Navigating GDPR Transparency: Insights from the Upper Tribunal in the Appeal Against Experian
In a recent decision, the Upper Tribunal dismissed an appeal by the UK Information Commissioner, finding that Experian’s data processing practices had in fact been lawful.
The appeal focussed on whether Experian had properly discharged its transparency obligations under the GDPR (the Transparency Principle), an issue that has not previously been the subject of detailed judicial consideration in the United Kingdom. The Upper Tribunal undertook a thorough assessment of the Transparency Principle and, in doing so, provided general guidance that will no doubt be of wider benefit to the marketing industry.
It remains to be seen whether the Information Commissioner will challenge the Upper Tribunal’s decision.
Background
Experian is a well-known credit reference agency that holds and processes data pertaining to over 51 million individuals living in the United Kingdom - effectively the whole adult population. Less well known is that a business unit within Experian processes such data in order to provide marketing services to third-party clients. It does so by combining the names and addresses of these individuals with up to 13 actual attributes obtained via various sources, including public sources; such data is then processed to create modelled information on the demographic, social, economic, and behavioural characteristics of these individuals on a predictive basis.
Experian’s website includes a Consumer Information Portal, which sets out the ways in which Experian processes data. The adequacy (or otherwise) of this portal from a transparency perspective was one of the central issues in this case. In relation to data derived from Experian’s credit reference agency business, Experian relies on an Information Notice on its website to notify individuals about its personal data sources and how such data is used. The Information Notice contains hyperlinks to the Consumer Information Portal. The accessibility of this route to the portal was also in dispute.
On 12 October 2020, following a wider investigation into the data broking sector, the Information Commissioner issued Experian with an Enforcement Notice. The Commissioner found that Experian’s data processing practices contravened the GDPR transparency requirements and exceeded what many data subjects would reasonably expect. The Commissioner further required Experian to, among other things, revise its Consumer Information Portal and provide all data subjects with an Article 14 compliant privacy notice.
Experian challenged the Enforcement Notice before the First-tier Tribunal in early 2022, contending that it should be set-aside in its entirety. Experian argued that, through the Enforcement Notice, the Information Commissioner was seeking to impose its subjective preferences as if they were legal requirements under the GDPR (these preferences being based on a mischaracterisation of Experian’s business and its impact on privacy), and that if Experian were to comply with the Enforcement Notice, it would be forced to shut down its offline marketing services business. After an extensive delay (over a year following the hearing), the First-tier Tribunal issued a decision in which it allowed the appeal and issued a Supplementary Enforcement Notice; this was the subject of the appeal before the Upper Tribunal.
Guidance on the Transparency Principle
At the heart of the appeal lay the GDPR's Transparency Principle, which mandates that personal data be processed “lawfully, fairly and in a transparent manner” (Article 5(1)(a)). It places the onus on the controller to demonstrate compliance with the Transparency Principle. The Upper Tribunal also considered the specific obligation under Article 14, which requires controllers to provide certain information to data subjects where the personal data has been obtained otherwise than directly from the data subject (as was the case for Experian).
Before setting out its conclusions, the Upper Tribunal provided helpful guidance on the meaning of the Transparency Principle, summarising that:
- There is an overarching obligation to process personal data in a transparent manner in relation to the data subject (Article 5(1)(a)). Articles 13 and 14 impose specific obligations that are linked to this core principle.
- Compliance with the Transparency Principle is principally achieved by providing information to data subjects about how their personal data is being processed. It is a lynchpin of, or gateway to, the GDPR because data subjects cannot enforce the rights afforded to them without this information.
- The accessibility and comprehensibility of the information is as important as its content (being a reference to the requirements of Article 12).
- Depending on the particular circumstances, the Transparency Principle may require the provision of information that goes beyond the requirements of Articles 13 and 14.
- Where the GDPR is not prescriptive, the answer to what transparency requires will be context specific and underpinned by considerations of proportionality, including:
-
-
- The level of sensitivity of personal data being processed. For example, the level of transparency required when sharing intimate health details will not be the same as people consenting to the processing of data about their preferred supermarket.
- The degree to which the processing is intrusive and whether the processing falls outside the reasonable expectations of data subjects.
