and that is something which would be surprising to data subjects as indeed would be the uses to which that data is put”. Read in this way we do not consider that there is significant inconsistency between the passages that Mr Pitt-Payne highlighted, albeit this is another respect in which the FTT’s decision could certainly have been better expressed.

It follows from our analysis that the FTT did proceed on the basis that Experian’s processing went beyond the reasonable expectations of the data subjects, when they assessed whether transparency requirements had been met. Nonetheless they found (as it was open to them to do so) that the transparency requirements were met in this instance.

Furthermore, insofar as there is any tension or inconsistency between [142] and [177] of the FTT’s reasoning (contrary to our primary conclusion), it is evident from the structure of the decision and their reasoning, that it was the latter that informed their conclusion on transparency. Accordingly, the FTT did not find that Experian’s data processing was not objectively surprising to data subjects and thus the perversity complaint falls away.

It therefore follows that we reject each of the alleged errors of law that the Information Commissioner advanced in respect of Ground 1. The FTT’s decision is neither well-structured nor well-reasoned, but for the reasons that we have identified, we are satisfied that applying the approach that the appellate authorities require us to take, there was no error of law in the FTT’s approach to these aspects of transparency. To a significant degree the points made to us by Mr Pitt-Payne were simply an attempt to take issue with the FTT’s evaluative assessments and to re-argue a case that was unsuccessful below. Insofar as Mr Pitt-Payne suggested that we should approach the Ground 1 errors cumulatively, the submission has no traction as we have not accepted that any of the alleged errors were made. However, we confirm that we kept in mind the full picture of the alleged errors when reaching our conclusions in respect of Ground 1.

We have summarised the Information Commissioner’s Ground 2 at [51] above. Mr Pitt-Payne contended that the overarching error was the FTT’s failure to approach Article 14 GDPR in a structured way, distinguishing between the three questions that arose in this case. He said that the FTT should firstly have determined whether Experian had itself provided data subjects with the information required by Article 14(1); and then, upon finding that it had not, the FTT should have addressed in terms whether the ground for disapplying the Article 14(1) duty provided for by Article 14(5)(a) had been established (that data subjects already had the information) and, if this was not the case, whether the Article 14(5)(b) ground for disapplication (disproportionality) applied.

Turning to the specific errors, Mr Pitt-Payne submitted that the only conclusion open to the FTT in relation to Article 14(1) was that Experian had not provided the prescribed information and that it was incumbent on the FTT to state this. The second and linked error, said Mr Pitt-Payne, was that the FTT’s failure to recognise that Article 14(1) had not been complied with infected their consideration of the Article 14(5) issues. The FTT’s starting point should have been that Experian were having to rely upon exceptions to the Article 14(1) duty, which, as such, should be narrowly construed.

Thirdly, Mr Pitt-Payne submitted that the FTT had erred in law in their application of Article 14(5)(a), if, indeed, this was the conclusion that they had reached at [177]. He noted that this conclusion was not expressed in terms of the Article 14(5)(a) criterion, namely whether the data subject “already has the information” and he suggested that this indicated that the FTT had failed to ask themselves the correct question. Furthermore, he contended that the user routes to the CIP, whether via the hyperlinks in the CRAIN on the lenders’ websites or via the links on the websites of the third party suppliers, could not, as a matter of law, amount to the data subjects “having” the prescribed information (which was admittedly contained within the pop-up privacy notice on arrival at the CIP). He said that in these circumstances, whilst a data subject was told what they could do to acquire the prescribed information, unless they in fact followed the links through to the CIP they did not “have” that information for the purposes of Article 14(5)(a).

In terms of the fourth specific error that he relied upon, Mr Pitt-Payne emphasised the absence of any explicit conclusions in respect of data subjects whose data was provided to Experian via third party suppliers; the FTT’s conclusion at [177] was expressed to relate to the CRA data subjects and there was no equivalent reference to those who provided their data via the third party suppliers’ websites. He said that the only potentially material reference to the latter came in [133] of the FTT’s decision and in terms that suggested a finding that such data subjects would not “have” the Article 14 information. There was no equivalent to the FTT’s finding at [161] in respect of the CRAIN providing individuals with an understanding of Experian’s business and links to further material and the third party suppliers route required separate consideration. Mr Pitt-Payne also drew attention to the absence of any explicit reference in the FTT’s conclusions to Requirement C7 of the EN, which was aimed at Experian improving the information provided to data subjects by third party suppliers.

