[2024] UKUT 105 (AAC)

As well as the bare statutory provisions, the section at [111]-[129] also included some commentary by the FTT, as follows:

“119.

We accept the Information Commissioner’s submission that the right to transparency in the processing of personal data is foundational as it enables data subjects to access and exercise their own GDPR rights. We accept it is essential to affording data subjects autonomy and to achieving the purpose of the GDPR that a person should have control of their own personal data.

... 

121.

With respect to the requirements of transparency, we find that Mr Hulme’s evidence on this makes little sense. Given how it is defined, what is or is not transparent will be fact-specific and context related. The level of transparency required, for example, when sharing intimate health details will not be the same as people consenting to the processing of, for example, data about their preferred supermarket. 

…

128.

Whilst we understand why counsel for the Information Commissioner would wish to distance himself from Mr Hulme’s evidence, nonetheless, it has the effect of there being little or no evidence to support some of the positions taken in the enforcement notice; and, for reasons to which we will turn below, there are a number of factual errors identified in the enforcement notice. In addition, in his cross-examination Mr Hulme accepted that the scenarios set out in his witness statement as to how people would be distressed by the data processing were incorrect to the extent that he accepted his evidence in his witness statement was “completely wrong, completely misleading and perverse”. Despite this, we did not feel the need to give ourselves a “Lucas” direction.”

Under the heading ‘Findings’ the FTT indicated that they would set out their findings “as to what Experian does with the data it collects”. They began with some observations about the extent to which the data processing aspects of Experian’s business were well-known:

“133.

We accept that Experian’s credit reference agency business is well-known. We take notice of the fact that we have observed marketing carried out on television and on billboards. We consider, however, that it would be speculative to consider how well-known their marketing business, EMS, is. We note Mr Grieves’ evidence that Experian presents itself as a business that processes credit data, sharing data and providing access to offers. We note the submission that over 17 million individuals will have interacted with third party websites that supply data to Experian and will thus have seen the reference to the Experian privacy notice, but we do not accept that that is good evidence that that number of people will be aware of EMS. That is because of the other evidence, on which Experian relies. We accept also that approximately 10 million people will have been notified of the existence of Experian if they had been in direct contact with ECS but how much that impinged on their awareness we do not know.”

The FTT then returned to the subject of Mr Hulme’s evidence, about which they were highly critical:

“135.

The core of the Information Commissioner’s case is that the processing undertaken by Experian will be surprising to those individuals whose personal data is processed, the processing is intrusive, and that the assessments undertaken in balancing Experian’s legitimate interests are flawed.

136.

We found Mr Hulme’s evidence to be significantly flawed in a number of respects. As noted above he accepted that in certain core parts of his evidence what he had said in his witness statement was not just wrong but that the position was in fact the direct opposite of what he had said in that witness statement to which his statement of truth had been appended.  

…

138.

We accept the submission that in order for weight to be attached to the Information Commissioner’s opinion that it has to be based in evidence. We accept also that in reaching a decision, the Commissioner and this panel must have regard to the regulatory decisions in respect of the economy, the environmental impact and positive benefits for the consumers of processing (which appear from Mr Hulme’s evidence not to have been taken into account in the enforcement notice).”

The FTT referred to whether Experian’s processing would be surprising to data subjects in the following terms:

“142.

It is part of the Information Commissioner’s case that individuals on the OER would find Experian’s use of their data surprising. The source for that is primarily Mr Hulme whose evidence is, for the reasons set out above, less than reliable. It is not in reality grounded in evidence but is supposition. Further, the mere fact that some people might subjectively find some things “surprising” is not a particularly useful yardstick.”

The FTT then found that the use of modelled data points was less intrusive than the processing of actual data:

“145.

We bear in mind the evidence, as accepted to an extent by Mr Hulme, that modelled data points may not in fact reflect a person’s actual characteristics. This, we find, makes them less intrusive than processing actual data...”

Under the heading “CRA derived data”, the FTT addressed the use made of data subjects’ data as follows:

“152.