- The consequence of the processing, including the nature and degree of harm to data subjects that may result.
- The costs for the controller of taking additional steps to ensure the desired outcomes.
-
-
The Appeal
The Information Commissioner advanced five grounds of appeal, including that the First-tier Tribunal had failed to address what the Transparency Principle required as a matter of law and then failed to apply a legally accurate interpretation of the principle to the facts before it. The Commissioner argued that the First-tier Tribunal had focussed on the (benign) consequences to data subjects without taking account of the intrinsic nature of Experian’s processing and the extent to which the processing went beyond the data subjects’ reasonable expectations.
Experian admitted that the First-tier Tribunal’s reasoning could have been expressed more clearly but submitted that it was clear from the content of the First-tier Tribunal’s reasoning that it had taken Article 5(1)(a) into account, despite not referring to the provision in its conclusions.
Having considered the First-tier Tribunal’s decision and drawn the relevant inferences, the Upper Tribunal concluded that the First-tier Tribunal had not erred in law in its application of the Transparency Principle. Whilst the Upper Tribunal accepted that the answer to what transparency requires will be context specific, it noted that transparency is not defined in the GDPR and concluded that it would not have been helpful if the First-tier Tribunal had tried to provide a definition of this concept or put a gloss upon its meaning.
On the specific issue of whether the First-tier Tribunal had regard to the intrinsic nature of Experian’s processing, the Upper Tribunal found that this had been taken into consideration. The First-tier Tribunal had found that the worst outcome of Experian’s processing was that an individual might receive a marketing leaflet that was more aligned to their interests and that Experian’s use of modelled data points was less intrusive than the processing of actual data.
As for the relevance of the reasonable expectations of data subjects, the Upper Tribunal considered that, in line with Article 29 Working Party guidelines on transparency, additional information may need to be provided to individuals where the processing is objectively unexpected. Whilst Experian’s processing had gone beyond the reasonable expectations of data subjects, it found that the First-tier Tribunal had taken the reasonable expectations of data subjects into account when concluding (as it was entitled to do) that the transparency requirements had nonetheless been met.
Takeaway points
The Upper Tribunal’s decision helpfully took the opportunity to provide guidance on the Transparency Principle and reaffirm the centrality of transparency in GDPR compliance.
This decision highlights the importance of providing accessible and comprehensible information to data subjects, whilst also clarifying that transparency requirements are context-specific and must therefore be balanced with considerations of proportionality. Given the ever-evolving nature of the marketing industry, organisations should ensure that they are regularly reviewing their data protection policies in light of their current data processing and data subjects' expectations.
Background
Experian is a well-known credit reference agency that holds and processes data pertaining to over 51 million individuals living in the United Kingdom - effectively the whole adult population. Less well known is that a business unit within Experian processes such data in order to provide marketing services to third-party clients. It does so by combining the names and addresses of these individuals with up to 13 actual attributes obtained via various sources, including public sources; such data is then processed to create modelled information on the demographic, social, economic, and behavioural characteristics of these individuals on a predictive basis.
Experian’s website includes a Consumer Information Portal, which sets out the ways in which Experian processes data. The adequacy (or otherwise) of this portal from a transparency perspective was one of the central issues in this case. In relation to data derived from Experian’s credit reference agency business, Experian relies on an Information Notice on its website to notify individuals about its personal data sources and how such data is used. The Information Notice contains hyperlinks to the Consumer Information Portal. The accessibility of this route to the portal was also in dispute.
On 12 October 2020, following a wider investigation into the data broking sector, the Information Commissioner issued Experian with an Enforcement Notice. The Commissioner found that Experian’s data processing practices contravened the GDPR transparency requirements and exceeded what many data subjects would reasonably expect. The Commissioner further required Experian to, among other things, revise its Consumer Information Portal and provide all data subjects with an Article 14 compliant privacy notice.
Experian challenged the Enforcement Notice before the First-tier Tribunal in early 2022, contending that it should be set-aside in its entirety. Experian argued that, through the Enforcement Notice, the Information Commissioner was seeking to impose its subjective preferences as if they were legal requirements under the GDPR (these preferences being based on a mischaracterisation of Experian’s business and its impact on privacy), and that if Experian were to comply with the Enforcement Notice, it would be forced to shut down its offline marketing services business. After an extensive delay (over a year following the hearing), the First-tier Tribunal issued a decision in which it allowed the appeal and issued a Supplementary Enforcement Notice; this was the subject of the appeal before the Upper Tribunal.
