The First Tier Tribunal’s judgment in Experian v Information Commissioner [2023] UKFTT 00132 marks the end of one of the most significant UK data protection appeals to date.

Summary

The appeal arose out of an audit conducted on Experian’s marketing services business (not its credit reference business) in 2018, which resulted in an Enforcement Notice in 2020. The marketing services business does not generally deal directly with individuals and so relies on third parties to notify them of its processing. In broad terms, the judgment considers four issues:

• Is the privacy information provided by the marketing services business, known as the Consumer Information Portal or CIP, clear and transparent?

• Can Experian rely on third parties notifying individuals about its processing using the CIP? Alternatively, because of the allegedly intrusive nature of that processing, must Experian directly notify those individuals?

• Can Experian make use of limited types of information taken from its credit reference agency business without obtaining consent from individuals?

• In general, does the processing carried out by Experian’s marketing services business reflect a legitimate interest?

The Tribunal found almost entirely in Experian’s favour concluding, in effect, that the processing by marketing services business is lawful. That processing did not result in adverse outcomes for individuals and that the CIP was clear and transparent. Accordingly, it was sufficient for third parties to notify individuals by providing a link to the CIP, without obtaining consent to any processing.

The only exception is a residual cohort of individuals whose data was collected by Experian from open sources (e.g. from the Open Electoral Role) but who had no dealings with the relevant third party and so had not been presented with the CIP.

The Tribunal therefore struck out the original Enforcement Notice and issued a short Substitute Enforcement Notice in its place only requiring notice to this residual cohort.

The judgment contains important points on transparency and the “indirect” provision of privacy notices but also highlights a number of important lessons to consider when challenging regulatory decisions by the Information Commissioner.

Don’t assume the regulator understands your business…

One of the most striking aspects of this decision is the treatment of the Information Commissioner’s evidence by the Tribunal. The Information Commissioner started its investigation into Experian by way of an Assessment Notice in July 2018. The Information Commissioner carried out four days of audit field work at Experian’s business in September 2018. This resulted in a preliminary Enforcement Notice in April 2019 and a final Enforcement Notice in October 2020.

The Information Commissioner acknowledged in its evidence that not only did Experian provide “extensive … information” and “detailed written representations”, it also “continued to engage in various respects…. including to explore remaining areas of difference.”

Despite that information, representations and explorations Experian engaged in, the Tribunal found that “there [was] little or no evidence [produced by the Information Commissioner] to support some of the positions taken in the enforcement notice”. The Tribunal also found that there were “a number of factual errors identified in the enforcement notice”, that the Information Commissioner’s lead witnesses’ evidence was “significantly flawed in a number of respects” and that “in certain core parts…. what he had said…was not just wrong but the position was in fact the direct opposite of what he had said”.

Like many data heavy businesses, Experian’s marketing services business is complex. It now seems clear that the Information Commissioner did not understand that complexity, despite Experian’s “extensive” attempts to explain it.

The core of the Information Commissioner’s case was that the processing by the marketing service business was intrusive. However, the Tribunal disagreed, finding that the Information Commissioner “fundamentally misunderstood the actual outcomes of Experian’s processing”. For example, the Information Commissioner was forced to accept that the example it used of Experian’s processing leading to marketing being “sent to a pregnant mother who had suffered a miscarriage … was perverse, wrong and misleading”. Equally, the Tribunal concluded “the Information Commissioner did not properly appreciate the limited use to which [credit reference] data is used” in the marketing service business. On the key issue of transparency, the Tribunal decided the Information Commissioner was “not in reality grounded in evidence but in supposition”.

The position of the Information Commissioner is difficult. Large businesses have complex and nuanced processing operations and it is difficult for anyone not working within that business to have full command of the underlying detail. As a result, it is easy to see the temptation to rely on high level assumptions about how the business operates. Unfortunately, they may not accurately reflect the way the business operates in practice. There is no substitute for a close examination of the underlying data and datafields, and a concrete understanding of the exact processing taking place.

That is a key learning point for other businesses in a similar position; even in a long process your regulator may not have a clear view of all the relevant facts. Certainly, you shouldn’t assume they do.

...but data protection is getting a lot more contentious

Sadly, this type of appeal is becoming more common as the data protection law becomes more contentious.

One reason is that step change in sanctions brought about by the GDPR. Under the old Data Protection Act 1998, the Information Commissioner initially had no fining powers, and when those powers finally arrived in 2010, they were capped at a miserly £500,000. Even then most fines were well below that limit. Large businesses would usually fix the issue, pay the fine and move on, regardless of whether they considered the sanction was merited. The cost and uncertainty of appealing was generally not worthwhile.

The UK GDPR changes all of that. Fines of up to the greater of £17.5 million or 4% of worldwide turnover means there may be a sound financial case to contest a fine. Added to this is the residual concern that a formal finding of breach by the Information Commissioner will trigger civil claims (albeit this risk has abated significantly since the Supreme Court’s decision on opt-out representative actions in Lloyd v Google, here). In other words, the increase in the size of the fines and the risk of follow-on civil claims means appeals have inevitably become more common.

Data is also becoming more important. Over the past decade data has become “the new oil” – a valuable commodity that helps businesses operate more efficiently and create new products and solutions. An Enforcement Notice often dictates how personal data can, and cannot, be used. This can have significant implications that cut to the heart of many modern business models.

The final reason arises because the Information Tribunal allows a full “merits based” review. The Tribunal is not limited to considering if there has been an error of law or fact, or wholly unreasonable exercise of discretion by the Information Commissioner. Instead, the Tribunal can “stand in the shoes” of the Information Commissioner and, if appropriate decide the Information Commissioner should have exercised its discretion differently. That creates a strong incentive for both parties to put everything before the Tribunal and invite them to come to a conclusion.

