Court upholds Information Commissioner's appeal in DSG retail case

19/02/2026 | Court of Appeal

In a series of LinkedIn posts (here and here), data protection specialist Jon Baines discusses a recent Court of Appeal (CoA) judgment in case CA-2024-002895, Information Commissioner v DSG Retail Limited.

The case concerns the definition of personal data following a 2020 cyberattack in which the attackers acquired customer payment card numbers and expiry dates. The ICO originally fined DSG £500,000 under the Data Protection Act 1998, arguing that even if attackers could not identify individuals from the data, the information remained personal data because DSG could link it to other internal records.

DSG challenged the fine. The First-Tier Tribunal (FTT) upheld that the card numbers were personal data in DSG's hands and noted a lack of appropriate security; however, it reduced the monetary penalty to £250,000. Following an appeal, the Upper Tribunal (UT) ruled that the FTT erred by failing to determine whether the stolen information constituted personal data in the hands of the third-party attackers. The UT subsequently ordered a rehearing, but the ICO was granted permission to challenge this at the CoA.

In its ruling today, the CoA upheld the Information Commissioner's appeal, concluding that: "Information is "personal data" if it falls within the statutory definition of that term. One of the statutory criteria, and the key criterion for present purposes, is that the individual to whom the information relates is identifiable to the data controller. The security duty requires any data controller of any such information to safeguard it – to the extent laid down in the 1998 Act - against any unauthorised or unlawful processing (as well as against its accidental loss, destruction or damage), whether or not the person carrying out that processing (or causing the loss, destruction or damage) would be able to identify the individual(s) to whom the data relate. If the data are "personal" from the perspective of the data controller, it will be unnecessary to pose the further question of whether they are personal data "in the hands of" or "from the perspective" of any other person. Again, these observations relate to the 1998 Act. In my judgment, the FtT reached the right conclusion and its reasoning was essentially correct. This appeal should be allowed and the matter remitted to the FtT to be determined in accordance with this judgment."
