On 20 February 2023, the First Tier Tribunal (“FTT”) ruled on Experian’s appeal of the Information Commissioner’s enforcement notice, imposed back in October 2020. Although the FTT’s findings are not binding precedent – and the current Information Commissioner has announced that there will be a further appeal to the Upper Tribunal – the judgment prompts various reflections for privacy professionals: on UK GDPR transparency requirements, on the FTT’s willingness to take business interests into account, and on the ICO’s ability to take meaningful enforcement action.

The background to the appeal

The Information Commissioner’s enforcement against Experian followed a lengthy investigation into the actions of the three largest credit reference agencies (CRAs) in the UK, focussing on CRAs’ collection and reuse of data within their various postal direct marketing products. Although the ICO produced a general report into the practices of “data brokers”, the Commissioner only took formal enforcement action against Experian. The Commissioner’s enforcement notice, still available on the ICO’s website, explained that Experian had erred:

  • in its failure to provide an adequate notice to all data subjects, and any notice at all to a sizeable number whose information Experian had received indirectly;
  • in reusing data collected for credit referencing purposes for certain additional purposes, including the screening out of individuals where there were affordability concerns;
  • in relying on legitimate interests where it was carrying out “surprising” and “intrusive” processing;
  • in relying on legitimate interests where the original lawful basis of a supplier was consent; and
  • in failing to do sufficient due diligence on its suppliers.

For a more detailed analysis of the original enforcement notice, please see our article from November 2020.

Experian appealed against the Information Commissioner’s findings, and argued that the notice should be set aside in its entirety. Experian’s grounds of appeal, summarised in paragraphs 31 to 46 of the FTT judgment, set out its belief that the Commissioner had sought to impose her “subjective preferences” as if they were legal obligations, applying a “counsel of perfection rather than adequacy”, and that those preferences were “based on a mischaracterisation of Experian’s business and its impact on individual’s privacy”. Experian also argued that the Commissioner’s enforcement approach was disproportionate, that it would have the “perverse” impact of requiring a privacy notice to be “rendered less and not more meaningful”, and that it would result in more direct marketing being sent, including to vulnerable people, due to the inevitable withdrawal of its products.

Between the issuing of the notice in October 2020 and the eventual hearing before the FTT in early 2022, Experian changed how it collects data – notably, it no longer uses any suppliers who rely on consent to share data – and how it provides its privacy notice. These changes proved important to the Tribunal’s findings.

The FTT findings, in short…

The FTT upheld much of Experian’s appeal, rejecting the ICO’s views on the meaningful transparency of Experian’s privacy notice and on Experian’s ability to rely on legitimate interests for much of its processing. It also criticised the ICO’s approach to its enforcement action, and its presentation of evidence both within the enforcement notice and before the Tribunal.

The FTT agreed with the ICO that Experian had unlawfully failed to notify over 5 million individuals, and that the disproportionate effort exemption to providing notice is narrow – but imposed a more lenient obligation on Experian to rectify this breach.

…and in more depth

Transparency may be “central”, but the FTT believes it reasonable that data subjects make the effort to read into layered links.

The Commissioner’s enforcement notice had found several failings in Experian’s transparency notice. In particular, she found that Experian’s Consumer Information Portal (“CIP”) (at least in October 2020):

  • did not set out clearly in one place the information that might be processed about an individual;
  • only presented information likely to surprise individuals in the third or fourth layer of the CIP;
  • placed too much emphasis on the benefits rather than the potential risks of data broking.

The Experian CIP (both at the time of the hearing and today) relies on a highly layered approach. On first visit, a pop-up offers the user a link to an “Article 14 Notice”, which the individual may choose to visit. If a web visitor instead goes straight to the portal, this notice cannot be easily revisited (for example, clicking the linked “Privacy Policy” at the bottom of the CIP does not present or list the Article 14 Notice). Instead, through the CIP, the visitor can click their way through various layers to find sections of Experian’s notice on separate pages. These are supported by summary videos at various stages, but multiple clicks are needed for specific details. For example, to find information about what precise personal data may be collected, an individual must visit the CIP and either read the Article 14 Notice or click a minimum of two times from the CIP home page to reach the granular information.