As regards the fifth specific error, Mr Pitt-Payne emphasised that the FTT had not addressed the Article 14(5)(b) disproportionality exception in respect of the main cohort of data subjects. He said that as it was clear from the FTT’s finding that Experian could not rely upon this exception in relation to the residual cohort, it could not have applied to the main cohort either.

Mr Pitt-Payne also submitted that the FTT had failed to provide adequate reasons in respect of the findings that they purported to make in relation to Article 14.

Ms Proops acknowledged that the FTT’s reasoning in relation to Article 14 was suboptimal but she submitted that each of the perceived gaps could and should be filled by the necessary process of considering the decision as a whole (in light of the submissions made to the FTT) and drawing the appropriate inferences.

Ms Proops submitted that the FTT had approached the Article 14 issues correctly. She said that as it was quite clear that Experian did not assert that they had met the Article 14(1) duty it was unnecessary for the FTT to make any finding in this respect. She said that it was equally clear that the FTT had not decided the case involving the main cohort of data subjects on the basis of Article 14(5)(b), as there was no consideration in their reasoning of “disproportionate effort”, as there was when they considered the position of the residual cohort at [178]. Accordingly, she said, although the conclusion at [177] was not explicitly couched in the terms of Article 14(5)(a), Article 14(5)(a) was “the only game in town” and it was tolerably clear that the FTT had found that this provision applied as the data subjects already had the information, in light of the simple to follow and accessible route to the CIP.

Ms Proops contended that there was nothing in the first two specific errors. There was no need for the FTT to make a finding in relation to Article 14(1) and not doing so did not impact upon how the FTT approached Article 14(5). Whether the data subjects already “had” the prescribed information or not was simply a binary question, to which no question of a broad or narrow construction arose.

As regards the third specific error, Ms Proops responded that the question of whether the data subject already “has” the prescribed information involved a straightforward, commonsense application of these words. She submitted that the FTT were entitled to find that as data subjects had the opportunity to click on the relevant hyperlinks to take them to the CIP, they “had” the information. Ms Proops reminded us of the concession that Mr Pitt-Payne had made that it was possible for transparency requirements to be met by a series of hyperlinks ([112] above). She said that it was a question of fact for the FTT, who had resolved it in Experian’s favour, finding that an effective delivery mechanism for the information had been employed after weighing up the relevant matters, in particular the accessibility and clarity of the route to the CIP. Whilst the Information Commissioner disagreed with the FTT, there was no perversity challenge to the FTT’s conclusions at [161], [169] or [177] and their evaluative assessment was unassailable.

In terms of the fourth specific error, Ms Proops acknowledged that the FTT did not expressly address the route from the third party suppliers’ websites to the CIP. However, she submitted that it was evident from their stated reasoning, that the FTT had concluded that the hyperlinks route to the CIP from third party suppliers meant that these data subjects also already “had” the prescribed information. She said their finding to this effect was included in the conclusion at [181] in circumstances where it necessarily followed that the FTT’s assessment in respect of the CRA side of things also applied to the third party suppliers route, not least because the latter would involve one hyperlink rather than two (a link on the third party supplier’s website to the CIP, as opposed to a link on the lender’s website to the CRAIN and, in turn, a link to the CIP). Ms Proops said that it was inconceivable that the FTT had simply forgotten about the position in relation to third party suppliers, when it was apparent from the parties’ submissions that this was in issue and the findings of fact showed that the FTT were aware that a substantial amount of data subjects’ personal data was drawn from the third party suppliers. She submitted that the inference we were bound to draw was that after finding that the more indirect CRAIN route met Article 14(5)(a), the FTT considered that it followed that the same conclusion applied to the third party suppliers.

Ms Proops also contended that the FTT had not erred in relation to Article 14(5)(b); it did not arise in relation to the main cohort of data subjects as the FTT had already lawfully held that the Article 14(5)(a) exception applied.

The FTT’s decision could have been much clearer in terms of their approach to Article 14 GDPR. Nonetheless, we are satisfied that the FTT did identify and analyse the issues that they needed to consider in respect of the Article.

