DSG Retail Limited v The Information Commissioner: [2024] UKUT 287 (AAC)
Upper Tribunal Administrative Appeals Chamber decision by Judges H Williams, S Wright, H Stout on 23 September 2024
Judicial Summary
The appeal concerned a Monetary Penalty Notice (MPN) issued by the Information Commissioner (IC) under section 55A of the Data Protection Act 1998. The MPN was issued against the appellant company (“DSG”) following a cyber-attack on the company’s in-store payment systems. The IC had imposed the then maximum penalty of £500,000. On appeal to the First-tier Tribunal, the Tribunal allowed DSG’s appeal in part, substituting a penalty of £250,000. DSG appealed to the Upper Tribunal. The appeal is allowed and the case remitted to the First-tier Tribunal for further determination.
The appeal raised issues about: (i) the scope of the seventh data protection principle (DPP7), which provides that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”; (ii) the proper interpretation and application of the monetary penalty provision in section 55A of the DPA 1998; and (iii) the definition of personal data in section 1 of the DPA 1998.
The Upper Tribunal holds that the unique 16-digit number and expiry date on a credit or debit card (together “EMV data”) are not themselves “personal data” for the purposes of the DPA 1998 because they identify only a bank account and not any individual directly. This data will only be personal data if it can be combined with other personal data in the hands of the data controller or a third party.
The Upper Tribunal further holds that although DPP7 requires data controllers to take “appropriate technical and organisational measures” (“ATOMS”) against accidental loss or destruction of, or damage to, all data that is personal data in the hands of the data controller, DPP7 will only be breached in an ‘accidental loss’-type case if the data controller has failed to take ATOMS in respect of data which would be personal data in the hands of a third party. The First-tier Tribunal erred in this case in determining that DSG had failed to comply with DPP7 in respect of the EMV Data on the basis that this was “personal data” in DSG’s hands, rather than deciding whether the security shortcomings that it had upheld entailed a failure to take ATOMS against “unauthorised or unlawful processing of personal data”, which required consideration of whether the data that was rendered vulnerable would be “personal data” in the hands of third parties who could access it.
The Upper Tribunal also held that the First-tier Tribunal erred in law in relying on the undisputed fact that the EMV Data was “personal data” in DSG’s hands, when reaching its conclusions on the section 55A DPA 1998 criteria (in particular whether there had been a “serious contravention” and, if so, whether it was “of a kind likely to cause substantial damage or substantial distress”) and on the quantum of the MPN. The First-tier Tribunal had also erred in law by finding that the contravention of DPP7 was “serious”, without having assessed the applicable standard or how far below it DSG’s conduct had fallen.