Experian’s GDPR Appeal: Lawfulness, Fairness, and Transparency

On 20th February 2023, the First-Tier (Information Rights) Tribunal (FTT) overturned an Enforcement Notice issued against Experian by the Information Commissioner’s Office (ICO). 

This case relates to Experian’s marketing arm, Experian Marketing Services (EMS), which provides analytics services for direct mail marketing companies. It obtains personal data from three types of source: publicly available sources, third parties and Experian’s credit reference agency (CRA) business. The company processes this personal data to build profiles about nearly every UK adult. An individual profile can contain over 400 data points. The company sells access to this data to marketing companies that wish to improve the targeting of their postal direct marketing communications. 

The ICO issued an Enforcement Notice against Experian in April 2020, alleging several GDPR violations, namely: Art. 5(1)(a) (Principle 1, Lawfulness, fairness, and transparency), Art. 6(1) (Lawfulness of processing) and Art. 14 (Information to be provided where personal data have not been obtained from the data subject). 

Fair and Transparent Processing: Art 5(1)(a) 

The ICO criticised Experian’s privacy notice for being unclear and for not emphasising the “surprising” aspects of Experian’s processing. It ordered Experian to: 

  • Provide an up-front summary of Experian’s direct marketing processing. 
  • Put “surprising” information (e.g. regarding profiling via data from multiple sources) on the first or second layer of the notice. 
  • Use clearer and more concise language. 
  • Disclose each source and use of data and explain how data is shared, providing examples.  

The ICO also ordered Experian to stop using credit reference agency data (CRA data) for any purpose other than those requested by Data Subjects. 

Lawful Processing: Arts. 5(1)(a) and 6(1) 

All processing of personal data under the GDPR requires a legal basis. Experian processed all personal data held for marketing purposes on the basis of its legitimate interests, including personal data that was originally collected on the basis of consent. Before relying on legitimate interests, controllers must conduct a “legitimate interests assessment” to weigh the benefits of the processing against the risks to Data Subjects. Experian had done this, but the ICO said the company had got the balance wrong. It ordered Experian to: 

  • Delete all personal data that had been collected via consent and was subsequently being processed on the basis of Experian’s legitimate interests. 
  • Stop processing personal data where an “objective” legitimate interests assessment revealed that the risks of the processing outweigh the benefits. 
  • Review the GDPR compliance of all third parties providing Experian with personal data. 
  • Stop processing any personal data that has not been collected in a GDPR-compliant way. 

Transparency: Art. 14 

Art. 14 GDPR requires controllers to provide notice to data subjects when obtaining personal data from a third-party or publicly available source. Experian did not provide such notices, relying instead on the exceptions in Art. 14. 

Where Experian had received personal data from third parties, it said that it did not need to provide a notice because “the data subject already has the information”. It noted that before a third party sent Experian personal data, the third party would provide Data Subjects with its own privacy notice. That privacy notice would contain links to Experian’s privacy notice.

Where Experian had obtained personal data from a publicly available source, such as the electoral register, it claimed that to provide a notice would involve “disproportionate effort”. 

The ICO did not agree that these exceptions applied to Experian, and ordered it to: 

  • Send an Art. 14 notice to all Data Subjects whose personal data had been obtained from a third-party source or (with some exceptions) a publicly available source. 
  • Stop processing personal data about Data Subjects who had not received an Art. 14 notice. 

The FTT Decision  

The FTT found that Experian committed only two GDPR violations: 

  • Failing to provide an Art. 14 notice to people whose data had been obtained from publicly available sources. 
  • Processing personal data on the basis of “legitimate interests” where that personal data had been originally obtained on the basis of “consent” (by the time of the hearing, Experian had stopped doing this). 

The FTT said that the ICO’s Enforcement Notice should have given more weight to:  

  • The costs of complying with the corrective measures. 
  • The benefits of Experian’s processing. 
  • The fact that Data Subjects would (supposedly) not want to receive an Art. 14 notice. 

The FTT overturned most of the ICO’s corrective measures. The only new obligation on Experian is to send Art. 14 notices in future to some people whose data comes from publicly available sources. 

FTT on Transparency 

Experian had improved its privacy notice before the hearing, and the FTT was satisfied that it met the Art. 14 requirements. It agreed that Experian did not need to provide a notice to Data Subjects where it had received their personal data from a third party. The FTT said that “…the reasonable data subject will be familiar with hyperlinks and how to follow them”. People who wanted to know about Experian’s processing had the opportunity to learn about it via third-party privacy notices. 

However, the FTT did not agree with Experian’s reliance on the “disproportionate effort” exception. In future, Experian will need to provide Art. 14 notices to some Data Subjects whose personal data comes from publicly available sources. 

