The Upper Tribunal Provides Some Clarity On The Transparency Principle

Transparency is a key requirement under the UK GDPR. In accordance with Article 5(1)(a) of the UK GDPR, personal data should be processed lawfully, fairly, and in a transparent manner. The UK GDPR also provides more specific provisions about the information that data controllers/processors must give to data subjects.

In a recent appeal, the Upper Tribunal offered some much-needed guidance in relation to the overarching duty of transparency and the detailed obligations.

The Information Commissioner’s Office v Experian Limited [2024] UKUT 105 (AAC)

Background

Experian is a credit reference agency that holds and processes data relating to over 51 million people in the UK. Experian publishes on its Consumer Information Portal (CIP) information about its processing of personal data.

The Information Commissioner’s Office (ICO) carried out an investigation in relation to Experian’s processing. The ICO took the view that the processing undertaken by Experian would be surprising to those individuals whose personal data is processed and therefore concluded that the processing by Experian was not transparent. The ICO issued an enforcement notice in relation to this.

Within the enforcement notice, the ICO required Experian to provide all data subjects with a GDPR-compliant privacy notice and to cease the processing of the personal data of any data subject who had not been sent the privacy notice.

First Tier-Tribunal (FTT)

Experian appealed the enforcement notice to the FTT. The FTT emphasised that transparency is central to the UK GDPR. Their decision centred around the requirement under Article 14 of the UK GDPR to provide a compliant privacy notice to all data subjects except in the very limited circumstances set out within the Article itself.

The FTT considered the CIP and concluded that the information provided was clear and sufficiently prominently displayed and accessible to data subjects. The FTT was therefore satisfied that it complied with Article 14.

Experian accepted that around 5.3 million data subjects whose information was processed had not received a privacy notice. Experian argued that the provision of such information would involve a disproportionate effort and therefore they were not required to provide such information in line with the exception in Article 14. The FTT disagreed, commenting that the Article 14 privacy notice requirement cannot be easily avoided. They concluded that the fact that notifying 5.3 million data subjects would involve a considerable business expense did not mean that it would be disproportionate. They found that there had therefore been a contravention of the UK GDPR in relation to this element. The appeal was allowed in part and a substituted and a scaled down enforcement notice was issued.

Upper Tribunal

The ICO appealed the decision to the Upper Tribunal. In essence, the ICO argued that the FTT had misapplied the transparency principle and so had erred in law. Prior to the hearing before the Upper Tribunal, it was agreed by both parties that the CIP contained all of the information required by Article 14.

One of the grounds of appeal was in relation to the data subject’s journey to the CIP. The ICO argued that the FTT did not adequately address whether the data subject’s journey to the CIP via a series of hyperlinks was sufficient to meet the transparency requirement in the UK GDPR. The Upper Tribunal concluded that the hyperlinks leading to the CIP were simple to follow and the relevant information was accessible to data subjects who wanted to understand how their data would be processed. The Upper Tribunal however agreed with the FTT’s conclusion.

The Upper Tribunal upheld the FTT’s findings, and the appeal was dismissed.

Comment

This case is a reminder of the importance of sending a compliant privacy notice to all data subjects to ensure that you are complying with your obligation in accordance with the transparency principle.