Notably, at the time of writing neither the CIP nor the Article 14 Notice meets some of the requirements set out in the Irish Data Protection Commissioner’s decision against WhatsApp in September 2021. In that enforcement action, covered in detail in our earlier article, the DPC particularly held that information should be “easily accessible” and that “the user should not have to work hard to access the prescribed information; nor should he/ she be left wondering if he/she has exhausted all available sources of information”. Experian’s CIP has no composite notice setting out all the detail available in the CIP. The Article 14 Notice is detailed, but it is not a direct replica of the CIP’s content and is described by Experian as a “summary” of the CIP. The DPC also held that the legal basis and the purpose of processing must be given with reference to the specific categories of personal data and specific processing operations that take place. In common with many notices, neither the Article 14 Notice nor the CIP provides this level of granularity.

Rather than follow the DPC’s lead, the FTT instead emphasised that there is a “tension between providing large amounts of information on the one hand with the aim of improving transparency and accessibility of information and on the other the resultant information overload.” [165] It found that “transparency is central to the GDPR” but that the CIP in its current form “is adequately clear”. Although acknowledging that Experian’s processing is extensive and wide-ranging, and something that “would be surprising” given the purposes for which data was originally collected, the FTT considered “that the relevant information is sufficiently prominently displayed and accessible to data subjects who want to understand how their data will be processed.” [177]

The approach of the FTT appears to be that although controllers are obliged to provide transparency information, there is a substantial onus on individuals to make the effort to read the information available and to navigate the layers of a policy. The FTT held that “if people are not concerned about their privacy or what happens to their data, and they must be assumed to know those people are going to process it, then to a significant extent that is their choice” [169]. The FTT also appears to have tied evidence of a low number of CIP visits (only 130,000 unique IPs between April 2018 and February 2022) to research it says demonstrated that “actually most people do not care about what happens to their data.” [166] It summed up by saying that “It may not be the choice of others or particularly data professionals but you cannot force people into reading privacy policies” [169] – clearly, in the FTT’s view, those who do not make the effort to read into the layers presented ought not complain that they do not know how their data is processed.

The FTT’s approach is clearly at odds with the views of the DPC and the wider EDPB in the WhatsApp case, where the onus is instead placed on controllers to ensure that notices are clearly presented to their audience and that the most surprising information can be immediately understood. We know the ICO disagrees with the FTT’s view – it certainly demonstrates through its own information notice that it believes in clearer layers and a more granular approach. Although the FTT decision does not bind the Commissioner outside of this case, and a further appeal is forthcoming, UK controllers may feel this decision allows them to take a less specific approach in their own notices at this stage, particularly given how difficult it is to draft and maintain privacy notices to this level of detail.

Controllers cannot evidence disproportionate effort with extensive costs or the fact that data was publicly available

Although the FTT concluded that most individuals have limited interest in the contents of any notice they receive, it took a much stricter line on a controller’s ability to rely on the disproportionate effort exemption to providing a notice.

Article 14(5)(b) of the UK GDPR, like its EU equivalent, exempts controllers from providing a notice to data subjects where the personal data is received indirectly and providing a notice “proves impossible or would involve a disproportionate effort”. Experian contended that this ought to apply to the requirement to provide a notice to the 5.3 million data subjects who had received no privacy notice because their data came from publicly available sources. It argued that the nature of the data’s source, and the considerable expense that would be incurred in providing such a notice, met the test for the exemption.

The FTT disagreed, holding that “the fact that notifying the 5.3 million data subjects would involve a considerable business expense does not mean that it would be a disproportionate effort for the purposes of article 14 GDPR”. It explained that this was an expense that ought to have been spread over time and that, if the costs “were higher than Experian considered acceptable, then Experian was free to take a business decision not to undertake the processing.” This is in line with approaches taken elsewhere in Europe, and leaves little opportunity for controllers to argue that the size of a notification exercise could render it disproportionate.

Although Experian was unsuccessful in arguing against providing a physical notice to the un-notified 5.3 million, the FTT did allow an extended 12 months for Experian to identify these individuals and provide this notice.

Experian’s processing might be “surprising” but it can still be based on legitimate interests

The Commissioner’s enforcement notice explained her view that it was “unlikely that a controller will be able to apply legitimate interests for intrusive profiling for direct marketing purposes”. The Commissioner also suggested that Experian’s profiling was likely to be considered intrusive, based on its failure to provide a sufficiently transparent notice and on the inherent intrusiveness of the data Experian processed, even where this relied on modelled rather than accurate data.