It is clear from the contents of [175] of their decision that the FTT directed their minds to whether the requirements of Article 14 had been met. It is also apparent that the FTT had the provisions of Article 14 well in mind. Article 14 was set out in full at [116] of their decision and the terms of Article 14(5) were set out again at [175].

We agree with Ms Proops that there was no need for the FTT to set out a finding that Article 14(1) had not been complied with, as it was no part of Experian’s appeal against the EN to suggest that it had. Experian simply relied upon the Article 14(5) exceptions. This is clear from Experian’s grounds of appeal. Requirements B4-B5 of the EN were addressed at [38]-[39] of that document. Experian asserted that there had been no failure to comply with Article 14 given that: (i) “to a very large extent, Experian has already effectively ensured that the affected data subjects have the relevant transparency information, such that the Article 14(1) duty to provide a privacy notice direct to the data subject is disapplied pursuant to Article 14(5)(a) GDPR”; and/or (ii) providing a direct notification to data subjects who had not obtained the information would entail a disproportionate effort, so that Article 14(5)(b) applied. Furthermore, it is clear that the FTT appreciated that the issues they had to decide concerned the Article 14(5) exceptions. After referring in general terms to Article 14 at [175], the FTT observed that the GDPR was “clear about the limited circumstances in which the requirement to give an article 14 notice may be avoided. These are set out in paragraph 5 of article 14”. They then repeated the terms of Article 14(5). There was never any question of Article 14(5)(c) or (d) applying. Accordingly, the FTT’s conclusions that followed were, in Article 14 terms, plainly focused on Article 14(5)(a) and/or (b).

In turn, it is readily apparent that the conclusions expressed by the FTT at [177] partly concerned the accessibility of the route to the CIP for the CRA data subjects. In light of the issues before the FTT, the clear and appropriate inference to draw is that this conclusion was addressed to the applicability of Article 14(5)(a) and to whether the data subjects already “had” the information. We agree with Ms Proops that in the circumstances Article 14(5)(a) is the only realistic candidate. Furthermore, there is no reference to “disproportionate effort” or anything else that would suggest that the FTT were in fact addressing the Article 14(5)(b) exception, rather than Article 14(5)(a), in relation to the main cohort.

Our analysis is reinforced by the way that the FTT then addressed the residual cohort. If there was any question of Article 14(1) having been complied with, it would have been necessary for the FTT to have considered this before finding a contravention of Article 14 in relation to those data subjects. However, the FTT moved straight to the Article 14(5) exceptions, in this instance (and in contrast to its approach to the main cohort), addressing at [178] whether Article 14(5)(b) applied. As the residual cohort were those data subjects who had not received any notice of the data processing, plainly Article 14(5)(a) could not apply to them.

There is nothing in Mr Pitt-Payne’s first complaint. It was unnecessary for the FTT to find or record that Article 14(1) had not been complied with; as we have explained, the appeal before them proceeded on the basis that it had not.

We also reject the second alleged error. The FTT were plainly aware that Article 14(5) provided “limited circumstances” ([175]) in which the Article 14(1) requirement could be avoided. Furthermore, when addressing the residual cohort at [178] the FTT observed in terms that the main Article 14 duty, “cannot be easily avoided, so that ‘disproportionate effect’ is to be construed narrowly”. Accordingly, the FTT were plainly aware that Article 14(5)(a) also provided an exception to the primary duty, which it was incumbent on Experian to establish. It was logical for the FTT to highlight the importance of adopting a narrow construction when they came to consider “disproportionate effect” (rather than when they addressed Article 14(5)(a)) as there was an issue between the parties as to whether the business expense for Experian of directly notifying all of the residual cohort could amount to this.

The first question that we need to determine in relation to the third alleged error is the correct approach to “already has” in Article 14(5)(a). Whether or not the data subject “has” the prescribed information is not a concept that is further defined in the GDPR and, as far as we are aware, there is no earlier authority that has considered this. We emphasise that, as we have explained at [96] above, we approach this issue on the basis of the parties’ agreed position that Article 14(1) is not satisfied where data subjects receive the information specified in Article 14(1) and (2) otherwise than by direct provision from the data controller, in this instance, in part via websites other than Experian’s (which, in due course, via hyperlinks, could lead them to the CIP). We emphasise this because it might otherwise be thought to be a rather strained use of the concept of the data subject “already” having the prescribed information, for it to cover a situation where the prescribed information is partially imparted by the controller itself via Experian’s CIP at the end of the user’s route. However, Mr Pitt-Payne did not take issue with the applicability of Article 14(5)(a) on this basis; as we have already summarised, his position was that this exception did not apply because the ability to receive the information via a trail of hyperlinks did not amount to the data subjects “having” the information.

