[2024] UKUT 287 (AAC)

First, we are satisfied that the points raised by Issue 2 are within the scope of the grant of permission. Consistent with the earlier caselaw, any ambiguity in the grant has to be resolved in favour of the applicant (paragraph 55 above). The points raised by paragraphs 19(3) and (4) of the Grounds of Appeal were part of Ground 1, they were not explicitly excluded from the grant and they were closely allied to what we are referring to as Issues 1 and 3, in respect of which permission was clearly given. When asked to clarify his ruling, Judge Wright did not consider that his grant of permission had unambiguously excluded these points and, to the contrary, suggested that the ICO was seeking to read a great deal into particular words that he had used during the course of the 39 paragraphs of his reasons.

Lastly, we do not consider that treating the grant of permission as encompassing these points gives rise to any inconsistency. Paragraphs 19(3) and (4) were, like the rest of Ground 1, focused on the FTT’s failure to consider the alleged breach of DPP7 in respect of the EMV Data on a limb (i) or limb (iii) basis. Whilst one aspect of paragraph 19(4) referred to the FTT’s reasoning at paragraph 113 of its decision on the “substantial distress” criterion, this was in the context of highlighting the Issue 1 error. The complaint in question under Ground 4 was that the FTT had erred in assuming that the attackers could link the EMV Data to personal cardholders’ information. By contrast, the complaint at paragraph 19(4) of the grounds was put on the basis that at paragraph 113 the FTT was referring to the irrelevant fact of DSG’s ability to link the information.