The FTT disagreed with the Commissioner’s conclusion. In particular, the FTT found that the Commissioner’s finding that Experian’s processing would be “surprising” was “not in reality grounded in evidence but is supposition” and that, in any event, the fact that some data subjects might find processing surprising was “not a particularly useful yardstick” [142]. The FTT also disagreed that the nature of the data being processed was inherently intrusive, finding that processing modelled data was “less intrusive than processing actual data” [145]. This last finding does not appear to consider the potential for modelled data to be treated as accurate by a third-party recipient. The FTT also disagreed with the Commissioner that the processing and the failure to provide a notice were likely to cause distress [187].

The FTT was markedly more willing than the Commissioner to accept Experian’s arguments on the potential benefits of its processing. In her enforcement notice, the Commissioner pointed to ICO guidance that “little weight can be attached to supposed benefit of the data subject consumer receiving direct marketing communications more 'appropriate' to them”. In contrast, the FTT – and the ICO’s own witness before the FTT – accepted that there were benefits arising from Experian’s processing, in particular that Experian’s products allowed marketing to be more accurately directed [152] and that affordability checks conducted by Experian prevented potential harm [153]. Evidence obtained from the financial regulators, the PRA and FCA, supported this conclusion [154]. The ICO’s evidence on the perceived risks associated with screening out was instead dismissed as “emotive” [155].

Importantly, controllers should not assume that the FTT’s acceptance of the potential benefits of marketing could be read across to online marketing. Experian specifically sought to distinguish its products from more targeted advertising, and the FTT accepted that Experian’s clients were “interested in the aggregated picture and we bear in mind that this is not a situation, unlike some direct online marketing, where the buying habits of particular individuals are known.” [156]

The FTT did agree with the Commissioner that it was not possible to “flip” between reliance on consent and legitimate interests – however, as Experian no longer engages with third parties who rely on consent, this practical issue had fallen away.

The ICO’s takeaway should be an improvement in evidence collection and preparation

As will be apparent from some of the findings set out above, the ICO’s evidence before the FTT came in for substantial criticism. Astonishingly, the ICO had not retained a copy of the CIP notice actually enforced against [176], and neither of the parties considered pointing the FTT at the Wayback Machine. Despite discussion of bundles reaching “several thousand pages”, it is clear that the ICO’s main witness struggled to maintain a consistent thread of argument under cross-examination, and the FTT concluded that at times the ICO’s evidence “made little sense.” The FTT’s decision to overturn the ICO’s enforcement notice is particularly driven by its view that there was “little or no evidence to support some of the positions taken in the enforcement notice” and that in other places there were “factual errors”.

The FTT also criticised the Commissioner for failing to consider wider concerns in determining whether to issue an enforcement notice. As well as disagreeing with the Commissioner that Experian’s processing caused adverse outcomes for data subjects, the FTT considered that the Commissioner should also have considered the likely reaction of a data subject receiving an “out of the blue” privacy notice and the economic impact on Experian [184]. It also criticised the failure to consider the “environmental impact” of requiring a substantial paper mailshot [138].

It is clear that the ICO will need to do better in preparing, evidencing and explaining its case in future to withstand the FTT’s scrutiny – it is less clear that, as a public authority, it has the resources and structure to make these necessary changes swiftly.

Getting away with unlawful processing… an opportunity for future innovation in enforcement?

The FTT accepted that it was problematic that Experian continued to benefit commercially from personal data that had previously been processed unlawfully because no notice had been given. This remained problematic even when the data was turned into anonymous models, because anonymisation is itself an act of processing which should be lawful [186]. Here, however, the FTT concluded that it could not “order steps that would be unclear or possibly incapable of implementation” – presumably because it was not willing to formally order steps that might require Experian to delete data it had lawfully collected, since it could no longer separate the two datasets. Instead, the FTT limited itself – somewhat vaguely – to asking Experian to “consider what it could do to discontinue the processing” [186].

This will clearly be unsatisfactory for the ICO, given that it imposes no obligation on Experian to make a change. It will be interesting to see whether, in future cases, the Commissioner or even the FTT will look to stronger alternatives, such as the Federal Trade Commission’s algorithmic disgorgement penalty, as a way of addressing this issue.

Watch this space

On 8 March, the current Commissioner John Edwards announced that the ICO would be appealing the FTT’s decision. This will not allow the ICO to remedy any evidential failures, as the Upper Tribunal will only consider points of law. It is likely that Experian will counter-appeal on the findings against it, particularly on disproportionate effort – 5 million data subjects are unlikely to hear the sound of Experian notice mailshots hitting their doormats for some time.