Data Protection Network

ICO wins lengthy battle against UK retailer

If data is personal in the hands of a controller it must be protected

In a significant victory for the UK’s Information Commissioner’s Office (ICO), the Court of Appeal (CoA) has ruled controllers are required to take appropriate technical and organisational measures to protect personal data even where an unauthorised third party would not be able to identify individuals.

The lengthy legal battle started in 2020 when the ICO issued DSG, the owner of Currys, PC World and Dixons, with a £500,000 fine. This followed a 2017/18 cyber-attack, and the fine was the maximum permitted under the Data Protection Act 1998. The Regulator’s investigation found failures to patch software systems, install firewalls, segregate networks and conduct routine security testing.

Initially the ICO’s monetary penalty was upheld by the First-Tier Tribunal, but this was then reversed by the Upper Tribunal, which found in DSG’s favour. DSG had argued the duty to secure personal data did not extend to protecting information which was not identifiable in the hands of the attacker.

At the nub of DSG’s defence was the fact hackers had accessed 16-digit card numbers and expiry dates, but not the names on the cards. While DSG could identify the people affected from these payment details, it was argued the hackers could not.

However, the CoA has now rejected this argument, making it clear that personal data must be viewed from the perspective of the controller, not of any unauthorised party who may have access to it. In other words, organisations must have appropriate measures in place to protect information, regardless of whether a third party is able to use it to identify individuals.

There were concerns if DSG had won this would lead to a weakening of the obligation on organisations to take appropriate measures against the risk of malicious attacks.

The ICO’s General Counsel, Binnie Goh, said:

“We welcome the CoA’s confirmation that organisations must protect all personal data they process, regardless of how it might be used or exploited by hackers. This recognises that even if hackers can’t identify people individually from stolen datasets, cyber attacks can and do still cause real harm.

“With the rising threat of cyber crime, this decision strengthens our ability to take robust action in the future and sends a clear message to all organisations: you have a protective duty to safeguard the personal data you hold.”

The case will now go back to the First-Tier Tribunal. This may not be the end of it. The legal wrangling may continue if DSG appeals the CoA decision, and it could become a matter for the UK Supreme Court.

As a data protection consultant since 2015, Philippa advises and supports a broad range of clients, and delivers data protection training. She also regularly writes GDPR guides to support data protection teams in their day-to-day work.