Muddied Waters: Why (Data Protection) Tribunals Must Explain Their Factual Assessments

A. Introduction/Summary

International credit referencing agency Experian was hit in 2020 with an Enforcement Notice by the Information Commissioner’s Office (ICO) for lack of transparency and unlawful processing of personal data in its marketing services. Two rounds of appeal have led to a final decision by the Upper Tribunal (UT) that largely overturns the Enforcement Notice.

In this piece, we examine how the case raises significant concerns as to the proper application of data protection law. The First-Tier Tribunal (FTT) judgment relied on a flawed and incomplete assessment, interpretation and explanation of the key factual and contextual aspects of the case and was openly criticised by the UT for being unclear and poorly reasoned [UT §§143, 198]. But because of the UT’s role as an appellate court and consequent restrictive engagement with the factual details of the case, the result hinged upon the FTT’s substandard and untransparent reasoning.

This case is emblematic of litigation proceedings dealing with complex technology and data processing, where lower courts’ assessment and interpretation of facts have an oversized impact on the outcome. Facts and law are intimately intertwined in data protection, such that subjective or otherwise flawed assessments of facts can threaten standards and rights.

It is ironic that the failure to provide clear, understandable and transparent information that formed the basis of the ICO’s case against Experian is what also undermined the FTT’s judgment. It is difficult to see how the result is one where data subjects are better informed about (and better protected against) this sort of intensive and intrusive processing.

B. Background

Experian Marketing Services (EMS) processes the data of the entire adult UK population to provide marketing services to its clients. To do so, it collects personal data from a number of public and commercial sources (including a number of third party websites). It processes all this data to identify known, modelled and derived attributes about individuals, and to create groups, household types and person types. It then uses these attributes to advise its clients on which individuals or groups are most likely to be receptive to their marketing materials.

In its Enforcement Notice, the ICO found that Experian had breached the principle of transparency and that its activities constituted ‘processing on a scale and for detailed analytical purposes which few data subjects would expect’ [EN §28]. It could not rely on its third party suppliers of personal data to effectively provide data subjects with the relevant privacy information, and the latter wasn’t sufficiently detailed nor understandable.

Experian appealed the Enforcement Notice to the FTT, which largely overturned the ICO’s decision.

C. Flaws in the FTT Judgment

The FTT’s decision turned on an assessment of the intrusiveness of Experian’s processing. In an unusual judgment, it significantly downplayed the impact of Experian’s processing on individuals and did not consider that it fell outside of people’s reasonable expectations.

The Impact of Experian’s Processing

The FTT accepted Experian’s submission that the worst outcome of their processing is someone being ‘likely to get a marketing leaflet which might align to their interests rather than be irrelevant’ [§160]. The FTT failed to engage with the problematic nature of Experian’s processing, and made the troubling finding at §166 that ‘actually most people do not care about what happens to their data.’

These claims were unsupported and misinformed. First, whether data processing is particularly privacy intrusive or not has no bearing on the obligations of a controller to provide transparency to data subjects: data subjects must be able to decide for themselves whether they consider a particular type of processing to be intrusive or otherwise undesirable, and to exercise their rights accordingly.

Second, the FTT’s approach ignores a wealth of evidence and contextual facts around Experian’s processing. Experian operates in an ecosystem of interconnected actors who exchange personal data on a mass scale and so cannot be considered in isolation: this recognition underpins data protection’s very purpose and logic. One bad link in the chain can, and does, poison the whole well.

Being a ‘Data Broker’

The FTT also accepted Experian’s submissions that it was not a ‘data broker’ because they produce marketing services [§132]. But this is ignorant of the nature of data broking. Data brokers are rarely, if ever, only data brokers. They extract profit from their mass data processing precisely by turning it into valuable information for various industries, in this case the marketing industry.

Inferred Data

The FTT’s assessment of the intrusiveness of inferred data processed by Experian was that ‘modelled data points may not in fact reflect a person’s actual characteristics,’ and that this ‘makes them less intrusive than processing actual data’ [§145]. This is wrong both in law and in fact.

First, ‘inferred data’ falls within the GDPR definition of personal data and is covered by the same rights and principles. Second, in an age where ‘Big Data’ analytics and AI make predictions about individuals’ behaviours and take significant decisions about them, using inferences is risky and can ‘create new opportunities for discriminatory, biased, and invasive decision-making.’

Providing Information to Data Subjects

Individuals whose data is collected and shared with third-parties (eg Experian) are often presented with a single notice at point of collection that simply refers to the privacy policies of all third party recipients of that data. Recent decisions show that EU authorities are leaning towards holding all controllers (ie not just the original collector) responsible for providing information about their own processing to data subjects—even if they can rely on a third party to provide this information.

The FTT, on the other hand, simply accepted that the existence of a link to Experian’s Consumer Information Portal (CIP) in third party suppliers’ privacy policies was sufficient. The complexity of the data supply chain with its numerous intermediaries demands a much stronger approach to transparency.