We accept that the CRA-derived data is used to validate or update address data, and in the creation of Experian’s models. It is important to note that EMS does not have access to any account transaction data. We accept the evidence that there are benefits to data being used in such a way. It ensures that the mailing lists are up-to-date, which in turn means that mailing is not sent to former addresses which may in itself be problematic if it were then to be accessible by those who should not have access to it, depending on what material is in a mailshot. We accept also that it has a utility in that it allows businesses to, as Experian’s evidence indicates, cut down on duplicate names, misspellings and similar errors. There are therefore benefits to this. We note that Mr Hulme accepted these were benefits, and we note that offering a service to check accuracy is supporting compliance with the accuracy principle.

153.

Looking at the evidence as a whole we consider that the Information Commissioner did not properly appreciate the limited extent to which CRA data was used. However, we do note that this source of data is used to produce the ConsumerView profiles even if the address information is not prospectable. The CRA data is therefore, to an extent, used in the building up of Experian’s products. 

154.

We consider that the credit pre-screening product is of use in that it removes people from marketing lists for credit products in circumstances where they would likely to be declined as is the evidence from Experian’s witnesses. We accept that this does not prevent people from applying for the credit product, merely that material is not sent to them. We consider that there is a utility in this because it means that they will not be offered products which (a) might not be affordable for them (b) where a refusal may cause difficulties for their credit score with an ongoing difficulty, spiralling, in obtaining credit... We accept that the FCA does not require firms to process data held by CRA to screen people out, but Experian has never said that that is a requirement, and we note that the PRA and the FCA have confirmed that the service offered is beneficial and helps lenders comply with the FCA’s rules which we consider is a matter in the public interest.

155.

We do not accept the emotive evidence from Mr Hulme that the use of CRA data to screen individuals stigmatises poor people...

156.

We accept also Experian’s submission that what its clients are seeking to do is not to target particular individuals but merely to have a list of those who are more likely to respond to the offer their client intends to send. That is to say that the chances of direct mail marketing being effective are higher by sending mail to a list of individuals who may have particular characteristics, which is better than sending them at random. Experian’s customers are, we accept, interested in the aggregated picture and we bear in mind that this is not a situation, unlike some direct online marketing, where the buying habits of particular individuals are known. We accept Mr Grieves’s evidence that retailers do not pore over the names and addresses from ConsumerView.

157.

With regard to the amount of data sent out, we accept the evidence from Experian that on average four attributes are provided to clients; that data representing the last twenty attributes and that impact of this fact is that they do not sell the entire data profile of a cohort of data subjects. We accept Ms Shearman’s evidence that each disclosure of data by Experian to a client is considered on a case-by-case basis subject to controls including whether it is to be used for a permitted purpose as agreed in the contract. We accept also that there is some auditing of the use to which the data is put and Experian contracts with data brokers contain audit rights requiring the brokers to provide monthly reports on the use of data. We accept also that there are red and amber lists of organisations with whom Experian will not do business or may well not do business, and we note the evidence that the only gambling company which is a customer of Experian uses the service to prevent underage people from gambling. One might have thought that was in the public interest but that too must be balanced.

158.

We consider it difficult to quantify how much material would or would not be sent if Experian’s activities were curtailed. We consider the suggestion that Experian’s products help stop one billion communications to be excessive and not properly sourced in evidence. We accept Mr Grieves’ evidence that some of the suppression services may act to prevent stress in certain circumstances and we note, worryingly, that Mr Hulme accepted that proposition and, in the example, whereby marketing was sent to pregnant mother who had suffered a miscarriage that his statement was perverse, wrong and misleading in this regard.

159.

With regard to the evidence whereby those who might be in fuel poverty are identified, and the suggestion that may be problematic, we note that such data might, if used by utility companies and relevant service providers be in the public interest.

160.