Guidance on the Transparency Principle
At the heart of the appeal lay the GDPR's Transparency Principle, which mandates that personal data be processed “lawfully, fairly and in a transparent manner” (Article 5(1)(a)). It places the onus on the controller to demonstrate compliance with the Transparency Principle. The Upper Tribunal also considered the specific obligation under Article 14, which requires controllers to provide certain information to data subjects where the personal data has been obtained otherwise than directly from the data subject (as was the case for Experian).
Before setting out its conclusions, the Upper Tribunal provided helpful guidance on the meaning of the Transparency Principle, summarising that:
- There is an overarching obligation to process personal data in a transparent manner in relation to the data subject (Article 5(1)(a)). Articles 13 and 14 impose specific obligations that are linked to this core principle.
- Compliance with the Transparency Principle is principally achieved by providing information to data subjects about how their personal data is being processed. It is a lynchpin of, or gateway to, the GDPR because data subjects cannot enforce the rights afforded to them without this information.
- The accessibility and comprehensibility of the information is as important as its content (being a reference to the requirements of Article 12).
- Depending on the particular circumstances, the Transparency Principle may require the provision of information that goes beyond the requirements of Articles 13 and 14.
- Where the GDPR is not prescriptive, the answer to what transparency requires will be context specific and underpinned by considerations of proportionality, including:
-
-
- The level of sensitivity of personal data being processed. For example, the level of transparency required when sharing intimate health details will not be the same as people consenting to the processing of data about their preferred supermarket.
- The degree to which the processing is intrusive and whether the processing falls outside the reasonable expectations of data subjects.
- The consequence of the processing, including the nature and degree of harm to data subjects that may result.
- The costs for the controller of taking additional steps to ensure the desired outcomes.
-
-
The Appeal
The Information Commissioner advanced five grounds of appeal, including that the First-tier Tribunal had failed to address what the Transparency Principle required as a matter of law and then failed to apply a legally accurate interpretation of the principle to the facts before it. The Commissioner argued that the First-tier Tribunal had focussed on the (benign) consequences to data subjects without taking account of the intrinsic nature of Experian’s processing and the extent to which the processing went beyond the data subjects’ reasonable expectations.
Experian admitted that the First-tier Tribunal’s reasoning could have been expressed more clearly but submitted that it was clear from the content of the First-tier Tribunal’s reasoning that it had taken Article 5(1)(a) into account, despite not referring to the provision in its conclusions.
Having considered the First-tier Tribunal’s decision and drawn the relevant inferences, the Upper Tribunal concluded that the First-tier Tribunal had not erred in law in its application of the Transparency Principle. Whilst the Upper Tribunal accepted that the answer to what transparency requires will be context specific, it noted that transparency is not defined in the GDPR and concluded that it would not have been helpful if the First-tier Tribunal had tried to provide a definition of this concept or put a gloss upon its meaning.
On the specific issue of whether the First-tier Tribunal had regard to the intrinsic nature of Experian’s processing, the Upper Tribunal found that this had been taken into consideration. The First-tier Tribunal had found that the worst outcome of Experian’s processing was that an individual might receive a marketing leaflet that was more aligned to their interests and that Experian’s use of modelled data points was less intrusive than the processing of actual data.
As for the relevance of the reasonable expectations of data subjects, the Upper Tribunal considered that, in line with Article 29 Working Party guidelines on transparency, additional information may need to be provided to individuals where the processing is objectively unexpected. Whilst Experian’s processing had gone beyond the reasonable expectations of data subjects, it found that the First-tier Tribunal had taken the reasonable expectations of data subjects into account when concluding (as it was entitled to do) that the transparency requirements had nonetheless been met.
Takeaway points
The Upper Tribunal’s decision helpfully took the opportunity to provide guidance on the Transparency Principle and reaffirm the centrality of transparency in GDPR compliance.