Mr Pitt-Payne accepted that “having” the information was not confined to a situation where a data subject actually read the relevant material. He agreed that if a data subject received a privacy notice in the post which they chose not to read, they plainly “had” that information. Importantly for present purposes, he also agreed that those data subjects who did click on the hyperlinks on the external websites and thereby arrived at the CIP “had” the prescribed information, whether or not they chose to read the pop-up notice or other information contained on the website. We agree with these concessions. It would be quite unrealistic to suggest that a data subject only “had” the prescribed information if they elected to consider it, or only “had” it if they were in physical possession of a hard copy. The latter is consistent with Recital 58 to the GDPR ([85] above) which expressly recognises that information addressed to the data subject may be provided in electronic form in appropriate situations. This is also recognised in the Article 29 Working Party guidelines, for example at [11], [35] and [36] ([94] above), which specifically address the provision of information to data subjects in a digital environment (and which we consider further in relation to Ground 3, below).

However, once it is rightly accepted that the Article 14(5)(a) requirement may be met by the provision of the prescribed information in an electronic form including on a website accessed via a hyperlink, it seems to us that it is a question of fact and degree, rather than a matter of rigid principle, as to whether the ability to access the relevant information via a hyperlink or series of hyperlinks satisfies the Article 14(5)(a) exception. Both counsel suggested to us that “has” was an ordinary word that it was not helpful to try and define further. We agree. We conclude that whether the data subject already “has” the prescribed information is a question of fact, which is to be answered by reference to the specific circumstances, particularly the accessibility and the clarity of the information, and bearing in mind the underpinning principle of transparency which we have already discussed at [95] above. We consider it less likely that the nature of the processing or its likely impact will bear directly on this question, but we do not rule that out. We consider that the approach we have outlined is in keeping with the GDPR Recitals and the passages in the Article 29 Working Party guidelines on transparency which we have already set out.

In his reply, Mr Pitt-Payne suggested that if the Article 14(5)(a) exception was broad enough to accommodate the present case, it would be sufficient for an external website to simply state that data subjects’ personal data was shared with Experian and to provide no website address for the CIP, hyperlink to it or other information on how to access it. We do not agree that this follows from the approach to Article 14(5)(a) that we have identified. We emphasise that we are not deciding that the Article 14(5)(a) exception will be established in every instance in which data subjects are given some means of arriving at the prescribed information, even if research or inquiry on their part is involved. To the contrary, we have indicated that it will always be a question of fact and degree as to whether or not the data subject already “has” the prescribed information.

We turn to the conclusions reached by the FTT. We regard the following findings as significant. At [161] the FTT found that the CRAIN provided individuals with an understanding of Experian’s business and links to further material. At [162] they noted that the route to the CIP would be facilitated by hyperlinks and the reasonable data subject would be familiar with hyperlinks and how to follow them. At [169] the FTT found that there was “a sufficiently easy to follow trail through hyperlinks to the CIP from the privacy notices which enables people who are concerned about their privacy to follow that route to learn more”. Then in their conclusions section at [177] the FTT found that the processing was sufficiently transparent in respect of CRA derived data in the context of privacy notices served on data subjects who provided their data to lenders. The FTT’s assessment was that, “The hyperlinks and websites are simple to follow, and we find, having considered the CIP in detail, that in its current form ... it is adequately clear”; and that the relevant information on the CIP was “accessible to data subjects who want to understand how their data will be processed”.

