Issue 1: the EMV Data Issue: discussion and conclusions
As we have explained at paragraph 40 above, Issue 1 is solely concerned with whether the EMV Data (the 16-digit PAN, plus the expiry date on the 5,592,349 payment cards that had EMV protection) is “personal data” for the purposes of DPP7. Mr Pitt-Payne confirmed that it was accepted that the non-financial data that was exfiltrated and the 8,628 instances where the attackers had obtained the cardholder’s name as well as the PAN and the card expiry date did involve personal data (paragraph 40 above). As we understand it, the EMV Data was the focus of both parties’ submissions below, because the ICO had been particularly concerned about the degree of access that was obtained to payment data and this had been a significant factor in the decision to issue the MPN (albeit the ICO did so on a limb (i) basis as we explained at paragraph 11 above). The EMV Data Issue is also relevant because the nature and extent of any contravention of DPP7 may be significant in deciding whether the section 55A DPA 1998 criteria are met and, if they are, to the consideration of whether to issue a MPN and, if so, in what sum.
As we have noted in summarising the submissions, Mr Pitt-Payne accepted that the EMV Data was personal data in DSG’s hands (albeit not on the basis found by the FTT). However, he disputes the relevance of this to the question of whether there was a contravention of DPP7 in respect of this data. The question raised by Issue 1 is whether the FTT were correct to find that the DPP7 duty to take ATOMS against “unauthorised or unlawful processing of personal data” refers to data that was personal data in the hands of DSG (the limb (ii) definition) or whether this refers to data that would be personal data in the hands of potential third party attackers, either because the data itself is personal data or by virtue of their ability to link it with data that would identify the individuals whose payment card data had been obtained (the limb (i) and limb (iii) definitions). The FTT concluded at paragraph 97 of its decision that the limb (ii) definition was “much more obviously appropriate and applicable” and that in the circumstances it was not required to make findings in respect of the limb (i) or limb (iii) definitions.
- THE HON. MRS JUSTICE HEATHER WILLIAMS DBE
- Decision date: 23 September 2024
[2024] UKUT 287 (AAC)