This appeal is about the scope of the duty that data protection law imposes on data controllers to protect personal data of which they are the data controller by taking “appropriate technical and organisational measures”. This obligation is now known as the security principle under Article 5(1)(f) of the UK GDPR. This case, however, predated the UK GDPR, so the Court had to analyse the wording of the Data Protection Act 1998. The principles are nonetheless equally applicable to the UK GDPR.
The question raised by the appeal is whether the law requires a data controller to guard against the risk that data which relates to individuals who can be identified by the data controller will be subject to unauthorised or unlawful processing by a third party who cannot identify those individuals.
Background: the DSG cyber-attack
In 2017-2018, there was a cyber-attack on the systems of DSG Retail Limited. Over a period of 9 months, the attackers obtained millions of items of data by “scraping” transaction details from point-of-sale terminals and/or card readers as transactions were made. More than 5.6 million payment cards were affected. Crucially, most cards were protected by the “chip-and-pin” system (EMV Data) and in those instances, the attackers were only able to obtain the card number and the expiry date, not the cardholder’s name and information that would enable them to be identified.
The data controller security duty dispute: tribunal proceedings
The ICO carried out an investigation, found that DSG had breached the security principle and served a monetary penalty notice in the maximum sum of £500,000. DSG appealed to the First-Tier Tribunal and submitted that the security principle did not require them to take appropriate technical and organisational measures against third-party acquisition of the EMV Data, because the individuals could not be identified from the data and it was therefore not personal data in the hands of third parties. The First-Tier Tribunal rejected this argument and found that the principle did apply, as the EMV Data was personal data in the hands of DSG.
Upper tribunal decision
DSG appealed the decision to the Upper Tribunal. The Upper Tribunal agreed with DSG’s analysis and reversed the findings of the First-Tier Tribunal on the issue. The key finding was that the question of whether third-party acquisition of the EMV Data involved personal data had to be analysed from the perspective of the third party. Therefore, third-party acquisition of data was not “unauthorised or unlawful processing” if the data did not identify the individuals and the third party had no other means of identifying those individuals.
Court of Appeal: ICO’s arguments
The ICO appealed the decision to the Court of Appeal.
The ICO submitted that the Upper Tribunal’s interpretation was too narrow: it did not properly reflect the ordinary meaning of the language used by Parliament and/or the EU, nor did it give proper effect to the legislative purposes. On the Upper Tribunal’s approach, a data controller would have no duty to protect against malicious third-party action to destroy or alter personal data held by the controller where the third party could not identify the data subjects, and the ICO would have no basis for taking regulatory action against such a data controller.
Court of Appeal decision
The Court of Appeal ultimately concluded that if the data is “personal data” from the perspective of the data controller, it will be unnecessary to consider whether it is “personal data” in the hands of or from the perspective of any other person. The First-Tier Tribunal’s decision was upheld and the appeal allowed.
The decision confirms that data controllers remain responsible for having appropriate technical and organisational measures in place to protect personal data, even where a third party would be unable to identify any data subjects from the information in question.
How can we help?
Ruby Raine-Ellerker is a Senior Associate in our expert Dispute Resolution team, specialising in data breach claims, inheritance and Trust disputes and defamation claims.
If you need any advice, please do not hesitate to contact Ruby or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.
If this article relates to a specific case or cases, please note that the facts of the case(s) are correct at the time of writing.