We have already explained when addressing the alleged overarching error, that whilst the FTT did not use the language of Article 14(5)(a) in setting out their conclusion, we are satisfied that the FTT’s assessment at [177], read in the context that we have identified, was a conclusion that the Article 14(5)(a) exception applied. Given the “fact and degree” approach to Article 14(5)(a) that we have endorsed, we do not consider that the FTT erred in principle in reaching this conclusion. This was a conclusion that was open to them and it appears that relevant matters, particularly accessibility and clarity, were taken into account. There is no perversity challenge mounted to any of the findings that we have referred to in our preceding paragraph and no apparent gap in the FTT’s logic. Accordingly, there is no recognised basis upon which Mr Pitt-Payne can disturb the FTT’s assessment. A significant portion of his oral submissions expressed disagreement with this assessment and appeared to be directed towards persuading us that we should arrive at a different conclusion, but this is not a situation in which it would be appropriate for us to re-take the evaluative assessment arrived at by the FTT. Indeed, it would be particularly inappropriate for us to do so in circumstances where the evidence heard by the FTT included a detailed presentation relating to the hyperlinks from the external websites and the contents of the CIP.

The fourth alleged error caused us some anxiety. In setting out their findings at [161], [162] and [177], the FTT referred in terms to data subjects whose data was supplied via its CRA business and who were provided with a link to the CIP via the CRAIN. By contrast, the FTT did not refer to those data subjects whose personal data was provided to Experian by third party suppliers when it addressed the route to the CIP and the applicability of Article 14(5)(a). Moreover, the terms of [170]-[171] and [180] of their decision might suggest that the FTT thought that issues involving data supplied by the third parties had become entirely academic, as opposed to the issue of consent based processing raised by the EN’s Requirement C3 becoming academic (as we explained at [18] above).

However, ultimately we are persuaded by Ms Proops’ submissions that it is inconceivable in the circumstances that the FTT could have entirely overlooked this central issue. We infer that the FTT’s composite indication at [181] that they “did not find that there has been any other material contravention” included their assessment as to the accessibility of the user route from the third party suppliers’ websites, indicated in a very compressed way in light of the conclusion that they had already set out at [177] in respect of the CRA data subjects. We explain our reasoning in the paragraphs that follow.

The FTT were plainly aware that a substantial amount of the personal data processed by Experian was derived from third party suppliers; the FTT referred to this at [4], [8] and [148] of their decision, including noting that data was collected by some 148 third party websites and that the information held on ChannelView was predominantly provided to Experian by third party data suppliers. Equally, the FTT would have been aware that Requirements B4 and B5 of the EN did not distinguish between data subjects whose personal data was supplied via the CRA and those whose data was provided to Experian from the third parties. Accordingly, on the face of it, the Article 14 issues applied equally to both of these groups of data subjects.

Furthermore, there was nothing in the parties’ submissions before the FTT that suggested that the Article 14 issues had narrowed to exclude the latter group of data subjects from their consideration. This is confirmed by the parties’ closing submissions. The Information Commissioner’s written closing submissions noted at [50]-[51] that Experian relied upon Article 14(5)(a) in respect of (amongst other groups) the notices provided to data subjects by third party suppliers. The evidence relating to the information provided by third party suppliers to data subjects was then addressed in more detail at [51(2)]. At [53] and [54] it was said in terms that the Commissioner did not accept that any of the mechanisms discussed in [52] satisfied the requirements of Article 14(5)(a). Accordingly, this included the user route to the CIP from the third party suppliers’ websites. Additionally, the contents of [6(6)], [6(6)(b)] and [123(3)] of Experian’s written closing submissions confirmed that Experian continued to rely upon the Article 14(5)(a) exception in respect of those whose data was obtained by the third party websites.

We have also considered the Schedule of agreed and disputed facts. The provision of data by third party suppliers was referred to at points 3.9, 3.21, 3.25 and 3.27. In addition, point 6.19 referred to Experian’s contention that 90% of individuals had been notified of Experian’s processing of their data via the links to the CRAIN, the third party supplier information which linked to the CIP or ECS privacy information that linked to the CIP. Points 7.1 and 7.2 referred to Experian’s position that third party suppliers clearly explained to individuals who signed up, that their data would be provided to Experian for processing and provided them with a link to the CIP. We note that the Information Commissioner’s response included the observation that the evidence before the FTT had covered examples of the information provided by the third party suppliers, rather than comprehensive evidence regarding the information given to all 17 million individuals whose data was derived from these sources, but the Commissioner “does not suggest that these examples are atypical”. It appears from the Commissioner’s written closing submissions that the examples that had been provided in evidence related to four of the 148 third party suppliers.