Finally, we accept the submission that the worst outcome of Experian’s processing in terms of what happens to the data at the end of the process is that an individual is likely to get a marketing leaflet which might align to their interests rather than be irrelevant. To some extent we accept that the effect of suppression lists and removing certain types of data may result in some people not receiving distressing or inappropriate communication. That does not of course mean that there has been compliance with the DPA or the GDPR but, following Lloyd v Google LLC [2021] UKSC 50, it is unlikely that there would, in this scenario, be a data subject who is likely to succeed in a damages claim.”

As regards the CRAIN and then the CIP, the FTT made the following findings:

“CRAIN

161.

The route for an individual to learn what happens to data acquired via the CRA involves following a link from material supplied by, for example, a bank to the CRAIN and from there to the CIP maintained by Experian. The great majority of lenders make the CRAIN available to individuals by providing them with a link from their own privacy notice. We accept Experian’s position that this route was decided after consultation with the Information Commissioner. The Information Commissioner were also, we accept in the light of the evidence of Mr Cresswell and Mr Hulme, involved in the development of the CRAIN and considered that it was a good transparency notice. We find, examining it that it provides individuals with an understanding of Experian’s business and links to further material.

162.

The route noted above will usually be facilitated by hyperlinks if the material from the bank, as is often the case, is supplied in electronic form. We consider that the reasonable data subject will be familiar with hyperlinks and how to follow them.

Consumer Information Portal

163.

We were taken at length through the consumer information portal (CIP) which we accept now includes a freestanding notice collating the information required to be provided by Article 14. That was introduced in October 2020 at the same time as the issue was noticed by the Information Commissioner. It has been amended so that it no longer pops up only on a user’s first visit but also on subsequent visits to the site.

164.

The Information Commissioner’s case is that Experian made no attempt to identify the information that individuals were likely to find concerning or surprising and did not address its mind to the questions of what steps it should take to ensure the information was promptly located in the CIP.

165.

Stepping back from the particular circumstances of this case, there is a tension between providing large amounts of information on the one hand with the aim of improving transparency and accessibility of information and on the other the resultant information overload. To an extent that is met by layering which is the staggering of provision of information to the customer, which is more easily adapted to a website scenario. That is because an individual accessing it can see headlines and click on them for more information. Whether, and to what extent, a particular piece of information is surprising or for that matter important or unusual will be a matter of judgment. It is self-evident that not all users will take the same view, nor will their knowledge as to how data is processed in general be the same. Put bluntly, what surprises one person may not surprise another but what is in issue is an individual’s reasonable expectations.

166.

We accept the evidence that Experian’s website receives some 7 million visits per month but equally that only 130,000 unique IP addresses have visited the CIP since April 2018. There is no evidence regarding the number of visitors to the CIP who have gone beyond the first layer. This is borne out to an extent by the research data which shows that actually most people do not care about what happens to their data.

167.

With regard to the opt out option we do not consider that people are improperly pushed towards not opting out totally.

168.

We note the evidence that a report from the Competition & Markets Authority suggests that on average individuals spend 73 seconds reading a privacy policy. In that context, it is more likely than not that most people will not assimilate the substance of the entire policy in that time. That is of course a matter of individual choice.

169.

Common sense would tend to suggest that it is only those who are actually interested in what happens to their data who would read beyond the first part of a privacy notice and, if they were concerned to read further, we consider that there is a sufficiently easy to follow trail through hyperlinks to the CIP from the privacy notices which enables people who are concerned about their privacy to follow that route to learn more. If people are not concerned about their privacy or what happens to their data, and they must be assumed to know those people are going to process it, then to a significant extent that is their choice. It may not be the choice of others or particularly data professionals but you cannot force people into reading privacy policies and the data controller is still obligated to provide a privacy notice. The processing must still be fair, lawful and transparent. Compliance with Data Protection law is the core focus and function of the Information Commissioner and therefore the Tribunal on appeal.

170.

There are, we consider, difficulties with the basis upon which data obtained by third-party suppliers was previously processed by Experian. We do, however, note the evidence that the model used is now that data is processed on the basis of legitimate interests and not on the basis of consent. That issue would thus appear now to be academic.”