This decision highlights the importance of providing accessible and comprehensible information to data subjects, whilst also clarifying that transparency requirements are context-specific and must therefore be balanced with considerations of proportionality. Given the ever-evolving nature of the marketing industry, organisations should ensure that they are regularly reviewing their data protection policies in light of their current data processing and data subjects' expectations.
Related Attorneys
Related Capabilities
Related Locations
© 2026 Jenner & Block LLP. Attorney Advertising. Jenner & Block LLP is an Illinois Limited Liability Partnership including professional corporations. This publication, presentation, or event is not intended to provide legal advice but to provide information on legal matters and/or firm news of interest to our clients and colleagues. Readers or attendees should seek specific legal advice before taking any action with respect to matters mentioned in this publication or at this event. The attorney responsible for this communication is Brent E. Kidwell, Jenner & Block LLP, 353 N. Clark Street, Chicago, IL 60654-3456. Prior results do not guarantee a similar outcome. Jenner & Block London LLP, an affiliate of Jenner & Block LLP, is a limited liability partnership established under the laws of the State of Delaware, USA and is authorised and regulated by the Solicitors Regulation Authority with SRA number 615729. Information regarding the data we collect and the rights you have over your data can be found in our Privacy Notice. For further inquiries, please contact dataprotection@jenner.com.
In a recent decision, the Upper Tribunal dismissed an appeal by the UK Information Commissioner, finding that Experian’s data processing practices had in fact been lawful.
The appeal focussed on whether Experian had properly discharged its transparency obligations under the GDPR (the Transparency Principle), an issue that has not previously been the subject of detailed judicial consideration in the United Kingdom. The Upper Tribunal undertook a thorough assessment of the Transparency Principle and, in doing so, provided general guidance that will no doubt be of wider benefit to the marketing industry.
It remains to be seen whether the Information Commissioner will challenge the Upper Tribunal’s decision.
Background
Experian is a well-known credit reference agency that holds and processes data pertaining to over 51 million individuals living in the United Kingdom - effectively the whole adult population. Less well known is that a business unit within Experian processes such data in order to provide marketing services to third-party clients. It does so by combining the names and addresses of these individuals with up to 13 actual attributes obtained via various sources, including public sources; such data is then processed to create modelled information on the demographic, social, economic, and behavioural characteristics of these individuals on a predictive basis.
Experian’s website includes a Consumer Information Portal, which sets out the ways in which Experian processes data. The adequacy (or otherwise) of this portal from a transparency perspective was one of the central issues in this case. In relation to data derived from Experian’s credit reference agency business, Experian relies on an Information Notice on its website to notify individuals about its personal data sources and how such data is used. The Information Notice contains hyperlinks to the Consumer Information Portal. The accessibility of this route to the portal was also in dispute.
On 12 October 2020, following a wider investigation into the data broking sector, the Information Commissioner issued Experian with an Enforcement Notice. The Commissioner found that Experian’s data processing practices contravened the GDPR transparency requirements and exceeded what many data subjects would reasonably expect. The Commissioner further required Experian to, among other things, revise its Consumer Information Portal and provide all data subjects with an Article 14 compliant privacy notice.
Experian challenged the Enforcement Notice before the First-tier Tribunal in early 2022, contending that it should be set-aside in its entirety. Experian argued that, through the Enforcement Notice, the Information Commissioner was seeking to impose its subjective preferences as if they were legal requirements under the GDPR (these preferences being based on a mischaracterisation of Experian’s business and its impact on privacy), and that if Experian were to comply with the Enforcement Notice, it would be forced to shut down its offline marketing services business. After an extensive delay (over a year following the hearing), the First-tier Tribunal issued a decision in which it allowed the appeal and issued a Supplementary Enforcement Notice; this was the subject of the appeal before the Upper Tribunal.
Guidance on the Transparency Principle
At the heart of the appeal lay the GDPR's Transparency Principle, which mandates that personal data be processed “lawfully, fairly and in a transparent manner” (Article 5(1)(a)). It places the onus on the controller to demonstrate compliance with the Transparency Principle. The Upper Tribunal also considered the specific obligation under Article 14, which requires controllers to provide certain information to data subjects where the personal data has been obtained otherwise than directly from the data subject (as was the case for Experian).
