“Transparency is central” – but perhaps only if you care to read: what you need to know about Experian’s appeal at the First Tier Tribunal

The background to the appeal

The Information Commissioner’s enforcement against Experian followed a lengthy investigation into the actions of the three largest credit reference agencies (CRAs) in the UK, focussing on CRAs’ collection and reuse of data within their various postal direct marketing products. Although the ICO produced a general report into the practices of “data brokers”, the Commissioner only took formal enforcement action against Experian. The Commissioner’s enforcement notice, still available on the ICO’s website, explained that Experian had erred:

• in its failure to provide an adequate notice to all data subjects ,and any notice at all to a sizeable number whose information Experian had received indirectly;
• in reusing data collected for credit referencing purposes for certain additional purposes, including the screening out of individuals where there were affordability concerns;
• in relying on legitimate interests where it was carrying out “surprising” and “intrusive” processing;
• in relying on legitimate interests where the original lawful basis of a supplier was consent; and
• in failing to do sufficient due diligence on its suppliers.

For a more detailed analysis of the original enforcement notice, please see our article from November 2020.

Experian appealed against the Information Commissioner’s findings, and argued that the notice should be set aside in its entirety. Experian’s grounds of appeal, summarised in paragraphs 31 to 46 of the FTT judgment, explained its belief that the Commissioner had sought to impose her “subjective preferences” as if they were legal obligations, applying a “counsel of perfection rather than adequacy” and that those preferences were “based on a mischaracterisation of Experian’s business and its impact on individual’s privacy”. Experian also argued that the Commissioner’s enforcement approach was disproportionate, and would have the “perverse” impact of requiring a privacy notice to be “rendered less and not more meaningful” and that it would result in more direct marketing being sent, including to vulnerable people, due to the inevitable withdrawal of its products.

Between the issuing of the notice in October 2020, and the eventual hearing before the FTT in early 2022, changes were made by Experian in how it collects data – notably, it no longer uses any suppliers who rely on consent to share data - and how it provides its privacy notice. These proved important to the Tribunal’s findings.

The FTT findings, in short…

The FTT upheld much of Experian’s appeal, rejecting the ICO’s views on the meaningful transparency of Experian’s privacy notice and on Experian’s ability to rely on legitimate interests for much of its processing. It also criticised the ICO’s approach to its enforcement action, and its presentation of evidence both within the enforcement notice and before the Tribunal.

The FTT agreed with the ICO that Experian had unlawfully failed to notify over 5 million individuals, and that the disproportionate effort exemption to providing notice is narrow – but imposed a more lenient obligation on Experian to rectify this breach.

…and in more depth

Transparency may be “central”, but the FTT believes it reasonable that data subjects make the effort to read into layered links.

The Commissioner’s enforcement notice had found several failings in Experian’s transparency notice. In particular, she found that Experian’s Consumer Information Portal (“CIP”) (at least in October 2020):

• did not set out clearly in one place the information that might be processed about an individual;
• only presented information likely to surprise individuals in the third or fourth layer of the CIP;
• placed too much emphasis on the benefits rather than the potential risks of data broking;

The Experian CIP (both at the time of the hearing and…