The test for "personal data" in the context of data breaches under UK data protection law
The ICO decision against DSG Retail Ltd
In whose hands – the data controller's or the hacker's – should hacked data be assessed to determine if it is "personal data" under UK data protection law?
On 4 November 2024, the UK Information Commissioner's Office (ICO) filed an application seeking permission to appeal the Upper Tribunal's recent decision relating to a personal data breach involving DSG Retail Ltd (DSG). The appeal focuses on the definition of "personal data" in UK data protection law and argues that the Upper Tribunal interpreted the term too narrowly in the context of this breach.
The data breach
The decision relates to a cyber-attack on DSG between July 2017 and April 2018. An attacker installed malware on targeted point of sale terminals (ie card machines) at DSG's retail stores (Currys PC World and Dixons Travel). Although no chip and PIN data was obtained by the attackers from the payment terminals, the attackers obtained the unique 16-digit card number (the primary account number, or PAN) and the card expiry date from each credit or debit card.
ICO penalty notice and subsequent appeals
In January 2020 the ICO issued a penalty notice fining DSG £500,000 for this data breach. This was the maximum fine permitted under the Data Protection Act 1998 (DPA), the incident having occurred before the EU General Data Protection Regulation (and its later UK domestic equivalent, together referred to here as the GDPR) took effect. The fine was imposed on the basis that DSG had failed to secure its system to prevent the data breach. Specifically, the ICO determined that DSG had breached the seventh data protection principle in Schedule 1 to the DPA (DPP7), which required appropriate technical and organisational measures to be taken against (amongst other things) unauthorised or unlawful processing of personal data. The ICO had determined that the PANs were personal data, although without explaining why, and that DSG had failed to protect them with appropriate measures. DSG appealed this decision to the First-tier Tribunal (Information Rights) (the FTT).
In July 2022 the FTT published its decision on the appeal. The presiding judge criticised the ICO’s case, pointing to flaws in its technical understanding of the facts and interpretation of data protection law. In its decision the FTT halved the monetary penalty to £250,000, noting that a number of the alleged security failures identified by the ICO did not breach DPP7, particularly as DSG had made efforts to enhance its security measures after the breach was discovered. However, the FTT did agree with the ICO that there had been a breach of DPP7, as senior managers at DSG had been made aware of a critical security vulnerability in relation to its approach to patch management and password policies, and had not taken appropriate steps to address the vulnerability. DSG appealed this decision to the Upper Tribunal.
A key point on which the FTT focused in its decision was whether certain data obtained in the security breach (the PANs and card expiry dates) amounted to "personal data". The FTT considered a three-limb definition of "personal data":
(i) data which identifies a living individual directly;
(ii) data which identifies a living individual indirectly when combined with other information in the possession of (or likely reasonably to be in the possession of) the data controller;
(iii) as limb (ii), but where the additional information is or is likely reasonably to be in the possession of a third party.
The FTT began its analysis by considering limb (ii), whether the card data amounted to personal data in the hands of the controller (DSG). The FTT determined that, because DSG held other data that could be matched to the PAN and the card expiry dates, such as transaction records, it could link them to a living individual indirectly. Consequently, the PANs together with card expiry dates were deemed "personal data" for DSG. As the FTT concluded that the PAN met limb (ii) of the definition of "personal data", it did not consider whether the PAN met limb (i) or limb (iii). DSG appealed this decision to the Upper Tribunal on a limited number of grounds, particularly focusing on the status of the PANs, since classifying them as "personal data" would have a significant knock-on effect in respect of civil claims arising out of this data breach.
The Upper Tribunal published its decision on DSG's appeal in September 2024 and remitted the case to be re-decided by the FTT. The Upper Tribunal found that the FTT had taken the wrong approach when considering whether the PAN met the definition of "personal data" in the DSG incident. As the ICO alleged that DSG had failed to take appropriate steps to guard against the risk of unauthorised or unlawful processing of personal data by third parties, the Upper Tribunal took the view that it was necessary to consider what information is in the hands of the third parties who might engage in that unauthorised processing, and whether the PAN would constitute personal data in their hands. This involves considering whether the data meets limb (i) and/or limb (iii) of the definition of "personal data", not limb (ii). The Upper Tribunal concluded that the PAN does not amount to personal data in itself (ie it does not satisfy limb (i)), as it does not identify any individual directly. Therefore the PAN would need to be considered in terms of limb (iii).
ICO application to appeal Upper Tribunal's decision
The ICO has now filed an application seeking permission to appeal the Upper Tribunal’s September 2024 decision to the Court of Appeal. The ICO believes that the Tribunal misinterpreted the law relating to the definition of "personal data" and the obligations to protect personal data held by third parties. If the Upper Tribunal and/or the Court of Appeal grants the ICO permission to appeal, the subsequent case could have a significant impact on the interpretation of data protection law in the UK.
If the Court of Appeal finds in favour of the ICO, data controllers would be responsible for third party cyber incidents irrespective of whether the data taken by the third party is pseudonymised such that, if disclosed, it cannot be used by the recipient to identify individuals. This could increase the number of potential data breach complaints and/or claims following an incident. Entities which have faced data breaches following the implementation of the GDPR (May 2018) will also face more severe penalties for failing to protect data than under the DPA 1998.
Alternatively, if the Court of Appeal upholds the Upper Tribunal's decision, this would make it harder to bring a personal data breach claim where data is exfiltrated by a third party actor. For third party data breaches the personal data analysis will therefore, if the Upper Tribunal decision is upheld, require an examination of what identifying information is available to the third party, rather than the data controller. That may be challenging to ascertain. The ICO has indicated that it: "considers the Tribunal interpreted the law incorrectly in then finding that an organisation is not required to take appropriate measures against unauthorised or unlawful processing of data by a third party, where the data is personal data in the hands of the controller but not in the hands of the third party."
It is worth highlighting that this case and the subsequent appeals relate to a decision made under the DPA and not to UK data protection law as it stands now under the GDPR. The definition of "personal data" in the GDPR is the same as that in the DPA, but the GDPR's equivalent to DPP7 (in articles 5(1)(f) and 32) is differently formulated.
Potential impact in Europe
When discussing the test for personal data, the Upper Tribunal also referred to two European Court (CJEU) cases, Single Resolution Board v European Data Protection Supervisor (SRB) and Gesamtverband Autoteile-Handel eV v Scania (Scania). The SRB case related to pseudonymised data provided to a third party vendor and found that it did not matter that the data was still personal in the hands of SRB, as it was not personal in the hands of the third party, and therefore there had not been an unlawful disclosure. [See our article: When does pseudonymized data stop being personal data?]
Similar to the DSG case, Scania examined whether vehicle identification numbers (VIN) fell into the definition of "personal data" if provided to a third party vendor. The Court found that the relevant test was to assess whether the individual could be identified using the VIN and information reasonably available to the third party vendor. [See our article ECJ rules on vehicle data sharing obligations and GDPR (Gesamtverband v Scania)]
As the above cases demonstrate, the European position appears to align with the Upper Tribunal's decision and position on "personal data". However, the Court of Appeal may find in favour of the ICO and decide that data controllers are responsible for unauthorised access in the context of third party cyber breaches even where there is no reasonable likelihood of the third parties being able to identify the affected data subjects. If so, this could lead European policy makers to consider pushing the European courts to clarify the interpretation of personal data under the GDPR, in order to ensure that they are affording their citizens the same data protections as are provided by UK law.