This material all supports the proposition that the FTT would have been aware that the Article 14(5)(a) issue included the data subjects whose personal data had been provided to Experian by the third party suppliers.

We have also considered [133] of the FTT’s decision. Its terms further confirm that the FTT were aware that data was supplied to Experian from the 17 million individuals who had interacted with the relevant third party websites. Mr Pitt-Payne suggested that the FTT’s observations tended to show that they were not satisfied that the Article 14(5)(a) criterion was met in respect of these data subjects. However, we do not read [133] in that way. At this stage of the decision the FTT were not addressing the Article 14 exceptions, rather the FTT were responding to a suggestion that Experian’s data processing business was well-known to the 17 million individuals who had interacted with the third party websites. In this regard the FTT indicated that they did not accept that the reference to the Experian privacy notice on the third party websites was “good evidence that that number of people will be aware of EMS”. As the FTT were plainly referring to the (lack of) actual awareness on the part of data subjects at this stage, this observation was entirely consistent with their later remarks at [166] and [168] regarding the limited attention that people gave to privacy notices. (Indeed, it appears that their reference in [133] to “the other evidence, on which Experian relies” is a reference to the research material that the FTT had in mind in these later paragraphs.). In any event, it is clear that at [133] the FTT were not addressing the accessibility or clarity of the user route to the CIP or the CIP itself. In contrast to the point that the FTT were addressing at [133], we have already explained when addressing the third alleged error, that “having” the prescribed information for Article 14(5)(a) purposes does not require the data subject to have actually read it.

We accept that the FTT’s finding at [177] also in effect determined the position in relation to Article 14(5)(a) for those individuals whose data was provided by the third party suppliers. Given that their route to the CIP involved clicking on only one hyperlink from the third party website to the CIP, as opposed to the CRA route via the CRAIN involving the data subject clicking on two hyperlinks to arrive at the CIP, it would have been very surprising indeed if the FTT had arrived at the opposite conclusion as to the applicability of the Article 14(5)(a) exception in relation to this group of data subjects. Furthermore, the FTT’s observations about users’ familiarity with hyperlinks and ability to follow them at [162] would have applied equally to the third party situation; and, on their face, their findings at [163] – [169] in respect of the CIP applied equally to this group of data subjects, including that, “there is a sufficiently easy trail to follow through hyperlinks to the CIP from the privacy notices which enables people who are concerned about their privacy to follow that route to learn more”. In the circumstances we see no reason to differentiate in terms of the data subjects’ respective routes to the CIP between the FTT’s assessment at [177], explicitly stated to be in respect of the CRA derived data, and the position of those whose data was supplied by the third parties.

Mr Pitt-Payne suggested two specific reasons as to why the positions of these two groups was not materially analogous. We were unpersuaded by these points. Firstly, he submitted that the position was distinct as the data subjects’ personal data obtained from the third party websites was prospectable, whereas the CRA derived data was non-prospectable. However, as we have indicated at [165] above, the question of whether the data subject “already has” the prescribed information in the present kind of context is likely to turn on questions of accessibility and clarity, rather than on the extent to which the processing itself is intrusive. Accordingly, we do not consider that this distinction gives rise to a material difference.

Secondly, Mr Pitt-Payne submitted that not all of the third party websites displayed the Experian related information in the same way. Ms Proops showed us the Gardener’s Club example, where the reference to Experian and the hyperlink to the CIP appeared clearly on the first sign-up page of the website. In his reply, Mr Pitt-Payne said that this was not the universal position and referred us to the “MyOffers” site where the reference to Experian and the hyperlink were not on the signing-up page. However, in light of the relatively global way in which the parties had approached the evidence regarding the third party websites (as illustrated by the Schedule of agreed and disputed facts) and the fact that they were all one click away from the CIP, we consider that the FTT were entitled to arrive at an overall conclusion in respect of the third party websites route, rather than setting out an individualised assessment in relation to particular websites.

We can swiftly dispose of the fifth alleged error. As the FTT had found that the Article 14(5)(a) exception applied in respect of the main cohort, there was no need for it to address Article 14(5)(b) in relation to this group of data subjects.

