In a recent decision, the Upper Tribunal dismissed an appeal by the UK Information Commissioner, finding that Experian’s data processing practices had in fact been lawful.
The appeal focussed on whether Experian had properly discharged its transparency obligations under the GDPR (the Transparency Principle), an issue that has not previously been the subject of detailed judicial consideration in the United Kingdom. The Upper Tribunal undertook a thorough assessment of the Transparency Principle and, in doing so, provided general guidance that will no doubt be of wider benefit to the marketing industry.
It remains to be seen whether the Information Commissioner will challenge the Upper Tribunal’s decision.
Background
Experian is a well-known credit reference agency that holds and processes data pertaining to over 51 million individuals living in the United Kingdom - effectively the whole adult population. Less well known is that a business unit within Experian processes such data in order to provide marketing services to third-party clients. It does so by combining the names and addresses of these individuals with up to 13 actual attributes obtained via various sources, including public sources; such data is then processed to create modelled information on the demographic, social, economic, and behavioural characteristics of these individuals on a predictive basis.
Experian’s website includes a Consumer Information Portal, which sets out the ways in which Experian processes data. The adequacy (or otherwise) of this portal from a transparency perspective was one of the central issues in this case. In relation to data derived from Experian’s credit reference agency business, Experian relies on an Information Notice on its website to notify individuals about its personal data sources and how such data is used. The Information Notice contains hyperlinks to the Consumer Information Portal. The accessibility of this route to the portal was also in dispute.
On 12 October 2020, following a wider investigation into the data broking sector, the Information Commissioner issued Experian with an Enforcement Notice. The Commissioner found that Experian’s data processing practices contravened the GDPR transparency requirements and exceeded what many data subjects would reasonably expect. The Commissioner further required Experian to, among other things, revise its Consumer Information Portal and provide all data subjects with an Article 14 compliant privacy notice.
Experian challenged the Enforcement Notice before the First-tier Tribunal in early 2022, contending that it should be set aside in its entirety. Experian argued that, through the Enforcement Notice, the Information Commissioner was seeking to impose its subjective preferences as if they were legal requirements under the GDPR (these preferences being based on a mischaracterisation of Experian’s business and its impact on privacy), and that if Experian were to comply with the Enforcement Notice, it would be forced to shut down its offline marketing services business. After an extensive delay (over a year following the hearing), the First-tier Tribunal issued a decision in which it allowed the appeal and issued a Supplementary Enforcement Notice; this was the subject of the appeal before the Upper Tribunal.
Guidance on the Transparency Principle
At the heart of the appeal lay the GDPR's Transparency Principle, which mandates that personal data be processed “lawfully, fairly and in a transparent manner” (Article 5(1)(a)). The GDPR places the onus on the controller to demonstrate compliance with the Transparency Principle. The Upper Tribunal also considered the specific obligation under Article 14, which requires controllers to provide certain information to data subjects where the personal data has been obtained otherwise than directly from the data subject (as was the case for Experian).
Before setting out its conclusions, the Upper Tribunal provided helpful guidance on the meaning of the Transparency Principle, summarising that:
- There is an overarching obligation to process personal data in a transparent manner in relation to the data subject (Article 5(1)(a)). Articles 13 and 14 impose specific obligations that are linked to this core principle.
- Compliance with the Transparency Principle is principally achieved by providing information to data subjects about how their personal data is being processed. It is a lynchpin of, or gateway to, the GDPR because data subjects cannot enforce the rights afforded to them without this information.
- The accessibility and comprehensibility of the information is as important as its content (being a reference to the requirements of Article 12).
- Depending on the particular circumstances, the Transparency Principle may require the provision of information that goes beyond the requirements of Articles 13 and 14.
- Where the GDPR is not prescriptive, the answer to what transparency requires will be context specific and underpinned by considerations of proportionality, including:
  - The level of sensitivity of personal data being processed. For example, the level of transparency required when sharing intimate health details will not be the same as people consenting to the processing of data about their preferred supermarket.
  - The degree to which the processing is intrusive and whether the processing falls outside the reasonable expectations of data subjects.
  - The consequence of the processing, including the nature and degree of harm to data subjects that may result.
  - The costs for the controller of taking additional steps to ensure the desired outcomes.
The Appeal
The Information Commissioner advanced five grounds of appeal, including that the First-tier Tribunal had failed to address what the Transparency Principle required as a matter of law and then failed to apply a legally accurate interpretation of the principle to the facts before it. The Commissioner argued that the First-tier Tribunal had focussed on the (benign) consequences to data subjects without taking account of the intrinsic nature of Experian’s processing and the extent to which the processing went beyond the data subjects’ reasonable expectations.
Experian admitted that the First-tier Tribunal’s reasoning could have been expressed more clearly but submitted that it was clear from the content of the First-tier Tribunal’s reasoning that it had taken Article 5(1)(a) into account, despite not referring to the provision in its conclusions.
Having considered the First-tier Tribunal’s decision and drawn the relevant inferences, the Upper Tribunal concluded that the First-tier Tribunal had not erred in law in its application of the Transparency Principle. Whilst the Upper Tribunal accepted that the answer to what transparency requires will be context specific, it noted that transparency is not defined in the GDPR and concluded that it would not have been helpful if the First-tier Tribunal had tried to provide a definition of this concept or put a gloss upon its meaning.
On the specific issue of whether the First-tier Tribunal had regard to the intrinsic nature of Experian’s processing, the Upper Tribunal found that this had been taken into consideration. The First-tier Tribunal had found that the worst outcome of Experian’s processing was that an individual might receive a marketing leaflet that was more aligned to their interests and that Experian’s use of modelled data points was less intrusive than the processing of actual data.
As for the relevance of the reasonable expectations of data subjects, the Upper Tribunal considered that, in line with Article 29 Working Party guidelines on transparency, additional information may need to be provided to individuals where the processing is objectively unexpected. Whilst Experian’s processing had gone beyond the reasonable expectations of data subjects, it found that the First-tier Tribunal had taken the reasonable expectations of data subjects into account when concluding (as it was entitled to do) that the transparency requirements had nonetheless been met.
Takeaway points
The Upper Tribunal’s decision helpfully took the opportunity to provide guidance on the Transparency Principle and reaffirm the centrality of transparency in GDPR compliance.
This decision highlights the importance of providing accessible and comprehensible information to data subjects, whilst also clarifying that transparency requirements are context-specific and must therefore be balanced with considerations of proportionality. Given the ever-evolving nature of the marketing industry, organisations should ensure that they are regularly reviewing their data protection policies in light of their current data processing and data subjects' expectations.