D. The Upper Tribunal’s Tribulations 

The ICO put five grounds of appeal before the UT. A cross-cutting element of their submissions was summarised by the UT as follows:

The FTT failed to appreciate or engage with the significance of the overarching Article 5(1)(a) transparency obligation, erred by failing to determine key issues and, in substance, treating Experian’s failures in transparency as being of no account (or to not amount to failures), because of the FTT’s own view as to the innocuous nature of the processing ([§100]).

While the UT did find the FTT judgment lacking for its poor structure, poor reasoning, lack of clarity and length of time it took to issue judgment, it did not find any error of law. The result is the unsatisfying juxtaposition of an entangled FTT judgment approving of Experian’s opaque processing.

Transparency About Transparency

The ICO argued two separate grounds of appeal in relation to transparency requirements, whose treatment had been muddled together by the FTT: ground 1 in relation to Article 5 UK GDPR and ground 2 for Article 14. 

Ground 1

The UT had to work hard to find that the FTT had actually considered whether the standard of transparency required by Article 5(1)(a) had been met, not least because of a strange failure by the FTT to refer to Article 5(1)(a) at the salient moments of the judgment [§116]. The UT noted the lack of clarity in the FTT’s reasoning and conclusions [§122], but found that, taking the whole decision together, it wasn’t bad enough to warrant finding an error of law.

Considerable energy was expended by the UT on reading the runes of the FTT judgment. In a convoluted back and forth between various paragraphs of the FTT judgment, the UT concluded that the FTT ‘did not find that Experian’s processing was not objectively surprising to data subjects’ [§142] (the FTT found that it ‘would be surprising to data subjects as indeed would be the uses to which that data is put when considering the purpose for which it was collected’ [FTT §177]), but (somewhat contradictorily) did find that it went beyond the reasonable expectations of data subjects [§141]. This finding should have been made clearer as it is a key consideration in the application of data protection law. But the UT chose not to do anything against the FTT’s flawed findings or lack of engagement with facts and lack of clear reasoning in finding that the transparency requirements had nonetheless been met [§122, 126, 140-143].

Ground 2

Both parties and the UT also had to make considerable efforts to elucidate the FTT’s approach to Article 14 UK GDPR. The UT again proceeded by inference to figure out which exception of Article 14(5) the FTT was applying [§159, 180], but was unable to ‘re-take the evaluative assessment arrived at by the FTT’ [§168].

The FTT’s silence on transparency over data provided to Experian by third parties caused the UT ‘some anxiety’ [§169]. But the UT relied on the FTT’s generic twelve-word ‘composite indication’ [UT §170] that there was ‘no other material contravention’ [FTT §181] to infer that this included the issue of third party-provided data as it would be ‘inconceivable […] that the FTT could have entirely overlooked this central issue’ [§170]. It is quite stunning that a conclusion on such a fundamental principle of data protection, in circumstances of data sharing between hundreds of entities, for purposes of particularly intrusive processing, would be reached without once explaining why.

E. The UT in a Bind, the FTT in a Fog

The logic of preventing appellate courts from re-opening a lower court’s assessment of facts is understandable. In a case like this, however, it can have dramatic consequences. Ultimately, the UT couldn’t re-perform the FTT’s factual assessment despite the latter’s failure to properly address and explain essential context. The ICO did not argue that the FTT’s evaluative findings were perverse, irrational or unsound and only barely that its reasoning was flawed (perhaps because of the high bar for such arguments to succeed) [§55, 57, 103, 149].

Time and again, the UT declined to inquire into the FTT’s assessment of facts - even if that assessment was nowhere to be found - because it was ‘not a situation in which it would be appropriate for us to re-take the evaluative assessment arrived at by the FTT’ [§168]. While the FTT’s judgment was ‘neither well-structured nor well-reasoned’ [§143], this did not amount to an error of law.

There are some important lessons to draw from this case.

First, a tribunal like the FTT that is able to ‘step into the shoes’ of a decision maker carries a responsibility to provide a well-reasoned and evidenced decision, explaining its engagement with the facts and its reasoning. As the UT concluded, ‘this appeal could have been avoided if the FTT had provided a timely and better reasoned decision’ [§198]. Given how central that analysis is in areas such as data protection law, having such a low bar for transparency and poor quality of reasoning has not proved sufficient in this case.

The interpretation of facts in this case mattered enormously, perhaps decisively—but the FTT’s failure to appreciate the full context and lack of clear reasoning on the application of the evidence before them left the ICO with little (if any) chance of overturning its findings. The FTT effectively acted as a court of last resort for consideration of how complex facts apply to a legal framework, despite it being the first stage of appeal.

F. Conclusion

If both the ICO and the FTT, bodies designed to investigate companies’ data processing, struggled to understand and explain how Experian processed millions of people’s data, how can we expect these very people to understand themselves?

The most important lesson of this litigation may therefore be for improvement in how intensive and intrusive data profiling is explained to the millions of ordinary people affected by it every day. This may be especially important as new approaches to ad-tech are taken in a post-cookie world and as AI further incentivises mass collection of data. Clarity in the form of transparency and sound reasoning are essential to effectively regulate the data-driven advertising industry.

Tom West is a Legal Officer at Privacy International.

Lucie Audibert is a Lawyer at AWO Agency.

Privacy International brought a related complaint against Experian in 2018; information is available here.