For the reasons that we have set out above, we reject each of the alleged errors that were advanced as part of the Information Commissioner's Ground 2. In the course of doing so, we have also addressed the secondary basis upon which Mr Pitt-Payne put his case, namely that the FTT’s decision was inadequately reasoned. As we have explained, we have had to undertake a significant amount of inferential work, but, having done so, we are satisfied that the FTT’s reasons were not so inadequate as to amount to an error of law.

As we have not found that the FTT erred in law in relation to Ground 2, it is unnecessary for us to address Ms Proops’ fallback position in any detail. She submitted that any error of law in the FTT’s approach to Article 14 would be academic as it was apparent from the FTT’s findings at [184] that even if they had found that there was a contravention of Article 14, they would also have found that the Information Commissioner should not have exercised her discretion to issue the EN. In the circumstances it will suffice for us to indicate that if we had allowed the appeal in relation to all or part of Ground 2, it is unlikely that we would have been persuaded by this submission. This part of the FTT’s decision was primarily focused upon the terms of a SEN in respect of the residual cohort (where a contravention had been found) and insofar as [184] addressed the position of the main cohort, it did so briefly and on a hypothetical basis (no contravention of Article 14 having been found) and the FTT’s observations were clearly obiter dicta.

There appeared to be a significant degree of overlap between the Information Commissioner’s submissions on Ground 1 and Ground 3. In this section of our decision we only summarise and address those matters that we have not already covered when we considered Ground 1. Mr Pitt-Payne submitted that the FTT had failed to address the Commissioner’s specific criticism that the most striking and/or surprising features of Experian’s processing were not covered in the first levels of the CIP that would be reached when a data subject navigated to the website. He said that the first layer of the CIP focused on explaining why Experian’s processing was beneficial, rather than on what the processing actually entailed. He contended that the CIP failed to reflect the approach identified in the Article 29 Working Party’s guidelines on transparency in terms of layering and giving prominence to information that was relevant to the reasonable expectations of data subjects. He said that it was incumbent on the FTT to resolve this issue as it was clearly raised by Requirement A1 of the EN and maintained during the hearing, including in the Commissioner’s written closing submissions.

Ms Proops submitted that [164] of the FTT’s decision showed that they had fully appreciated this aspect of the Commissioner’s case and, further, that it was apparent that they had addressed this in their findings at [177]. Accordingly, Mr Pitt-Payne was incorrect in contending that no conclusion had been reached on this issue and in the circumstances he had shown no permissible basis for interfering with the FTT’s assessment.

We have already concluded that the FTT took proper account of the Article 5(1)(a) transparency principle when we addressed the alleged overarching errors raised under Ground 1. The remaining complaint under Ground 3 is a narrower one, namely that the FTT did not have regard to or determine the Information Commissioner’s concerns as to the layering of the information provided on the CIP. For the reasons set out below we reject this proposition.

The FTT was clearly alive to the Information Commissioner’s case in this respect. They summarised this aspect of the EN at [18] of their decision. At [164] they correctly encapsulated her case as follows, “Experian made no attempt to identify the information that individuals were likely to find concerning or surprising and did not address its mind to the questions of what steps it should take to ensure the information was promptly located in the CIP”.

As we have already noted, the FTT were given a demonstration of the CIP’s pages ([135] above). They also referred to this at [163] of their decision, saying “We were taken at length through the consumer information portal”. Accordingly, the FTT were well-positioned to make an assessment as to the accessibility of information within the CIP and as to whether sufficient prominence was accorded to information that was of importance for data subjects. At [177] they concluded that the CIP was “adequately clear” and that “the relevant information is sufficiently prominently displayed and accessible to data subjects who want to understand how their data will be processed”. Mr Pitt-Payne suggested that their reference to “relevant information” was a reference to the information referred to in Article 14(1) and (2). However, it is clear to us that the reference to “relevant information” was a reference to the immediately preceding sentence in [177] where the FTT had accepted that the very large scale of the processing and the use of the data would be surprising to data subjects. Accordingly, the FTT found that information pertaining to the nature of the processing was “sufficiently prominently displayed” and in so finding they took account of their assessment that the scale of the processing and use of the data went beyond data subjects’ reasonable expectations.

In the circumstances it is inaccurate to suggest that the FTT did not address this aspect of the Information Commissioner’s case. It is true that they did so in a relatively compressed way, but no proper basis has been shown for overturning this evaluative assessment, which the FTT were well-placed to make. As Ms Proops suggested, the articulation of a concise conclusion on this point should be seen in its context, namely the FTT were setting out their overall impression after having had the relevant webpages demonstrated to them.

