[2024] UKUT 105 (AAC)
Upper Tribunal Administrative Appeals Chamber

Date: 22-Apr-2024

The First-tier Tribunal’s conclusions

42. The following passage contained many of the FTT’s central conclusions (we have omitted the FTT’s citation of the text of Article 14(5) in paragraph [175]):

“172. We turn next to whether, in the light of these findings, Experian has failed to comply with the GDPR as the Information Commissioner claims.

173. The Enforcement Notice required Experian to provide all data subjects with an article 14 GDPR compliant privacy notice and to cease processing the personal data of any data subject to whom an article 14 compliant notice has not been sent.

174. Experian, in ground 4 of its appeal, says that the requirements of the Enforcement Notice are disproportionate and unfair. The Information Commissioner says that the requirement of transparency is a high-level obligation.

175. The Tribunal finds that transparency is central to the GDPR. The relevant transparency requirement here is the requirement to provide an article 14 notice. The GDPR is clear about the limited circumstances in which the requirement to give an article 14 notice may be avoided. …

176. The Tribunal was presented with some difficulty in assessing the historic position in terms of what the CIP actually said at the time the Enforcement Notice was issued by the Information Commissioner because Experian had made changes during negotiations with the Information Commissioner in the course of the investigation. We note that the position is that both articles 13 and 14 lay down a timescale for the provision of privacy notices. Neither party assisted us on the issue of the relevant version for us to consider.

177. We do not consider that the Information Commissioner has provided us with evidence that would allow us to conclude that the CIP was defective at the time of the enforcement notice. We note also the relevance of the current position to the steps which the Tribunal may now order. We find that the processing, so far as it relates to CRA derived data, is now sufficiently transparent in the context of the privacy notices which are served on those data subjects who provide CRA data to lenders. The hyperlinks and websites are simple to follow, and we find, having considered the CIP in detail, that in its current form, as provided to us, it is adequately clear. We do accept that the scale of the processing undertaken is very large, and that is something which would be surprising to data subjects as indeed would be the uses to which that data is put when considering the purposes for which it was collected. But, having considered the CIP, we consider that the relevant information is sufficiently prominently displayed and accessible to data subjects who want to understand how their data will be processed.”

43. The FTT then addressed the sub-group of data subjects who had not been provided with either a copy of or a link to Experian’s privacy notice as their data had been taken from public sources, primarily the OER. The parties referred to this sub-group as “the residual cohort” (and the remainder of the data subjects as “the main cohort”). The FTT found that there had been a breach of Article 14 in respect of this cohort, reasoning as follows:

“178. Experian has accepted that around 5.3 million data subjects, out of the circa 51 million data subjects whose information is processed by Experian, have not received a privacy notice but contends that Experian can rely on paragraph 5 of article 14 on the basis that the provision of such information would involve a disproportionate effort. The GDPR is clearly written so that the article 14 privacy notice requirement cannot be easily avoided and so that ‘disproportionate effort’ is to be construed narrowly. Whilst we note that we are not bound by it, we have had regard to the Article 29 Working Party guidance on Transparency as adopted by the European Data Protection Board. In the context of the GDPR, the fact that notifying the 5.3 million data subjects would involve a considerable business expense does not mean that it would be a disproportionate effort for the purposes of article 14 GDPR. That is a business expense which should have been incurred over time as a matter of routine compliance. If the costs of compliance were higher than Experian considered acceptable, then Experian was free to take a business decision not to undertake the processing. We find that Experian should have provided the residual cohort with an article 14 privacy notice and did not do so. It was therefore non-compliant in that respect.

179. On that basis, we find that there has been a contravention of the GDPR in respect of that cohort in that the processing has not been transparent, fair or lawful.”

44. The FTT then referred to the now academic consent issue:

“180. We find also that there has, in the past, been a contravention of the GDPR with respect to the data obtained from third-party suppliers where that material was obtained on a consent basis, and we do not accept that legitimate interests is a proper means by which that data could have been used by Experian for the purpose it was processed. But we accept that this no longer occurs.”

45. After this the FTT gave a composite indication that:

“181. We do not find that there has been any other material contravention.”

46. In concluding, the FTT turned to consider the terms of any EN to be substituted and what steps it should order, bearing in mind the need for any steps to be proportionate:

“183. In so doing, we must stand in the shoes of the Information Commissioner and ask whether the Information Commissioner should have exercised her discretion differently. A broader concept of proportionality comes into the exercise of discretion by the Information Commissioner which involves a consideration of what could be achieved by imposing a requirement that Experian should rectify its non-compliance by providing a privacy notice to the residual cohort. The answer to that question is that it would be informing the data subjects about the use of their personal data as they were entitled to be informed previously and that this could enable them to object if they so wished. It would also prevent Experian from benefitting from non-compliance by having saved business costs by not providing an article 14 notice. It would also potentially dissuade other Data Controllers from non-compliance, but the main object of the enforcement notice would be to make sure that Experian would comply with the GDPR in the future.

184. We find that the Information Commissioner should have exercised her discretion differently in that she should have balanced the objectives in issuing the enforcement notice against (a) the fact that the uses to which the personal data were put did not result in adverse outcomes for the data subjects, (b) the economic impact that the expense would have on Experian when incurred at once rather than over months or years, and (c) the likely reaction of the data subjects to receiving an ‘out of the blue’ notification, which reaction we find was likely to be either disinterest resulting, for example, in the data subject just putting it in the bin or possibly some confusion or even distress. We are satisfied that the Information Commissioner got the balance wrong in terms of proportionality in exercising her discretion because the Information Commissioner had fundamentally misunderstood the actual outcomes of Experian’s processing. We note in particular that section 150(2) provides ‘In deciding whether to give an enforcement notice in reliance on section 149(2), the Information Commissioner must consider whether the failure has caused or is likely to cause any person damage or distress’.

185. The Tribunal must also consider what steps it will order now, and we find that to order notification of the residual cohort now would be disproportionate. However, the Tribunal would stress that it has made a finding that Experian did not comply with the requirements of article 14 and it fully expects that Experian will rectify this non-compliance in respect of its future personal data collections. The Tribunal recognises the considerable expense and practical difficulties which Experian would face in attempting to identify the residual cohort and issue them with an article 14 notice.

186. The Tribunal is cognisant of the fact that some of the personal data has been used to build models from which Experian may continue to derive a commercial benefit. Any processing of personal data collected in circumstances where an article 14 privacy notice should have been given and has not been given will continue to be non-compliant and Experian should consider what it can do to discontinue this processing. This applies even where the personal data has ceased to be personal data because its inclusion in the models is anonymised. It is clear that taking personal data and anonymising it is a form of processing of personal data and that processing must be compliant. However, the Tribunal cannot order steps which are unclear or incapable of implementation.

187. The Tribunal is also satisfied that it is unlikely that any person has suffered damage or distress as a result of Experian’s failure to provide an article 14 notice.”