Issue 4: the Implications Issue: the parties’ submissions
The appellant’s submissions
Mr Pitt-Payne submitted that if we were with him on Issue 1 and we accepted that the FTT erred in law in failing to assess whether the data that was put at risk by the shortcomings in security was personal data from a limb (i) or a limb (iii) perspective, then the former was a pure question of law which we should determine (whereas resolution of the limb (iii) question involved disputed evidence and further findings of fact, which inevitably would require remission to the FTT). Mr Lockley accepted that the Upper Tribunal was in a position to decide the limb (i) question.
Mr Pitt-Payne contended that the EMV Data (the 16-digit number on the payment card (the PAN) and the expiry date) was not personal data. The PAN simply identified an item of property. He drew an analogy with the VINs in Scania, which the Court of Justice concluded were not personal data in themselves; they simply identified a unique item of property, namely a motor vehicle. Similarly, a PAN links to a particular bank account, but it does not provide information that identifies a particular individual. He said that even if the EMV Data enabled a third party attacker to extract funds from the bank account (which was not accepted), this did not make it data about an identifiable individual. In this regard he observed that a cloakroom ticket enabled the person who possessed it to present it and receive an item of property in return, but the ticket contained no data that identified an individual.
Mr Pitt-Payne emphasised that the limb (i) definition of personal data required that the data identified a living individual directly; it was quite clear that the PAN and the expiry date on a payment card did not do so.
- THE HON. MRS JUSTICE HEATHER WILLIAMS DBE
- Decision date: 23 September 2024
[2024] UKUT 287 (AAC)