Before setting out its conclusions, the Upper Tribunal provided helpful guidance on the meaning of the Transparency Principle, summarising that:
- There is an overarching obligation to process personal data in a transparent manner in relation to the data subject (Article 5(1)(a)). Articles 13 and 14 impose specific obligations that are linked to this core principle.
- Compliance with the Transparency Principle is principally achieved by providing information to data subjects about how their personal data is being processed. It is a lynchpin of, or gateway to, the GDPR because data subjects cannot enforce the rights afforded to them without this information.
- The accessibility and comprehensibility of the information is as important as its content (being a reference to the requirements of Article 12).
- Depending on the particular circumstances, the Transparency Principle may require the provision of information that goes beyond the requirements of Articles 13 and 14.
- Where the GDPR is not prescriptive, the answer to what transparency requires will be context specific and underpinned by considerations of proportionality, including:
-
-
- The level of sensitivity of personal data being processed. For example, the level of transparency required when sharing intimate health details will not be the same as people consenting to the processing of data about their preferred supermarket.
- The degree to which the processing is intrusive and whether the processing falls outside the reasonable expectations of data subjects.
- The consequence of the processing, including the nature and degree of harm to data subjects that may result.
- The costs for the controller of taking additional steps to ensure the desired outcomes.
-
-
The Appeal
The Information Commissioner advanced five grounds of appeal, including that the First-tier Tribunal had failed to address what the Transparency Principle required as a matter of law and then failed to apply a legally accurate interpretation of the principle to the facts before it. The Commissioner argued that the First-tier Tribunal had focussed on the (benign) consequences to data subjects without taking account of the intrinsic nature of Experian’s processing and the extent to which the processing went beyond the data subjects’ reasonable expectations.
Experian admitted that the First-tier Tribunal’s reasoning could have been expressed more clearly but submitted that it was clear from the content of the First-tier Tribunal’s reasoning that it had taken Article 5(1)(a) into account, despite not referring to the provision in its conclusions.
Having considered the First-tier Tribunal’s decision and drawn the relevant inferences, the Upper Tribunal concluded that the First-tier Tribunal had not erred in law in its application of the Transparency Principle. Whilst the Upper Tribunal accepted that the answer to what transparency requires will be context specific, it noted that transparency is not defined in the GDPR and concluded that it would not have been helpful if the First-tier Tribunal had tried to provide a definition of this concept or put a gloss upon its meaning.
On the specific issue of whether the First-tier Tribunal had regard to the intrinsic nature of Experian’s processing, the Upper Tribunal found that this had been taken into consideration. The First-tier Tribunal had found that the worst outcome of Experian’s processing was that an individual might receive a marketing leaflet that was more aligned to their interests and that Experian’s use of modelled data points was less intrusive than the processing of actual data.
As for the relevance of the reasonable expectations of data subjects, the Upper Tribunal considered that, in line with Article 29 Working Party guidelines on transparency, additional information may need to be provided to individuals where the processing is objectively unexpected. Whilst Experian’s processing had gone beyond the reasonable expectations of data subjects, it found that the First-tier Tribunal had taken the reasonable expectations of data subjects into account when concluding (as it was entitled to do) that the transparency requirements had nonetheless been met.
Takeaway points
The Upper Tribunal’s decision helpfully took the opportunity to provide guidance on the Transparency Principle and reaffirm the centrality of transparency in GDPR compliance.
This decision highlights the importance of providing accessible and comprehensible information to data subjects, whilst also clarifying that transparency requirements are context-specific and must therefore be balanced with considerations of proportionality. Given the ever-evolving nature of the marketing industry, organisations should ensure that they are regularly reviewing their data protection policies in light of their current data processing and data subjects' expectations.
Background
Experian is a well-known credit reference agency that holds and processes data pertaining to over 51 million individuals living in the United Kingdom - effectively the whole adult population. Less well known is that a business unit within Experian processes such data in order to provide marketing services to third-party clients. It does so by combining the names and addresses of these individuals with up to 13 actual attributes obtained via various sources, including public sources; such data is then processed to create modelled information on the demographic, social, economic, and behavioural characteristics of these individuals on a predictive basis.
