Summary of relevant aspects of the transparency principle in the GDPR
In light of the materials we have referred to and drawing the threads together for the purposes of this case, we summarise the “transparency” principle in the GDPR as follows:
- there is an overarching obligation to process personal data in a transparent manner in relation to the data subject;
- it is achieved, principally, by providing information to data subjects about how their personal data is being processed;
- it is a lynchpin of, or gateway to, the GDPR, because, without this information, data subjects cannot enforce the rights afforded them under the GDPR to have their personal data protected;
- it should result in data subjects being aware of risks, rules, safeguards and rights in relation to the processing of personal data and the specific purposes for which the data is being processed; it is part of the obligation on the controller to facilitate the exercise of data subject rights under the GDPR;
- the core principle of transparency is contained in Article 5(1)(a) GDPR, whereas Articles 13 and 14 impose specific obligations that are linked to this core principle;
- GDPR is prescriptive about the kinds of information that data subjects are to be provided with, as a basic minimum (this is Articles 13 and 14);
- the accessibility and comprehensibility of the information is as important as its content. Article 12 GDPR prescribes that the Article 13/14 information (and the other information referred to in Article 12) must be provided to data subjects:
  - in a concise, transparent, intelligible and easily accessible form, and
  - in clear, plain language;
- depending upon the particular circumstances, the general transparency obligation imposed by Article 5(1)(a) may require the provision of information that in terms of its content goes beyond the requirements of Articles 13 and 14;
- the GDPR does not prescribe precisely to what lengths a controller must go to ensure that the outcomes summarised in d. above are achieved; and in particular
  - within the Article 13/14 framework, the GDPR does not prescribe exactly what, for example, qualifies as an “easily accessible” form of information provision; and
  - the GDPR does not prescribe when the controller is expected to go “above and beyond” the Article 13/14 framework;
- in these areas, where the GDPR is not prescriptive, the answer to what transparency requires will be context specific and underpinned by considerations of proportionality. It will be a matter for evaluative judgement, based on all the relevant facts and circumstances, including:
  - what kind of personal data are being processed? Some personal data are more “sensitive”, such that data subjects are more in need of “protection” during their processing, than others. This, we believe, is the point made in the FTT’s decision at [121] that “what is or is not transparent will be fact-specific and context related. The level of transparency required, for example, when sharing intimate health details will not be the same as people consenting to the processing of, for example, data about their preferred supermarket”. We agree with this;
  - what kind of processing is the personal data being subject to and for what purpose? Similar to the above, some forms of processing are more intrusive and/or more “sensitive”, such that data subjects are more in need of “protection” of their personal data, than others. As we discuss under Ground 1, the extent to which the processing is outside the reasonable expectations of data subjects will be a part of this consideration;
  - the consequences of the processing, including the nature and degree of harm (or benefit) to data subjects that may result;
  - the degree of connection between the personal data being processed and a particular GDPR right, including an “absolute” right to object to the processing, such as that under Article 21(2)-(3);
  - the costs for the controller of taking additional steps to ensure the desired outcomes summarised at d. above;
- the requisite information may be provided in a number of ways, including in an electronic form. However, what is appropriate in any particular situation will depend upon all the relevant circumstances.
The parties were agreed that Article 14(1) and (2) were not satisfied where data subjects received the information set out in Article 14(1) and (2), otherwise than via its direct provision by the controller, for example where part of the information was provided by websites other than Experian’s. Accordingly, we proceed on this basis for the purposes of the appeal, but we express no view on this reading of Article 14(1) and (2), as it was not in contention and we did not hear argument on the point. What was, of course, in contention was whether Article 14(1) and (2) did not apply in this case, because Article 14(5) was satisfied as data subjects already had the information required by Article 14(1) and (2).
- THE HON. MRS JUSTICE HEATHER WILLIAMS DBE
- Hearing dates: 6-8 February 2024
[2024] UKUT 105 (AAC)