
DSG v ICO: which perspective applies when determining duties?

Posted on 25 February 2026


The Court of Appeal has upheld an appeal by the Information Commissioner in long-running regulatory litigation arising from a cyber breach DSG Retail Ltd suffered in 2017-2018, which led the ICO to impose a fine of the then-maximum £500,000 under the now-repealed Data Protection Act 1998. The breach involved the attackers taking a large volume of financial card information, but in the very large majority of cases the information consisted only of the cards' PAN (the 16-digit number on the front of a card) and their expiry date (the "EMV data"). So, in that majority of cases, no names or CVV numbers were disclosed. It is common ground that the EMV data is personal data in the hands of DSG Retail, because DSG Retail can match it with the other information it holds and identify the individuals to whom the data relates. What has been at issue is whether the EMV data is personal data in the hands of the attacker.

On initial appeal, the First-tier Tribunal (FTT) agreed with the ICO that DSG Retail had contravened the data security principle requirement to take "appropriate technical and organisational measures...against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data". However, the FTT reduced the fine to £250,000, holding that the contravention was not as serious as the ICO had determined.

On the next appeal, to the Upper Tribunal, DSG Retail focused its case on an argument that, when assessing whether a controller has complied with the data security principle, the ICO - and the courts - must consider whether the information accessed by the attacker was personal data from the perspective of the attacker. As the very large majority of exfiltrated information in this case was incapable of being connected by the attacker to any identifiable individual, it was not personal data in the attacker's hands. In agreeing with this submission, and upholding DSG's appeal, the Upper Tribunal held that the ICO had fallen into error in finding that there had been a contravention of the data security principle without considering whether the data that was rendered vulnerable would be "personal data" in the hands of third parties who could access it.

The Court of Appeal has now overturned the Upper Tribunal's decision, saying that the data security principle applies if the data is "personal" from the perspective of the data controller, and that it is unnecessary to consider whether it is personal data "in the hands of" or "from the perspective" of any other person.

This is the latest in a long line of cases, including from the European courts, which deal with the questions of "identifiability" and "perspective", and the issues remain both complex and controversial. It is quite possible that there will be a further appeal to the Supreme Court, although DSG Retail is not believed to have made any announcement as yet.