Experian’s website includes a Consumer Information Portal, which sets out the ways in which Experian processes data. The adequacy (or otherwise) of this portal from a transparency perspective was one of the central issues in this case. In relation to data derived from Experian’s credit reference agency business, Experian relies on an Information Notice on its website to notify individuals about its personal data sources and how such data is used. The Information Notice contains hyperlinks to the Consumer Information Portal. The accessibility of this route to the portal was also in dispute.
On 12 October 2020, following a wider investigation into the data broking sector, the Information Commissioner issued Experian with an Enforcement Notice. The Commissioner found that Experian’s data processing practices contravened the GDPR transparency requirements and exceeded what many data subjects would reasonably expect. The Commissioner further required Experian to, among other things, revise its Consumer Information Portal and provide all data subjects with an Article 14 compliant privacy notice.
Experian challenged the Enforcement Notice before the First-tier Tribunal in early 2022, contending that it should be set-aside in its entirety. Experian argued that, through the Enforcement Notice, the Information Commissioner was seeking to impose its subjective preferences as if they were legal requirements under the GDPR (these preferences being based on a mischaracterisation of Experian’s business and its impact on privacy), and that if Experian were to comply with the Enforcement Notice, it would be forced to shut down its offline marketing services business. After an extensive delay (over a year following the hearing), the First-tier Tribunal issued a decision in which it allowed the appeal and issued a Supplementary Enforcement Notice; this was the subject of the appeal before the Upper Tribunal.
Guidance on the Transparency Principle
At the heart of the appeal lay the GDPR's Transparency Principle, which mandates that personal data be processed “lawfully, fairly and in a transparent manner” (Article 5(1)(a)). It places the onus on the controller to demonstrate compliance with the Transparency Principle. The Upper Tribunal also considered the specific obligation under Article 14, which requires controllers to provide certain information to data subjects where the personal data has been obtained otherwise than directly from the data subject (as was the case for Experian).
Before setting out its conclusions, the Upper Tribunal provided helpful guidance on the meaning of the Transparency Principle, summarising that:
- There is an overarching obligation to process personal data in a transparent manner in relation to the data subject (Article 5(1)(a)). Articles 13 and 14 impose specific obligations that are linked to this core principle.
- Compliance with the Transparency Principle is principally achieved by providing information to data subjects about how their personal data is being processed. It is a lynchpin of, or gateway to, the GDPR because data subjects cannot enforce the rights afforded to them without this information.
- The accessibility and comprehensibility of the information is as important as its content (being a reference to the requirements of Article 12).
- Depending on the particular circumstances, the Transparency Principle may require the provision of information that goes beyond the requirements of Articles 13 and 14.
- Where the GDPR is not prescriptive, the answer to what transparency requires will be context specific and underpinned by considerations of proportionality, including:
-
-
- The level of sensitivity of personal data being processed. For example, the level of transparency required when sharing intimate health details will not be the same as people consenting to the processing of data about their preferred supermarket.
- The degree to which the processing is intrusive and whether the processing falls outside the reasonable expectations of data subjects.
- The consequence of the processing, including the nature and degree of harm to data subjects that may result.
- The costs for the controller of taking additional steps to ensure the desired outcomes.
-
-
The Appeal
The Information Commissioner advanced five grounds of appeal, including that the First-tier Tribunal had failed to address what the Transparency Principle required as a matter of law and then failed to apply a legally accurate interpretation of the principle to the facts before it. The Commissioner argued that the First-tier Tribunal had focussed on the (benign) consequences to data subjects without taking account of the intrinsic nature of Experian’s processing and the extent to which the processing went beyond the data subjects’ reasonable expectations.
Experian admitted that the First-tier Tribunal’s reasoning could have been expressed more clearly but submitted that it was clear from the content of the First-tier Tribunal’s reasoning that it had taken Article 5(1)(a) into account, despite not referring to the provision in its conclusions.
Having considered the First-tier Tribunal’s decision and drawn the relevant inferences, the Upper Tribunal concluded that the First-tier Tribunal had not erred in law in its application of the Transparency Principle. Whilst the Upper Tribunal accepted that the answer to what transparency requires will be context specific, it noted that transparency is not defined in the GDPR and concluded that it would not have been helpful if the First-tier Tribunal had tried to provide a definition of this concept or put a gloss upon its meaning.