While the Tribunal must pay careful attention to the findings of the Information Commissioner as an expert regulator (R (Hope and Glory) v City of Westminster [2011] EWCA Civ 31) a “merits based” review opens broader grounds to appeal and increases the likelihood of success.

Just a matter of opinion?

Even if the facts are right, data protection compliance often turns on subjective and context-specific assessment. For example, the legitimate interest assessment under Art 6(1)(f) requires an assessment of a very broad range of factors and is sometimes equated to the question “Is Messi the greatest footballer of all time?”. You might agree or disagree with the answer to that question but is it ‘wrong’?

One way to support your position is survey evidence. If a matter turns on the individuals’ “reasonable expectations” rather than assuming they have particular state of mind, you might just ask them what they think. As the Tribunal notes on the issue of transparency, the “mere fact some people might subjectively find some things “surprising” is not a particularly useful yardstick”. In the Experian appeal, the Tribunal was positively influenced by a C-Space survey about the CIP which, for example, found that 90% found the front page easy to understand and 93% found it easy to understand the opt-out information.

More generally, there may be a number of right answers. This point was argued during the Experian appeal but is not discussed in the final judgment. However, judicial guidance comes from the earlier decision by the Tribunal in DSG Retail Limited v Information Commissioner [2022] UKFTT 2020_0048 where the Tribunal criticised the Information Commissioner for “substitute[ing] its own judgement” as to the appropriateness of DSG’s security measures, noting that the “pitfall of such an approach is that it requires the decision maker to have in their possession all of the contextual and technical information that was available to the data controller”.

Further support for the fact controllers should have margin of discretion in these matters comes from a range of other cases such as in Sales LJ’s comments (as he then was) in Dr B v GMC [2018] EWCA Civ 1497; “individual data controllers should be afforded a wide margin of assessment in making the evaluative judgments required in balancing the privacy rights and other interests in issue … The incommensurable and very varied nature of the interests of requesters, objectors and data controllers which might be taken into consideration in the balancing exercise … also indicates that individual data controllers have a wide margin of assessment”. Those comments relate to the disclosure of mixed data (i.e. data of other individuals in response to subject access request) but appear to be more widely applicable. In other words, controllers may well have a range of lawful approaches. It is not sufficient for the Information Commissioner to prefer a different approach. It must instead show the approach taken by the controller is wrong.

“Indirect” transparency

A core issue in the Experian judgment is “indirect” transparency – i.e. where a controller does not have a direct relationship with an individual, to what extent can it rely on third parties who do have a direct relationship to notify the individual of the controller’s processing? This is an issue of wider importance.

To address this issue, the Tribunal made a number of insightful observations about practical challenges in ensuring good transparency:

• Transparency is “central to the GDPR” and attitudes vary however “research data … shows that actually most people do not care about what happens to their data”. Evidence from the Competition & Markets Authority suggests that “on average individuals spend 73 seconds reading a privacy policy”. Ultimately, you “cannot force people into reading privacy policies”.

• The level of transparency required is context specific. For example, the level of transparency is needed “when sharing intimate health details will not be the same as people consenting to the processing of, for example, data about their preferred supermarket”.

• Deciding how to layer this information – i.e. what processing is surprising, unusual or important – is inevitably a matter of judgement; “Put bluntly, what surprises one person may not surprise another”.

• There is an inherent “tension between providing large amounts of information on the one hand with the aim of improving transparency and accessibility of information and on the other the resultant information overload”. The layering of information can help address this issue.

These findings may be heresy in some data protection circles. However, personal experience suggests people do care about their privacy but privacy notices are not the solution. The creation of ever-longer and more detailed privacy notices seems to be driven by regulatory imperatives rather than any pressure from the public.

The conclusion

Putting this together, the Tribunal concluded that the CIP provided significant transparency with prominent and accessible information to individuals about Experian’s processing. If individuals decide not to follow those hyperlinks or not to read the contents of the CIP, “then to a significant effect that is their choice”.

Accordingly, Experian was entitled to rely on third parties notifying individuals about its processing by providing links to the CIP and there was no need for Experian to contact the individuals directly.

However, that is not the end of the matter. There is a residual cohort of individuals who are not notified about Experian’s processing via the CIP. For example, where information about an individual is collected from open sources (such as the Open Electoral Roll) and that individual has no dealings with relevant third parties (who would bring the CIP to their attention) the individual would be unaware of Experian’s processing. The question is whether notifying these individuals would be disproportionate (Art 14(5)(b)). The Tribunal’s conclusion here is finely balanced, reflecting:

• the fact that Experian’s processing in relation to such individuals is limited, only from public sources and does not result in any adverse outcomes for the individuals – the Tribunal was satisfied it was unlikely any person had suffered damage or distress as a result of Experian’s processing;

• the notification exercise would be time consuming and expensive, and

• the reaction by individuals on receiving the notification would be confusion or distress in limited cases, but more likely “disinterest resulting … in the data subject just putting it in the bin”.

The Tribunal’s decision was to overturn the original Enforcement Notice and replace it with a Substitute Enforcement Notice under which individuals in this residual cohort (subject to specific exemptions) do need to be notified, but in a staggered manner over the next 12 months. 

The principle that privacy notices should be sent to individuals whose data is collected from open sources (such as the Open Electoral Roll or Companies House) may be more widely applicable. This could impose a significant burden on other businesses who use these data sources for marketing purposes and calls into question the adequacy of the current approach using the so called “form of words”.

The judgment in Experian v Information Commissioner [2023] UKFTT 00132 is available here

Linklaters acted for Experian throughout this matter.