FTT on Risks of Processing 

An ICO expert witness claimed that Experian’s use of CRA data presented a risk to Data Subjects. The witness later admitted he had misunderstood this risk. The FTT found that Experian’s use of CRA data actually decreased the risk of harm to Data Subjects. For example, Experian used CRA data to “screen out” data subjects with poor credit history from receiving marketing about low-interest credit cards. The FTT found that this helped increase the accuracy of marketing and was therefore beneficial. As such, the FTT found that the ICO had not properly accounted for the benefits of Experian’s processing of CRA data. 

The ICO’s Planned Appeal 

The FTT’s decision focuses heavily on whether Experian’s processing was likely to cause damage or distress to Data Subjects. Because the FTT found that the risk of damage was low, Experian could rely on exceptions that might not have applied to riskier processing.  

The ICO has confirmed that it will appeal the decision. There are no details yet on their arguments but they may claim that the FTT took an excessively narrow interpretation of privacy harms. 

This and other data protection developments will be discussed in detail on our forthcoming GDPR Update workshop. There are only 3 places left on our next Advanced Certificate in GDPR Practice.  

The WhatsApp GDPR Fine 


On 2nd September, the instant messaging service WhatsApp was fined €225 million by the Irish Data Protection Commission (DPC) under GDPR. It is the largest fine issued by the DPC and the second highest in the EU (In July Luxembourg’s National Commission for Data Protection fined Amazon €746 million after finding that the way the e-commerce giant handles people’s personal data, especially around personalised ads, was not GDPR compliant).

The background to the WhatsApp fine is an investigation by the DPC, which started in December 2018. WhatsApp users are required to provide the company with all their contacts’ phone numbers. Some of these will inevitably belong to non-WhatsApp users. The DPC found that these numbers were also personal data because the subjects were identifiable and consequently WhatsApp was the data controller in relation to such data.

The DPC then evaluated WhatsApp’s compliance with the transparency obligations set out in Articles 14 and 12(1) of GDPR. WhatsApp argued that it took “appropriate measures” to inform non-users of the “very limited ways” in which it processed their personal data. This was supposedly done by stating in its privacy policy that users provide the company with all their contacts’ phone numbers. 

The DPC rejected this argument, pointing to the lack of a discoverable and accessible “public notice” that would provide non-users of WhatsApp services with the information they are entitled to under Article 14. For example, they should be provided with details about the “circumstances in which any non-user personal data is shared with any of the Facebook Companies” (Facebook bought WhatsApp in 2014). It emphasised that the burden of providing such information is outweighed by “the role and utility of the right to be informed”.

The DPC also ruled that WhatsApp had not complied with Article 13 in relation to the privacy information it provided to users. It specifically assessed the extent to which WhatsApp explained its relationship with the Facebook companies and any consequent sharing of data. It criticised the manner in which the information is spread out “across a wide range of texts”, and how a significant amount of it is so high level as to be meaningless. It pointed out how the Facebook FAQ is only linked to WhatsApp’s privacy policy in one place. The information being provided was “unnecessarily confusing and ill-defined”. 

In addition to the fine, the DPC has also imposed a formal reprimand (under GDPR Art. 58(2)(b)) along with an order (under GDPR Art. 58(2)(d)) for WhatsApp to bring its processing into compliance by taking eight specified remedial actions. WhatsApp has 3 months to comply. One of the remedial actions is to remind users of their GDPR rights, which will lead to substantially more work for WhatsApp in meeting the resulting requests.

Data Controllers need to assess how well their privacy policies and notices comply with Articles 13 and 14. This case shows that regulators are willing to enforce GDPR transparency obligations on data controllers even where the obligations are difficult to meet because, like WhatsApp, they have millions of non-service-user data subjects with whom there is no direct relationship.

WhatsApp has confirmed that it will appeal the decision. 

Most of our courses are now available as both classroom and online options. The GDPR Practitioner Certificate is our most popular certificate course, with many courses filling up fast. We have added more dates.

Veni, Veto, Vici : Court of Appeal FOI Veto Case and its Implications


What effect will the Court of Appeal’s recent decision on the FOI – and EIR – ministerial veto have on another recent case – the vetoing of the decision to require disclosure of the High Speed Rail assessment review?