On the specific issue of whether the First-tier Tribunal had regard to the intrinsic nature of Experian’s processing, the Upper Tribunal found that this had been taken into consideration. The First-tier Tribunal had found that the worst outcome of Experian’s processing was that an individual might receive a marketing leaflet that was more aligned to their interests and that Experian’s use of modelled data points was less intrusive than the processing of actual data.
As for the relevance of the reasonable expectations of data subjects, the Upper Tribunal considered that, in line with Article 29 Working Party guidelines on transparency, additional information may need to be provided to individuals where the processing is objectively unexpected. Whilst Experian’s processing had gone beyond the reasonable expectations of data subjects, it found that the First-tier Tribunal had taken the reasonable expectations of data subjects into account when concluding (as it was entitled to do) that the transparency requirements had nonetheless been met.
Takeaway points
The Upper Tribunal’s decision helpfully took the opportunity to provide guidance on the Transparency Principle and reaffirm the centrality of transparency in GDPR compliance.
This decision highlights the importance of providing accessible and comprehensible information to data subjects, whilst also clarifying that transparency requirements are context-specific and must therefore be balanced with considerations of proportionality. Given the ever-evolving nature of the marketing industry, organisations should ensure that they are regularly reviewing their data protection policies in light of their current data processing and data subjects' expectations.
Related Attorneys
Related Capabilities
Related Locations
© 2026 Jenner & Block LLP. Attorney Advertising. Jenner & Block LLP is an Illinois Limited Liability Partnership including professional corporations. This publication, presentation, or event is not intended to provide legal advice but to provide information on legal matters and/or firm news of interest to our clients and colleagues. Readers or attendees should seek specific legal advice before taking any action with respect to matters mentioned in this publication or at this event. The attorney responsible for this communication is Brent E. Kidwell, Jenner & Block LLP, 353 N. Clark Street, Chicago, IL 60654-3456. Prior results do not guarantee a similar outcome. Jenner & Block London LLP, an affiliate of Jenner & Block LLP, is a limited liability partnership established under the laws of the State of Delaware, USA and is authorised and regulated by the Solicitors Regulation Authority with SRA number 615729. Information regarding the data we collect and the rights you have over your data can be found in our Privacy Notice. For further inquiries, please contact dataprotection@jenner.com.
News and Insights
Podcasts
Partner Laurel Loomis Rimon Discusses Fintech Enforcement, Debanking, and Regulatory Risk on Fintech Layer Cake Podcast
Partner Laurel Loomis Rimon was featured on the Fintech Layer Cake podcast, where she discussed how fintech enforcement and prosecution actually work in practice, and what exposes fintechs and banks to regulatory risk.
July 15, 2026
Publications
Supreme Court Clarifies Scope of Private Rights of Action Under the Investment Company Act, Private Equity Law Report
Partners Charles Riely, Todd C. Toral, and Martin Glass authored a guest article for Private Equity Law Report examining the US Supreme Court's June 11, 2026, ruling on the scope of private rights of action under the Investment Company Act of 1940.
July 14, 2026
Publications
Emily Loeb Discusses Congressional Oversight Preparedness in Bloomberg Law
Partner Emily Loeb, co-chair of Jenner & Block's Congressional Investigations Practice, spoke with Bloomberg Law article about how companies can prepare for potential oversight exposure ahead of this fall's midterm elections.
July 7, 2026
Publications
In New York Law Journal, The True Lender Doctrine and the OppFi Decision
Partners Jeremy Creelan, Michael Ross, Megan Poetzel, and Laurel Loomis Rimon, and Associate Molly Oberstein-Allen authored an article for the New York Law Journal examining the "True Lender" doctrine in light of a May 2026 California decision that provides the most detailed judicial framework to date for evaluating bank-nonbank lending partnerships.
July 1, 2026
Event
Partner Michael Vernick to Speak at NACUA's 2026 Annual Conference
On July 1, Partner Michael Vernick will speak on a panel at the National Association of College and University Attorneys (NACUA) 2026 Annual Conference in Nashville.
July 1, 2026