Mr Pitt-Payne emphasised those parts of the Article 29 Working Party’s guidelines on transparency that are concerned with the provision of accessible information in the digital context, particularly [11], [35] and [36] ([94] above). Amongst other points, these passages address layering, including recommending information to include in the first layer. There is nothing to suggest that the FTT were unaware of the guidelines; they were cited to them and they referred to another part of the guidelines when they were considering the residual cohort at [178] of their decision. We are satisfied that the FTT were mindful of these matters; they commented on the advantages and disadvantages of layering at [165] of their decision. However, these paragraphs of the guidelines do not lay down rules of law; it was for the FTT to make their own evaluative assessment as to whether information about Experian’s processing was sufficiently prominently displayed on the CIP; they did so and they found that it was.

We have summarised this ground at [53] above. As we have rejected Grounds 1 and 2 it does not arise.

Mr Pitt-Payne contended that there was a complete failure on the part of the FTT to address Requirement C6 of the EN, which required Experian to cease processing any personal data where the LIA could not be said to favour the interests of Experian having regard to the transparency of the processing and the intrusive nature of the profiling. He said that this was clearly a live issue for the FTT to resolve. Experian’s grounds of appeal disputed the C6 Requirement, asserting that no basis had been shown for it to amend its current LIAs. The Commissioner defended the requirement and it remained in dispute before the FTT, as shown by [88]-[92] of the Commissioner’s written closing submissions. Mr Pitt-Payne submitted that the FTT had failed to make any express findings in respect of this issue and we could not be confident that it was addressed in the FTT’s global indication at [181] of their decision. Further, as the FTT had found a contravention in respect of the residual cohort, it was apparent that the LIAs required some re-assessment, as the FTT should have appreciated if they had engaged with the LIAs.

Alternatively, if the FTT were to be taken to have reached a conclusion on this aspect of the case in [181] of their decision, Mr Pitt-Payne submitted that they had failed to provide any or any adequate reasons for their conclusion.

Ms Proops emphasised that the EN’s criticisms of Experian’s existing LIAs were based on the proposition that they failed to take into account the harmful and intrusive nature of the processing. Accordingly, as the FTT had rejected the Information Commissioner’s case on these matters, it was evident that there was no basis for Requirement C6 and, in the circumstances, it could clearly be inferred that their conclusion on this aspect was included within the FTT’s indication at [181] that they did not find that there had been any other material contravention.

We agree that this aspect of the case was a live issue before the FTT for the reasons that Mr Pitt-Payne identified.

However, it is apparent from the terms of the EN (which we have summarised in this respect at [18] above) that the Information Commissioner’s case that the LIAs should be re-assessed rested on the propositions that Experian’s processing was intrusive, non-transparent and harmful. As we have already explained the FTT rejected each of these propositions. There is no challenge to their conclusion in terms of the relatively innocuous nature of the processing and we have dismissed the grounds of appeal that challenge the FTT’s findings on intrusiveness and on transparency.

Accordingly, it follows that the FTT’s decision did contain a reasoned rejection of the Information Commissioner’s case. Whilst it would have been clearer, and thus desirable, for the FTT to have spelt out expressly that given these findings they did not uphold Requirement C6, we consider that it can clearly be inferred that this conclusion was part of their statement at [181] that they had found no other material contravention.

We do not consider that we are assisted by the discrete issues that arose in relation to the residual cohort. The conclusions reached in relation to the residual cohort and the terms of the SEN are not in issue on this appeal (and Experian indicated through Ms Proops that they are willing to agree to a requirement to re-visit the LIAs in so far as they concern this group of data subjects). For present purposes, we are satisfied that the FTT engaged with the question and their reasons make it tolerably clear why the Information Commissioner was unsuccessful in relation to this part of her case as regards the main cohort of data subjects.

For the reasons that we have set out above, the Information Commissioner’s appeal is dismissed.

We conclude by thanking counsel for the considerable assistance that they provided to us and by observing that, having reviewed the relevant material, it appears to us that many of the points raised in this appeal could have been avoided if the FTT had provided a timely and better reasoned decision.