Info Gov

The Court of Appeal has overturned the Upper Tribunal’s approach to identifiability in the long‑running enforcement action against DSG Retail Ltd, reinstating a controller‑focused interpretation of “personal data” under the Data Protection Act 1998 (DPA 1998).

The judgment in DSG Retail Ltd v The Information Commissioner [2026] EWCA Civ 140 confirms that DSG was required to take appropriate security measures to protect personal data from unauthorised access – regardless of whether people could be identified from the data exfiltrated by the hackers.

The ruling is expected to have significant implications for cyber‑security enforcement and litigation strategy across the public and private sectors.

The case stems from a 2017 cyber‑attack on DSG’s Currys PC World and Dixons Travel stores, in which malware was installed on 5,390 point‑of‑sale tills over a nine‑month period. The attackers scraped transaction data, compromising 5.6 million payment card records, consisting of PANs and expiry dates, and personal data relating to approximately 14 million individuals.

In 2020, the ICO issued a £500,000 monetary penalty notice, the statutory maximum under the DPA 1998. Following appeals by DSG to the First-tier Tribunal (FTT) and Upper Tribunal (UT), the ICO appealed to the CoA in 2024 to seek clarification from the court on an important point of data protection law.

The appeal turned on whether payment card numbers and expiry dates - without cardholder names - constituted “personal data” for the purposes of the security duty in DPP7.

DSG argued that because a malicious actor could not identify individuals from the EMV data alone, the data should not be treated as personal data in that context.

While the Upper Tribunal accepted this reasoning, the Court of Appeal rejected it. Lord Justice Warby held that identifiability must be assessed “from the perspective of the data controller”, not the attacker. “Where the individual to whom information relates is identifiable to a data controller the security duty requires the data controller to safeguard that information… whether or not the person carrying out the processing would be able to identify the individual.”

The Court of Appeal also emphasised the risk of “jigsaw identification”, noting that datasets which appear anonymous in isolation may become identifying when combined with other information reasonably likely to be available.

The Court of Appeal found that the UT’s interpretation would lead to “surprising” and undesirable consequences, including the absence of any obligation to guard against ransomware or other deliberate interference where attackers could not identify data subjects.

It said: “There would… be no obligation to take measures against the risk of deliberate third‑party interference… such as ransomware attacks.”

This would undermine the purpose of the Directive and the DPA 1998, which aim to ensure robust protection of personal data held by controllers.

The ICO issued a public statement welcoming the ruling. Binnie Goh, ICO General Counsel, said: “Today’s judgment is a significant victory, bringing much-needed clarity for people affected by cyber attacks as well as industry.

“We welcome the CoA’s confirmation that organisations must protect all personal data they process, regardless of how it might be used or exploited by hackers. This recognises that even if hackers can’t identify people individually from stolen datasets, cyber attacks can and do still cause real harm.

“With the rising threat of cyber crime, this decision strengthens our ability to take robust action in the future and sends a clear message to all organisations: you have a protective duty to safeguard the personal data you hold.”

The judgment restores a ‘broad and purposive’ interpretation of personal data, aligning with EU jurisprudence and Recital 26 GDPR.

While this case is rooted in the Data Protection Act 1998, the legal interpretation of the security duty by the CoA offers an important guide to similar requirements in the current data protection regime. It reinforces that security obligations attach to all personal data identifiable to the controller, regardless of the attacker’s capabilities.

It also strengthens the ICO’s hand in cases involving partial or pseudonymised datasets, tokenised financial information and ransomware exfiltration where attackers lack full identifiers.

For claimant firms, the decision may influence arguments around materiality, risk, and loss in group litigation arising from cyber incidents.

The case will now return to the FTT to apply the Court of Appeal’s interpretation to the facts of the DSG breach. DSG may still seek permission to appeal to the Supreme Court.

