Court upholds Information Commissioner's appeal in DSG retail case

19/02/2026 | ICO

The Court of Appeal has ruled in favour of the Information Commissioner's Office in its appeal against a previous Upper Tribunal decision regarding DSG Retail Limited. The judgment, in case CA-2024-002895, confirms that organisations have a clear legal responsibility to maintain appropriate security measures for personal data.

The court clarified that this obligation applies regardless of whether individuals can be identified from the specific data exfiltrated during a cyberattack. The ruling reinstates the interpretation that data controllers must protect information that is identifiable in their own hands, even if it remains anonymous to an unauthorised third party who accesses it.

In a statement, Binnie Goh, ICO General Counsel, said: "Today's judgment is a significant victory, bringing much-needed clarity for people affected by cyber attacks as well as industry. 

"We welcome the CoA's confirmation that organisations must protect all personal data they process, regardless of how it might be used or exploited by hackers. This recognises that even if hackers can't identify people individually from stolen datasets, cyber attacks can and do still cause real harm. 

"With the rising threat of cyber crime, this decision strengthens our ability to take robust action in the future and sends a clear message to all organisations: you have a protective duty to safeguard the personal data you hold."

The background of the case focuses on the definition of personal data following a 2020 cyberattack in which the attackers acquired customer payment card numbers and expiry dates. The ICO originally fined DSG £500,000 under the Data Protection Act 1998, arguing that even if attackers could not identify individuals from the data, the information remained personal data because DSG could link it to other internal records.

DSG challenged the fine. The First-Tier Tribunal (FTT) upheld that the card numbers were personal data in DSG's hands and noted a lack of appropriate security; however, it reduced the monetary penalty to £250,000. Following an appeal, the Upper Tribunal (UT) ruled that the FTT erred by failing to determine whether the stolen information constituted personal data in the hands of the third-party attackers. The UT subsequently ordered a rehearing, but the ICO was granted permission to challenge this at the CoA.

In his conclusions to today's ruling to uphold the ICO's appeal, the Judge said: "Information is "personal data" if it falls within the statutory definition of that term. One of the statutory criteria, and the key criterion for present purposes, is that the individual to whom the information relates is identifiable to the data controller. The security duty requires any data controller of any such information to safeguard it – to the extent laid down in the 1998 Act - against any unauthorised or unlawful processing (as well as against its accidental loss, destruction or damage), whether or not the person carrying out that processing (or causing the loss, destruction or damage) would be able to identify the individual(s) to whom the data relate. If the data are "personal" from the perspective of the data controller, it will be unnecessary to pose the further question of whether they are personal data "in the hands of" or "from the perspective" of any other person. Again, these observations relate to the 1998 Act. In my judgment, the FtT reached the right conclusion and its reasoning was essentially correct. This appeal should be allowed and the matter remitted to the FtT to be determined in accordance with this judgment."

Additional commentary is available from Jon Baines in this excellent LinkedIn post and from ComputerWeekly.
