Experian appeal ruling provides guidance on GDPR transparency requirements

According to data protection law expert Malcolm Dowden of Pinsent Masons, a ruling by the upper tribunal highlighted that particular care is required when personal data is acquired from a third party rather than directly from the individual concerned. In those “indirect transparency” cases, businesses may need to provide more than the “bare minimum” prescribed under UK data protection law, the tribunal said, which Dowden added may require businesses to take more proactive steps to ensure that individuals have the information required to understand why and how their personal data is being processed.

The clarification was provided by the upper tribunal in a recent decision in which it dismissed an appeal brought by the Information Commissioner’s Office (ICO) in a case concerning the privacy practices of Experian Marketing Services (EMS), a business unit of credit reference agency Experian. EMS processes the data of around 51 million people in the UK to provide marketing services which it sells to its third-party clients. As well as using data from publicly available sources such as the Open Electoral Roll (OER), Companies House and the register of county court judgments, EMS acquires data from third party suppliers to create modelled information on the demographic, social, economic, and behavioural characteristics of individuals and households.

The ICO issued Experian with an enforcement notice in 2020 over concerns it had about the legal basis for the company’s processing of personal data and its compliance with transparency obligations under UK data protection law. However, Experian was largely successful in raising an appeal against that enforcement notice, with the first-tier information rights tribunal issuing its decision in February last year. In its subsequent appeal, the ICO claimed the FTT had made a number of errors of law in reaching its decision, but the upper tribunal has now rejected those assertions. The ICO has said it considering whether to raise a further appeal.

In its decision, the upper tribunal provided some guidance on the transparency principle under the UK General Data Protection Regulation (GDPR).

Article 5(1)(a) of the GDPR requires that personal data be processed lawfully, fairly and in a transparent manner in relation to the data subject. That principle is supplemented by further rules that set out what information organisations need to provide data subjects with when either collecting personal data directly from them (Article 13) or obtaining such data about them indirectly (Article 14). Article 12 further sets out the nature and form the information to be provided should take, including that it is in a concise, transparent, intelligible and easily accessible form, and in clear, plain language.

Some of the data Experian holds about individuals has been obtained indirectly from third parties. As such, the Article 14 requirements have been at the centre of the dispute between the ICO and Experian.

Information that organisations must provide data subjects with under Article 14 includes, among other things, information about who they are, their contact details, the purposes of processing and the legal basis for that processing, the categories of personal data they intend to process, and at least the categories of other organisations they intend to share the data with. Further information about how long they intend to retain the data and about the rights data subjects can exercise in respect of the data, is among the other information that has to be provided.

According to the upper tribunal, though, the Article 14 list of information, and the similar list under Article 13, is just the “basic minimum” that organisations need to provide to data subjects. It said that, depending on the circumstances, more information may need to be provided to data subjects by organisations if they are to comply with the transparency principle under Article 5(1)(a).

The upper tribunal said that the information shared with data subjects should achieve the specific outcomes of ensuring those people are aware of risks, rules, safeguards and rights in relation to the processing of personal data and the specific purposes for which data is being processed. It acknowledged, though, that the GDPR does not prescribe exactly how to achieve that.

Therefore, the upper tribunal said the requirements for transparency from case to case will be context specific and underpinned by considerations of proportionality. It said it would also be based on an evaluative judgement with reference to relevant circumstances, which could include, for example, the sensitivity of the data being processed, how intrusive the processing is, and the potential consequences of the processing – including the nature and degree of harm, or benefit, to data subjects that may result – as well as the cost organisations would incur to take the additional steps to achieve the desired outcomes.

Another issue that arose in the ICO’s appeal was the extent to which Experian could be said to fall within an exception to the Article 14 requirements. Article 14(5)(a) provides an exception where the data subject “already has the information”.

Experian argued that data subjects already had the relevant Article 14 information because it was accessible via a hyperlink or series of hyperlinks that users could access via its consumer information portal. The FTT had accepted that a hyperlink or series of hyperlinks could engage the exception, but the ICO argued on appeal that that finding was an error in law. The upper tribunal said, though, that the FTT had been entitled to reach the conclusion it did on the point. However, it emphasised that it is always a question of fact and degree, rather than a matter of rigid principle, as to whether the ability to access the relevant information via a hyperlink or a series of hyperlinks satisfies the Article 14(5)(a) exception.