On 6 June 2013 the Information Commissioner (IC) served a Decision Notice under the Environmental Information Regulations 2004 (EIR). Section 50(4) of the Freedom of Information Act 2000 (FOIA) gives the IC the power to do so (those powers being extended to the EIR by Regulation 18). The Decision Notice required the Cabinet Office to disclose a Project Assessment Review (“PAR”) report concerning the high-speed rail link, High Speed Two (HS2). On 30 January 2014 Patrick McLoughlin, Secretary of State for Transport, signed a certificate pursuant to section 53 of FOIA and Regulation 18(6) of the EIR. The effect of this certificate was that the Cabinet Office was no longer required to comply with the IC’s Decision Notice:

“the decision taken by the Cabinet Office not to disclose the PAR report in response to the relevant request was fully in accordance with the provisions of the EIR, or the Act, as appropriate”

Of course, this exercise of ministerial veto – described as a “constitutional aberration” by the Lord Chief Justice (Evans, R (on the application of) v HM Attorney General & Anor [2013] EWHC 1960 (Admin)) – is not unprecedented; the power has now been wielded seven times (twice by the Labour government and five times by the coalition). The minister, notably, was minded to disagree with the IC that the request had fallen to be determined under the EIR rather than FOIA:

“there is considerable force in the Cabinet Office’s position that the information within the PAR report was insufficiently proximate to the environmental impact of the HS2 project itself to amount to “environmental information” for the purposes of the EIR”

However, he went on to say that:

“it is not necessary for me to determine whether the PAR report is environmental information, because I take the view that the Cabinet Office was entitled to withhold it from disclosure, whether or not it consisted of environmental information”

This is perhaps surprising, because at the time he issued that veto certificate there was an argument, being aired in the Court of Appeal, that the power to exercise the veto does not exist under the European law to which the EIR give domestic effect.

Now, the Court of Appeal has handed down judgment (Evans, R (on the application of) v HM Attorney General & Anor [2014] EWCA Civ 254). The case is being recognised, correctly, as primarily about the specific lawfulness of the vetoing of the disclosure of private correspondence on policy matters between the Prince of Wales and government departments. However, as in the Divisional Court beforehand, one point which fell to be determined was about the general status of the veto power in relation to environmental information. On this point the Court of Appeal held that

“the certificate is incompatible with EU law in so far as the information to which it relates is environmental information”

The court’s reasoning was that, although the EIR, by Regulation 18, provide for a ministerial veto, no such power exists in Directive 2003/4/EC of the European Parliament and of the Council of 28 January 2003 on public access to environmental information (“the Directive”), which is implemented in domestic legislation by the EIR. Moreover, Article 6(2) of the Directive says, crucially:

“Member States shall ensure that an applicant has access to a review procedure before a court of law or another independent and impartial body established by law, in which the acts or omissions of the public authority concerned can be reviewed and whose decisions may become final”

This requirement to have a “final” review before a court or independent and impartial body could not be satisfied by the availability of judicial review of a ministerial veto. Article 6(2) and (3) should be given their natural and ordinary meaning: the right is to have the acts or omissions of the public authority reviewed, but in judicial review proceedings the question becomes whether the accountable person had reasonable grounds for forming the opinion that the public authority had in fact complied with its EIR obligations, and “that difference is not a mere matter of form”. Moreover, and for broadly similar reasons, the veto power offended Article 47 of the EU Charter of Fundamental Rights, which provides:

“Everyone whose rights and freedoms guaranteed by the law of the Union are violated has the right to an effective remedy before a tribunal in compliance with the conditions laid down in this Article”

So what does this mean for the veto on the HS2 “PAR” request? It certainly appears at the moment that, following the Court of Appeal’s ratio in Evans, and to the extent that the HS2 request was for environmental information, the veto may be unlawful if (as has been suggested) it is challenged. However, there are two caveats to that. Firstly, the Attorney General has been given permission to appeal Evans to the Supreme Court: it seems highly likely that the general EIR point will be appealed, as well as the overarching specific point about the public law validity of the veto (if the former is not appealed, then it would mean in effect that the government accepts that the EIR fail properly to implement the Directive). Secondly, we must look back to the suggestion by the Minister, when issuing the certificate in the HS2 veto, that he tended to disagree with the IC that the information in question was environmental. Much, despite what he implied about the lack of need to determine this point, may now turn on this: if the information was environmental then Evans, provided the EIR point is not overturned by the Supreme Court, may well lead to the veto being struck down. If, however, the information was not environmental, and FOIA applied, then any appeal of it will presumably be on domestic public law grounds.

At this point it is probably otiose to start speculating on what will happen with requests which are classed as hybrid ones – namely, those which seek information that is a mix of environmental and non-environmental (as, indeed, the requests in both Evans and the HS2 case arguably are). All these matters are by no means yet resolved.

Jon Baines is Chairman of the National Association of Data Protection Officers (NADPO) and works in local government.

Ibrahim Hasan will be discussing this and other recent FOI decisions in the FOI Update workshops and online webinars.

NEW FOI Podcast – Episode 27

In this episode Ibrahim Hasan discusses FOI developments and decisions during September and December 2011. This includes Commissioner and Tribunal decisions on:

  • Information in private e-mails
  • Section 11 and providing summaries
  • Vexatious requests
  • Empty properties
  • The Qualified Person’s Opinion
  • Disclosure of statistics

There is also a quick review of recent developments in the world of transparency and FOI. Click here to listen.

We have a few places left on our upcoming ISEB courses in Birmingham.
