In this blog, we trace the long procedural history of the DSG Retail case, outline how the dispute over the status of pseudonymised data reached the Court of Appeal, and examine the court’s reasoning in overturning the Upper Tribunal’s approach. We explain why the judgment matters for the Information Commissioner’s Office (ICO), particularly in relation to its longstanding interpretation of personal data under both the Data Protection Act (DPA) 1998 and DPA 2018, and the UK General Data Protection Regulation (UK GDPR). We also consider the practical implications both for organisations and for future data protection cases, as well as reflecting on whether DSG Retail may seek permission to appeal to the Supreme Court.
The long-awaited judgment in the Information Commissioner’s Office’s (ICO’s) appeal to the Court of Appeal of England and Wales in the DSG Retail case has now arrived, offering important clarification on how personal data should be interpreted when pseudonymised information is accessed as part of a data breach. After years of litigation and an unprecedented challenge to the Upper Tribunal (UT), the Court of Appeal’s ruling provides much needed certainty for organisations and the regulator on this point.
Background to the DSG Case
In each of the UK’s successive Data Protection Acts (DPA 1984, 1998 and 2018) the concept of ‘personal data’ has remained at the very heart of the legislation. It is a foundational defined term, as the protection of personal data is fundamentally the central purpose of these Acts. So it was highly unusual when, in November 2024, the ICO for the very first time appealed against a decision of the UT, the senior information tribunal, which hinged on the definition of what constitutes ‘personal data’ in a relatively common circumstance – that of a data breach.
The ICO’s decision to make this unprecedented appeal against a ruling of the UT came following a September 2024 decision by the Tribunal concerning a long-running case, that of DSG Retail Limited (DSG), which was formerly the parent company of computer and electrical appliances retail outlets Currys and Dixons. The matter’s longevity is only one of its distinctive features. It was prompted by a data breach which spanned July 2017 to April 2018 when a cyber attacker installed malware on 5,390 tills at Currys PC World and Dixons Travel stores, allowing the hackers unauthorised access to 5.6 million payment card details used in transactions, and the personal information of about 14 million people.
The breach was discovered only a few weeks before the current DPA 2018 and the UK GDPR came into force. As such, it was dealt with by the ICO under the previous legislation, the DPA 1998. In 2020, the regulator fined DSG £500,000, the maximum penalty available under the DPA 1998 at the time, for its failures to secure the personal data of the individual customers whose transactions had been hacked. After successive appeals, it is possibly the last lawsuit in the UK litigating the 1998 Act.
DSG appealed to the specialist information regulation court, the First-tier Tribunal (FTT), and in 2022 had its fine cut in half to £250,000. The retail group did not stop there, appealing further to the next level of information tribunal, the UT, which upheld most of the company’s grounds of appeal and directed the case to be remitted back to the FTT for reconsideration.
The Upper Tribunal’s Ruling
The UT disagreed with the FTT, ruling that the unique 16-digit number found on payment cards, together with the card’s expiry date (the information accessed by the attackers), did not by itself constitute personal data for the purposes of the DPA 1998. This data had been ‘pseudonymised’, in that the identifying information had been removed and stored elsewhere on DSG’s system, although it remained capable of being reidentified.
According to the UT, the relevant test that the FTT should have applied was not whether this data could be combined with other data in DSG's hands to identify an individual cardholder, which the FTT said made it personal data ‘in the hands of’ the controller DSG and also therefore in the hands of the cyber criminals. Instead, the UT considered that the correct test was what data third parties might obtain if perpetrating a successful cyber attack, and whether that data could be combined with the two pieces of card data to identify an individual. The hackers in the DSG attack had not been able to access the other customer identifiers (name, 3-digit CVC number, etc.) and therefore, in the UT’s judgement, the information accessed did not in itself comprise personal data, and there had been no infringement of the DPA 1998.
The Information Commissioner, in his November 2024 press release, explained the significance of challenging the UT’s judgement, and the reasoning for escalating the case to the Court of Appeal of England and Wales. In the Commissioner’s view, the UT ‘misinterpreted the meaning of personal data in this context’, an opinion he justified by reminding readers of his press release that ‘the DPA 1998 was clear – organisations must put technical and organisational security measures in place to protect personal data, irrespective of whether this data is pseudonymised’. The Commissioner also highlighted that there have been many cases of malicious actors accessing, erasing or encrypting pseudonymised personal data, incidents that had an impact on the data subjects involved.
The Court of Appeal’s Ruling
The ruling on the ICO’s appeal was issued on 19 February 2026. And, no doubt to the enormous relief of the regulator, the ruling is in the ICO’s favour. The Court has found that deidentified ‘pseudonymised’ data in the hands of a third party (the hackers) can constitute personal data capable of indirectly identifying an individual. Contrary to the UT’s ruling, this pseudonymised data still constitutes personal data, despite the keys to reidentify it remaining inaccessible in the hands of the controller (DSG), as those identifiers were not exfiltrated by the thieves.
The Court of Appeal held that the UT’s decision could not stand because it might encourage data controllers to afford pseudonymised data a lower level of protection than personal data, even though pseudonymised data, if compromised, can still cause significant harm to the data subjects it belongs to. The Court also noted that, given the huge amounts of publicly available, digitally searchable information, ‘jigsaw identification’ of data subjects from partial data is becoming ever easier.
This decision is welcome from a number of angles: first, because it maintains the alignment of UK data protection law on this point with precedents set by the highest judicial authority in Europe, the European Court of Justice (ECJ), in both the 2016 Breyer case and more recently the SRB case (2025). Second, it saves the ICO from having to reopen and review past enforcement cases. In those cases, the ICO took action on the basis that pseudonymised data (as opposed to fully anonymised data) can still count as personal data, even when it ends up in the hands of third parties (including criminals) who lose, misuse, or steal it. If the UT’s decision had been upheld, some of those past cases might no longer have been considered personal data breaches at all. That could have weakened years of regulatory action and raised doubts about the validity of penalties and enforcement decisions that have already been issued.
Additionally, because the UK GDPR’s current definition of personal data practically mirrors that of the DPA 1998, all future cases involving similar facts would have had to be decided using the UT’s interpretation of what qualifies as personal data in these circumstances. This would represent a substantial pivot away from the theory and practice the ICO has followed on this fundamental point for its entire history to date. However, with the Court of Appeal’s ruling, the ICO can continue to rely on the interpretation of personal data that it has always applied.
Takeaways From the Judgement for Organisations
The Court of Appeal’s ruling comes as a reminder to organisations that pseudonymisation, while a useful weapon in their armoury of data security technical and organisational measures (TOMs) (and indeed explicitly recommended by Articles 25 and 32 of the UK GDPR), is not in itself a ‘magic bullet’. It does not automatically and completely protect stolen or inappropriately disclosed deidentified personal data to which cyber attackers or other malicious actors gain access, even if the keys necessary to reidentify the data are not also in the bad actors’ possession. Instead, it should be seen as one part of an organisation’s defensive data strategy, with only full anonymisation (so that it is impossible for anyone, including the organisation holding it, to reidentify the data) or encryption of personal data offering permanent and total protection to the rights and freedoms of the data subjects.
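To make the distinction between pseudonymisation and anonymisation concrete, here is an added Python example. It is not code from the original post, from DSG or from the ICO; the customer names, card numbers and amounts are constructed sample values, and the key held by the controller is a hypothetical secret supplied by the caller. It pseudonymises a small transaction table by replacing each card number with a keyed token (the re-identification key table is kept separately, as the text describes), then shows that the token table on its own still lets each cardholder be singled out and linked across transactions, whereas an aggregated table with small-group suppression does not.

```python
"""Pseudonymisation versus anonymisation of card transactions (added example).

All data below is constructed for illustration; card numbers are test-style
values, not real cards.
"""
import hashlib
import hmac
from collections import Counter, defaultdict

# Constructed sample: (customer name, 16-digit PAN, expiry, amount).
TRANSACTIONS = [
    ("Alice Example", "4111111111111111", "09/27", 42.50),
    ("Alice Example", "4111111111111111", "09/27", 17.99),
    ("Bob Example",   "5500000000000004", "03/26", 120.00),
    ("Carol Example", "3400000000000009", "09/27", 8.20),
    ("Dan Example",   "6011000000000004", "11/28", 64.00),
]


def pseudonymise(transactions, key):
    """Return (pseudonymised table, re-identification key table).

    The pseudonymised table carries a keyed HMAC token instead of the PAN and
    drops the name. The key table (token -> name) is what the controller keeps
    on a separate system; `key` is a hypothetical secret held by the controller.
    """
    pseudo, key_table = [], {}
    for name, pan, expiry, amount in transactions:
        token = hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()[:16]
        pseudo.append({"token": token, "expiry": expiry, "amount": amount})
        key_table[token] = name
    return pseudo, key_table


def singled_out_individuals(pseudo_table):
    """Group rows by token without using the key.

    Each group corresponds to one real cardholder, so whoever holds only this
    table can still single individuals out and link their transactions. That
    residual linkability is why the data remains personal data.
    """
    groups = defaultdict(list)
    for row in pseudo_table:
        groups[row["token"]].append(row["amount"])
    return dict(groups)


def anonymise_by_aggregation(pseudo_table, k=2):
    """Reduce the table to counts per expiry month, suppressing groups below k.

    No row-level identifier survives, so no individual can be singled out
    from the output; this is aggregation-style anonymisation, not the only
    approach but a simple one.
    """
    counts = Counter(row["expiry"] for row in pseudo_table)
    return {expiry: n for expiry, n in counts.items() if n >= k}


def min_group_size(aggregate):
    """Smallest group in an aggregate (0 if empty), used to verify the k floor."""
    return min(aggregate.values()) if aggregate else 0


if __name__ == "__main__":
    controller_key = b"hypothetical-controller-secret"
    pseudo, key_table = pseudonymise(TRANSACTIONS, controller_key)
    groups = singled_out_individuals(pseudo)
    print(f"{len(groups)} distinct cardholders visible without the key")
    print("aggregate:", anonymise_by_aggregation(pseudo, k=2))
```

The token table still has one row per transaction and one stable token per card, so the number of distinct cardholders and the pattern of each person's spending are visible to anyone holding it, key or no key; that is the linkability the Court of Appeal had in mind. The aggregate output contains no per-person rows at all. Note also that the protection encryption gives depends on the keys staying out of the attacker's reach, which is a key-management question rather than a property of the ciphertext alone.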
What’s Next?
The DSG Retail case was already (in)famous for being the last data breach still being litigated under the old DPA 1998. DSG has already, in the six years that the action has been running, successfully (or partially successfully) appealed against adverse rulings twice. But the Court of Appeal is a very senior court, and many proceedings stop there: appeals against its judgements (to the UK Supreme Court) are rare, and successful appeals rarer still. However, DSG may consider that, having pursued the matter this far, it is worth seeking one final review by petitioning the Supreme Court. If the organisation did so, the prospect of yet another appeal would undoubtedly cause renewed anxiety for the regulator and see the case of DSG Retail Ltd v The Information Commissioner set yet another record.
How URM Can Help
Achieving and maintaining full GDPR compliance is essential for any organisation hoping to avoid enforcement action from the ICO. As is evident from the DSG Retail case, and continues to be demonstrated by the extremely heavy fines issued to organisations for having inadequate data security TOMs in 2025, the ICO takes a particularly dim view of breaches that result from a lack of appropriately robust security measures. With over 20 years of experience providing data protection and GDPR support, URM is well placed to help your organisation address these risks. With our multidisciplinary consultancy that brings together experienced data protection, information security, and cyber security practitioners, we can offer joined-up advice on both legal data protection compliance and the practical implementation of appropriate TOMs.
URM can assess whether your current security arrangements meet the Regulation’s requirements by conducting a targeted information security and GDPR gap analysis, identifying weaknesses in technical controls, operational processes, and governance arrangements that could expose you to regulatory action. Following this GDPR review, we then provide pragmatic remediation support to help embed proportionate and risk-based TOMs.
In addition to TOMs-focused support, URM offers a wide range of GDPR consultancy services, including broader GDPR gap assessments, remediation support, data privacy impact assessments (DPIAs), and assistance with records of processing activities (ROPAs). For organisations managing data subject access requests (DSARs), we provide a dedicated DSAR support service, where our disclosure officers apply the appropriate exemptions and redactions to help ensure compliant and defensible responses. Meanwhile, our virtual Data Protection Officer (vDPO) service enables you to access a full team of experienced practitioners on either an ongoing or ad-hoc basis, depending on your preferences and needs.
Alongside consultancy services, URM delivers a comprehensive programme of data protection and security training. For those seeking a recognised qualification and a comprehensive understanding of the UK data protection framework, URM’s BCS Certificate in Data Protection (CDP) course provides thorough preparation for the BCS invigilated examination. We also offer targeted, practical training courses, including Conducting DTIAs, Conducting DPIAs, and our one-day course on How to Manage DSARs, enabling organisations to build internal capability and resilience.