Conclusions
The outcome
For the reasons that we have set out above, we conclude that the FTT erred in law:
In concluding that there was a contravention of s. 4(4) Data Protection Act 1998 (“DPA 1998”) by reason of third party access to payment card data comprising only (i) primary account numbers; and (ii) expiry dates (“EMV Data”), on the basis that the EMV Data was personal data in the hands of DSG. EMV Data is not “personal data” in itself as it does not directly identify a living individual (Issue 4);
In determining that DSG had failed to comply with DPP7 in respect of the EMV Data on the basis that this was “personal data” in DSG’s hands, rather than deciding whether the security shortcomings that it had upheld entailed a failure to take appropriate protective measures against “unauthorised or unlawful processing of personal data”, which required consideration of whether the data that was rendered vulnerable would be “personal data” in the hands of third parties who could access it (Issue 1);
In taking an inconsistent approach to whether it was necessary to determine the Issue 1 point (albeit failing to do so); and in relying on the undisputed fact that the EMV Data was “personal data” in DSG’s hands, rather than a finding on the Issue 1 point, when reaching its conclusions on the section 55A DPA 1998 criteria (in particular whether there had been a “serious contravention” and, if so, whether it was “of a kind likely to cause substantial damage or substantial distress”) and on the quantum of the MPN (Issue 2);
In finding that the contravention of the section 4(4) DPA 1998 duty was “serious”, without having assessed the applicable standard or how far below it DSG’s conduct had fallen (Issue 5).
As we also explained, we accept that Issue 2 is within the scope of the grant of permission to appeal; and in light of our conclusion on Issue 1, it was unnecessary for us to determine Issue 3, albeit we have thought it right to emphasise the departure from procedural fairness that occurred.
On remission, the FTT will need to decide whether the EMV Data is “personal data” in the hands of those who could access it as a result of security shortcomings on the part of DSG (the limb (iii) question). In this regard, the FTT will be assisted by:
Focusing on the risk of “unauthorised or unlawful processing of personal data” that DPP7 required DSG to take ATOMS to guard against;
Assessing the data that was put at risk as a result of those shortcomings, in particular whether the EMV Data could be linked by a motivated attacker to other data put at risk by DSG that would identify the cardholders in question. It will also be necessary to consider the extent to which, if at all, it was possible to establish the identity of the cardholders by means of externally obtained information;
Keeping in mind that as the duty on DSG is of an anticipatory, protective nature, the answers to these questions involve assessing what was put at risk as a result of security shortcomings, as opposed to simply what was obtained in the attack that took place (albeit, that is likely to be good evidence of the vulnerabilities in the system); and,
The summary of the principles to be applied when considering limb (iii) issues provided in Miller (paragraph 76 above).
We give the decision, and direct the new FTT to redecide the appeal, in the terms set out at the beginning of this decision. It was not contested before us that the non-financial data which was exfiltrated and the 8,628 payment cards without EMV protection that were accessed by the Attackers both constituted personal data, and the new FTT should redecide the appeal on this basis. Nor were the FTT’s findings of fact in relation to contraventions 3 and 9, in terms of the security shortfalls identified or DSG’s state of knowledge, disputed before us, and the new FTT should redecide the remitted appeal accordingly (although the new FTT will need to consider afresh to what data those shortfalls related in order to decide whether there was in fact a contravention).
DSG invited us to be more specific as to the errors that we have found in the FTT’s decision. We have taken their submissions into account, but have considered it appropriate to summarise our findings in the way we have done in paragraph 171 above. The ICO invited us specifically to direct that the findings at paragraphs 99-110 of the FTT’s decision are not challenged by DSG and should not be re-opened at a remitted hearing. We record that it is our understanding that it should not be necessary for those findings to be re-opened, but we do not make such a specific direction lest it have an unintended consequence of restricting the FTT’s freedom to decide the matters that need to be decided on remission in the way it considers appropriate in the light of our judgment.
Mrs Justice Heather Williams DBE
Chamber President
Stewart Wright
Judge of the Upper Tribunal
Holly Stout
Judge of the Upper Tribunal
Approved for issue on 23 September 2024
- Heading
- THE HON. MRS JUSTICE HEATHER WILLIAMS DBE
- Decision date: 23 September 2024
- A summary of the relevant background
- The ICO’s MPN
- The FTT’s decision
- Personal data
- The contravention of DPP7
- Seriousness of the contravention
- Substantial damage and distress and knowledge
- The substituted MPN
- The issues on this appeal
- The grant of permission to appeal
- The legal framework
- Scope of grants of permission
- Relevant provisions of the DPA 1998
- Relevant case law and guidance on the meaning of “personal data”
- Security of processing
- Relevant principle of judicial decision-making
- Issue 1: the EMV Data Issue: the parties’ submissions
- The respondent’s submissions
- Issue 1: the EMV Data Issue: discussion and conclusions
- The statutory provisions
- The case law
- The FTT’s reasoning and the FTT’s error
- Issue 2: the Consistency Issue: the parties’ submissions
- The respondent’s submissions
- Issue 2: the Consistency Issue: discussion and conclusions
- Scope of the grant of permission
- The FTT’s errors
- Issue 3: the Procedural Fairness Issue
- Issue 4: the Implications Issue: the parties’ submissions
- The respondent’s submissions
- Issue 4: the Implications Issue: discussion and conclusions
- Issue 5: the Seriousness Issue: the parties’ submissions
- The respondent’s submissions
- Issue 5: the Seriousness Issue: discussion and conclusions
- Conclusions