The Information Commissioner’s Enforcement Notice
On 12 October 2020 the Information Commissioner issued Experian with an EN under sections 149(2)(a) and (b) of the DPA 2018. The EN made detailed findings that Experian had contravened, and was still contravening, Articles 5(1)(a), 6 and 14 of the GDPR. The EN imposed a series of requirements on Experian, set out in an Annex, to be completed within either three or nine months. These requirements were organised into five categories. Category A requirements were based on alleged breaches of GDPR Article 5(1)(a) and the obligation to process personal data fairly and transparently. Category B requirements were derived from alleged breaches of GDPR Article 14, while Category C requirements were founded on alleged breaches of GDPR Article 5(1)(a) and Article 6 and the obligation to process personal data lawfully. The Category D and E requirements related to matters where by the time of the FTT the Information Commissioner no longer considered that enforcement action was required, and so they are not discussed further here.
Here we just summarise the main import of those various stipulations – we refer a little later to the full text of the most significant requirements, namely A1, B4-B5 and C6-C8. (The requirements at A2 and C3 are no longer live issues, as we will come on to explain.)
• A1 – to revise the CIP in certain respects;
• A2 – to cease using credit reference derived-data for any direct marketing purposes;
• C3 – to delete data supplied on the basis of consent which is now processed on the basis of Experian’s legitimate interests;
• B4-B5 – to directly provide all data subjects with an Article 14-compliant privacy notice where Experian has acquired their personal data from any source other than the data subject, which informs the data subject that their personal data has been obtained by Experian for purposes which include direct marketing and the form that processing for marketing purposes takes; and to cease processing of any personal data of any data subject to whom such a notice is not sent;
• C6 – to cease processing any personal data where the objective legitimate interest assessment cannot be said to favour the interests of Experian, having particular regard to the transparency of the processing and the intrusive nature of profiling;
• C7 – to review the compliance with the GDPR of the privacy notices and data capture mechanisms of all third party data suppliers and collect data from them only where they meet the same standards of transparency as Experian’s own material;
• C8 – to cease the processing of any personal data where there is insufficient evidence that it was collected in a compliant manner.
The EN is a detailed and lengthy document – and indeed the FTT’s summary of the EN in their decision runs to six pages – but we will highlight the main features.
In relation to the Category A and Category B requirements, the Information Commissioner considered that the collation of a wide range of personal data about a huge number of data subjects constituted processing on a scale and for detailed analytical purposes which few data subjects would expect, and constituted data profiling within the meaning of Article 4(4) GDPR. On that basis, the Information Commissioner considered it was incumbent on Experian to ensure that it was as transparent as possible about the data it was using, where it had been obtained from, and the ways in which it was used. In the Information Commissioner’s view, data subjects were precluded from being able to exercise their GDPR rights without clear, detailed and transparent information, provided in a way that a data subject could readily understand. The Information Commissioner considered that the requirement of transparency in Article 5(1)(a) went beyond simple compliance with Article 14 and was context dependent. The Information Commissioner recognised that improvements had been made to the CIP, but considered that even in its most recent version it still failed to achieve the necessary transparency (in the respects summarised by the FTT at [18(a)]-[18(l)] of their decision). In sum, the Information Commissioner concluded that the extensive processing carried out by Experian, coupled with what she characterised as the largely invisible nature of that process (in particular the profiling of data subjects), was intrusive. Although not the most intrusive type of processing, it nonetheless involved the compilation of a wide range of data from public and private sources so as to build a profile of approximately 50 million data subjects, few of whom would expect such processing on a mass scale.
The Information Commissioner accepts that the requirement at A2 of the EN was overturned by the FTT and does not seek to challenge this. Accordingly, we need say no more about that aspect.
As regards the Category C requirements, the Information Commissioner considered that Experian had contravened both Article 5(1)(a) and Article 6(1) GDPR. Experian processed all of the personal data held for direct marketing purposes on the basis of its legitimate interest, but the information provided by third party suppliers was provided on the basis that those third parties had obtained the data subjects’ data by consent. However, by the time of closing submissions before the FTT, it was accepted that data was no longer processed on the basis of consent. Thus the requirement at C3 became academic, and we focus on the requirements relating to processing on the basis of legitimate interests. In this respect, the Information Commissioner was not satisfied, in circumstances where a very large amount of personal data was being processed in highly targeted ways and where there were significant issues of non-transparency, that Experian had correctly or properly concluded there was a lawful basis for processing the personal data. The Information Commissioner rejected Experian’s assertion that the processing for profiling was not intrusive of privacy. The Information Commissioner’s case was that little weight could be attached to the supposed benefit of the data subject receiving direct marketing communications that were more appropriate to them, since this was a consequence of processing and profiling which they would not have anticipated. The Information Commissioner considered that it was unlikely that a controller would be able to rely on legitimate interests for intrusive profiling for direct marketing purposes.
As mentioned above, the Annex to the EN then set out the detailed requirements imposed on Experian. The Category A1 requirement, which was required to be met within three months, was framed in the following terms:
“Category A
1) Revise the CIP to:
a) set out clearly in one place and at the forefront of the privacy information an "at a glance" summary of the direct marketing processing that Experian undertakes, including what attributes (actual and modelled) Experian processes about individual data subjects;
b) place information that is likely to surprise individuals (for example, that connect together multiple data sources to build a marketing profile) more prominently than in the third or fourth layers;
c) include language concise, clear and not unduly euphemistic or industry-based language (such as "insight") to ensure it is intelligible to data subjects; and
d) include intelligible information about each source of data (including modelled data), each use of data and the onward disclosure of data and illustrate them with examples and possible outcomes.”
The further requirements under Categories B and C were stipulated to be met within a nine-month timescale:
“Category B
4) Directly provide all data subjects with an Article 14-compliant privacy notice (by mail or other acceptable means of communications) where Experian has acquired their personal data from any source other than the data subject, which clearly and directly informs the data subject that their personal data has been obtained by Experian for purposes which include direct marketing and the form that processing for marketing purposes takes, in terms and form consistent with paragraph 1) above (save that no notice is required to be sent where Experian's processing concerns only the retention or sale of the Open Electoral Register and no other processing of the personal data in that Open Register has occurred, or relates to the obtaining and use of directory enquiry databases like BT OSIS or suppression databases like the TPS).
5) Cease the processing of the personal data of any data subject to whom an Article 14-compliant notice is not sent.
Category C
6) Cease processing any personal data where the objective legitimate interest assessment cannot be said to favour the interests of Experian, having particular regard to the transparency of the processing and the intrusive nature of profiling.
7) In the case of all suppliers of personal data to Experian, review the compliance with the GDPR of the privacy notices and data capture mechanisms of those suppliers and collect data from only those suppliers where it is the case that:
a) the suppliers' notices provide the same standard of transparency as the CIP,
b) the suppliers' consent capture mechanisms are sufficient to constitute valid consent (including being informed and specific) to the collection, disclosure and onward processing of the data; and
c) the suppliers' privacy information is clear and intelligible, with processing that the individual is unlikely to expect or would be surprised by to the fore and not buried in lengthy and jargon-heavy text.
8) Cease the processing of any personal data where there is insufficient evidence that it was collected in a compliant manner.”
We now outline the main features of Experian’s challenge to the EN.
- THE HON. MRS JUSTICE HEATHER WILLIAMS DBE
- Hearing dates: 6-8 February 2024