[2024] UKUT 287 (AAC)
Upper Tribunal Administrative Appeals Chamber

Date: 23-Sep-2024

Issue 1: the EMV Data Issue: the parties’ submissions

The appellant’s submissions

95. Mr Pitt-Payne KC submitted that the FTT had erred in focusing on the information available to DSG in determining whether appropriate security measures had been taken “against unauthorised or unlawful processing of personal data” for the purposes of DPP7. He contended that, rather than adopting a limb (ii) approach to the question of whether the EMV Data constituted “personal data”, the FTT should have taken a limb (iii) approach, addressing whether this data was personal data in the hands of the third party attackers. He said that it was clear from paragraph 97 of the FTT’s decision that, having concluded that at least some of the EMV Data processed by DSG was personal data in terms of the information to which it held the key, it did not go on to determine whether this data was also personal data from the attackers’ perspective. Mr Pitt-Payne emphasised that both parties addressed the FTT on the basis that if the EMV Data was not personal data in itself (Issue 4, below), then the limb (iii) definition of personal data had to be met for there to be a contravention of DPP7.

96. Mr Pitt-Payne confirmed that DSG had accepted before the FTT that the EMV Data was personal data in its hands. This was not on the basis that it had the ability to combine Batch 1 and Batch 4.1 data (as the FTT apparently thought), but because it had the means to combine the EMV Data with data that it held in a secure server which had not been accessed and was not accessible by others. However, that was irrelevant to whether there had been a contravention of DPP7 as a result of the Batch 1 and Batch 4.1 data being compromised.

97. Mr Pitt-Payne’s original submission to us was based on the proposition that at the point of exfiltration the third party attacker became the data controller for the purposes of the DPA 1998 definition of “personal data” and thus it was incumbent on the FTT to determine whether their actions amounted to the processing of “personal data” in their hands, by reference to any ability on their part to identify living individuals from combining the data with other information likely to be available to them (which DSG denied the attackers were able to do). He submitted that the case law we have summarised at paragraphs 78 – 85 above showed that, where it is not possible for a third party to identify one or more individuals from the information in question, that information lost its character as personal data and was not personal data vis-à-vis third parties. Mr Pitt-Payne suggested that there was no reason in principle to distinguish the FOIA case law from the present circumstances; it mattered not whether there was an intended disclosure of data or an escape of data.

98. Mr Pitt-Payne said that it was necessary to know what it was that DSG had failed to protect and what data had got out into the world in consequence, in order to determine whether there had been a failure to protect personal data. If DSG had simply failed to protect information that would be anonymous data if it was attacked and released to the outside world, then there would have been no failure to take appropriate measures against “unauthorised or unlawful processing of personal data”.

99. During the course of his oral submissions, Mr Pitt-Payne refined his position. He accepted that the section 4(4) DPA 1998 duty to comply with the data protection principles was a duty that was placed on DSG as the data controller, including in respect of DPP7. However, he said that, in order to determine whether DSG had breached its DPP7 duty, it was necessary to consider the risks that DSG was required to guard against. The relevant risk for present purposes was the risk of an “unauthorised or unlawful processing of personal data”; and whether there was a breach would therefore depend upon the kind of data that was insufficiently protected. If that data was anonymous in the hands of third parties, the sheer fact that DSG had other data that it could combine with this data to identify living individuals was irrelevant if that other data was held securely and was not at risk of being accessed by third parties.

100. Mr Pitt-Payne also advanced an argument based on the terms of paragraph 9 of Part II of Schedule 1 DPA 1998. He emphasised that, pursuant to paragraph 9, DPP7 requires protective measures that are appropriate to the harm that might result from an unauthorised or unlawful processing of personal data. Accordingly, in order to set the applicable standard and to assess whether the data controller has achieved the appropriate level of security, it is necessary to assess the prospect of an unauthorised or unlawful processing of personal data taking place. DSG’s case was that it had achieved an appropriate level of protection by effectively separating the EMV Data that it held from data that was capable of identifying the cardholders. However, by focusing on a limb (ii) approach, the FTT failed to engage with this.