[2024] UKUT 105 (AAC)

The fourth alleged error caused us some anxiety. In setting out their findings at [161], [162] and [177], the FTT referred in terms to data subjects whose data was supplied via its CRA business and who were provided with a link to the CIP via the CRAIN. By contrast, the FTT did not refer to those data subjects whose personal data was provided to Experian by third party suppliers when it addressed the route to the CIP and the applicability of Article 14(5)(a). Moreover, the terms of [170]-[171] and [180] of their decision might suggest that the FTT thought that issues involving data supplied by the third parties had become entirely academic, as opposed to the issue of consent based processing raised by the EN’s Requirement C3 becoming academic (as we explained at [18] above).

However, ultimately we are persuaded by Ms Proops’ submissions that it is inconceivable in the circumstances that the FTT could have entirely overlooked this central issue. We infer that the FTT’s composite indication at [181] that they “did not find that there has been any other material contravention” included their assessment as to the accessibility of the user route from the third party suppliers’ websites, indicated in a very compressed way in light of the conclusion that they had already set out at [177] in respect of the CRA data subjects. We explain our reasoning in the paragraphs that follow.

The FTT were plainly aware that a substantial amount of the personal data processed by Experian was derived from third party suppliers; the FTT referred to this at [4], [8] and [148] of their decision, including noting that data was collected by some 148 third party websites and that the information held on ChannelView was predominantly provided to Experian by third party data suppliers. Equally, the FTT would have been aware that Requirements B4 and B5 of the EN did not distinguish between data subjects whose personal data was supplied via the CRA and those whose data was provided to Experian from the third parties. Accordingly, on the face of it, the Article 14 issues applied equally to both of these groups of data subjects.

Furthermore, there was nothing in the parties’ submissions before the FTT that suggested that the Article 14 issues had narrowed to exclude the latter group of data subjects from their consideration. This is confirmed by the parties’ closing submissions.The Information Commissioner’s written closing submissions noted at [50]-[51] that Experian relied upon Article 14(5)(a) in respect of (amongst other groups) the notices provided to data subjects by third party suppliers. The evidence relating to the information provided by third party suppliers to data subjects was then addressed in more detail at [51(2)]. At [53] and [54] it was said in terms that the Commissioner did not accept that any of the mechanisms discussed in [52] satisfied the requirements of Article 14(5)(a). Accordingly, this included the user route to the CIP from the third party suppliers’ websites. Additionally, the contents of [6(6)], [6(6)(b)] and [123(3)] of Experian’s written closing submissions confirmed that Experian continued to rely upon the Article 14(5)(a) exception in respect of those whose data was obtained by the third party websites.

We have also considered the Schedule of agreed and disputed facts. The provision of data by third party suppliers was referred to at points 3.9, 3.21, 3.25 and 3.27. In addition, point 6.19 referred to Experian’s contention that 90% of individuals had been notified of Experian’s processing of their data via the links to the CRAIN, the third party supplier information which linked to the CIP or ECS privacy information that linked to the CIP. Points 7.1 and 7.2 referred to Experian’s position that third party suppliers clearly explained to individuals who signed up, that their data would be provided to Experian for processing and provided them with a link to the CIP. We note that the Information Commissioner’s response included the observation that the evidence before the FTT had covered examples of the information provided by the third party suppliers, rather than comprehensive evidence regarding the information given to all 17 million individuals whose data was derived from these sources, but the Commissioner “does not suggest that these examples are atypical”. It appears from the Commissioner’s written closing submissions that the examples that had been provided in evidence related to four of the 148 third party suppliers.

This material all supports the proposition that the FTT would have been aware that the Article 14(5)(a) issue included the data subjects whose personal data had been provided to Experian by the third party suppliers.

We have also considered [133] of the FTT’s decision. Its terms further confirm that the FTT were aware that data was supplied to Experian from the 17 million individuals who had interacted with the relevant third party websites. Mr Pitt-Payne suggested that the FTT’s observations tended to show that they were not satisfied that the Article 14(5)(a) criterion was met in respect of these data subjects. However, we do not read [133] in that way. At this stage of the decision the FTT were not addressing the Article 14 exceptions, rather the FTT were responding to a suggestion that Experian’s data processing business was well-known to the 17 million individuals who had interacted with the third party websites. In this regard the FTT indicated that they did not accept that the reference to the Experian privacy notice on the third party websites was “good evidence that that number of people will be aware of EMS”. As the FTT were plainly referring to the (lack of) actual awareness on the part of data subjects at this stage, this observation was entirely consistent with their later remarks at [166] and [168] regarding the limited attention that people gave to privacy notices. (Indeed, it appears that their reference in [133] to “the other evidence, on which Experian relies” is a reference to the research material that the FTT had in mind in these later paragraphs.). In any event, it is clear that at [133] the FTT were not addressing the accessibility or clarity of the user route to the CIP or the CIP itself. In contrast to the point that the FTT were addressing at [133], we have already explained when addressing the third alleged error, that “having” the prescribed information for Article 14(5)(a) purposes does not require the data subject to have actually read it.

We accept that the FTT’s finding at [177] also in effect determined the position in relation to Article 14(5)(a) for those individuals whose data was provided by the third party suppliers. Given that their route to the CIP involved clicking on only one hyperlink from the third party website to the CIP, as opposed to the CRA route via the CRAIN involving the data subject clicking on two hyperlinks to arrive at the CIP, it would have been very surprising indeed if the FTT had arrived at the opposite conclusion as to the applicability of the Article 14(5)(a) exception in relation to this group of data subjects. Furthermore, the FTT’s observations about users’ familiarity with hyperlinks and ability to follow them at [162] would have applied equally to the third party situation; and, on their face, their findings at [163] – [169] in respect of the CIP applied equally to this group of data subjects, including that, “there is a sufficiently easy trail to follow through hyperlinks to the CIP from the privacy notices which enables people who are concerned about their privacy to follow that route to learn more”. In the circumstances we see no reason to differentiate in terms of the data subjects’ respective routes to the CIP between the FTT’s assessment at [177], explicitly stated to be in respect of the CRA derived data, and the position of those whose data was supplied by the third parties.

Mr Pitt-Payne suggested two specific reasons as to why the positions of these two groups was not materially analogous. We were unpersuaded by these points. Firstly, he submitted that the position was distinct as the data subjects’ personal data obtained from the third party websites was prospectable, whereas the CRA derived data was non-prospectable. However, as we have indicated at [165] above, the question of whether the data subject “already has” the prescribed information in the present kind of context is likely to turn on questions of accessibility and clarity, rather than on the extent to which the processing itself is intrusive. Accordingly, we do not consider that this distinction gives rise to a material difference.

Secondly, Mr Pitt-Payne submitted that not all of the third party websites displayed the Experian related information in the same way. Ms Proops showed us the Gardener’s Club example, where the reference to Experian and the hyperlink to the CIP appeared clearly on the first sign-up page of the website. In his reply, Mr Pitt-Payne said that this was not the universal position and referred us to the “MyOffers” site where the reference to Experian and the hyperlink were not on the signing-up page. However, in light of the relatively global way in which the parties had approached the evidence regarding the third party websites (as illustrated by the Schedule of agreed and disputed facts) and the fact that they were all one click away from the CIP, we consider that the FTT were entitled to arrive at an overall conclusion in respect of the third party websites route, rather than setting out an individualised assessment in relation to particular websites.