The decision to uphold the FTT’s earlier findings, which modified the enforcement notice (“EN”) served on Experian at the time, has significant implications for organisations, as data controllers, and for individuals.
Background
The EN related to Experian’s direct marketing business, Experian Marketing Services (“EMS”), which holds and processes data relating to 51 million people across the UK. The data held by EMS would then be sold to provide marketing services to third party clients.
The ICO’s saga with Experian dates back to October 2020, when the company was handed an EN in relation to its data processing activities. This was subsequently appealed by Experian in 2023, where its position was predominantly favoured by the FTT and, as such, the EN was modified and scaled down. As expected, the ICO later appealed this decision to the Upper Tribunal, alleging that the FTT’s decision involved errors of law and failed to adequately address several issues within its initial findings.
What can be learnt from the ICO’s failed appeal?
Are your privacy notices compliant?
One of the key principles of data protection law is that personal data must be used lawfully, fairly, and transparently (Article 5(1)(a) of UK GDPR). To assist in attaining this principle, the UK GDPR details the information that organisations must provide to individuals (usually provided in the form of a privacy notice) when either collecting personal data directly from the individual (Article 13) or obtaining personal data about them indirectly (Article 14).
In their appeal, the ICO alleged that the FTT had erred in law when considering Experian’s processing of personal data. Some of the data Experian processed was obtained from sources other than the individual (e.g. public sources such as the electoral register and Companies House, and third party companies), and so required consideration of Article 14.
Throughout the appeal, the ICO claimed that Experian had not provided data subjects with the sufficient and clear information required when processing their personal data. As such, the ICO asserted that the FTT had failed to apply a legally accurate interpretation of Article 5(1)(a). Whilst the Upper Tribunal admitted that the FTT’s decision was poorly structured and lacked clear reasoning, it was satisfied that there was no error in law, and the FTT’s application of the GDPR stood.
What was of note, however, was that according to the Upper Tribunal, the list of information under Article 14 is just the ‘basic minimum’ that organisations need to provide to individuals, and more information may need to be provided to individuals by organisations if they are to comply with the transparency principle.
The Upper Tribunal also noted that the information shared with individuals should achieve the specific outcomes of ensuring those people are aware of risks, rules, safeguards and rights in relation to the processing of their personal data.
Are you providing privacy notices in a compliant way?
Experian argued that individuals already had the relevant Article 14 information because it was accessible via a hyperlink, or series of hyperlinks, that users could access via its Consumer Information Portal (CIP).
Ultimately, the ICO argued that the information provided by the CIP was layered and not readily accessible to data subjects and, as such, did not meet the exception at Article 14(5)(a) whereby data subjects already have the information. Experian argued that data subjects already had the information, as it was readily available through a series of links, and this was the position upheld by the FTT.
The Upper Tribunal detailed that the FTT was entitled to reach this decision. However, whether the exception is satisfied is examined on a case-by-case basis, as opposed to there being a set rule.
Confirmation that direct marketing can be a legitimate interest
Personal data can be processed where the information is required for the data controller’s legitimate interests, provided individuals’ fundamental rights are not contravened.
In the initial decision, the FTT outlined that the ICO had failed to recognise the commercial benefits for all parties, including the data subjects themselves. On appeal, the ICO argued that the FTT had neglected to address the need for Experian to re-conduct its Legitimate Interest Assessments (LIAs), despite the adverse findings against Experian in this regard. The Upper Tribunal rejected this, detailing that the ICO’s argument here relied on propositions that Experian’s processing was intrusive, non-transparent and harmful. The Upper Tribunal agreed with the FTT in rejecting those propositions. Moreover, as the Upper Tribunal dismissed the ICO’s appeal regarding transparency, this ground of appeal ultimately fell as a result.
Summary
It is clear from both cases that the FTT and the Upper Tribunal are taking a practical approach to data protection and compliance issues. As with the first instance decision, the appeal will be seen as a positive for businesses and data processors, specifically those who carry out direct marketing services.
The decision does, however, stress the importance of transparent data practices. In particular, it suggests that following Articles 13 and 14 when preparing privacy notices might not always be sufficient.
How can MFMac help?
Our data protection experts, Valerie Armstrong-Surgenor and Melissa Hall, advise businesses on all aspects of data protection law including preparation of compliant privacy notices.