[2024] UKUT 287 (AAC)
Upper Tribunal Administrative Appeals Chamber

Date: 23-Sep-2024

The FTT’s errors

137.

The first error that DSG relies upon is readily apparent from paragraphs 96 and 97 of the FTT’s decision. On the one hand, the FTT said that it was unnecessary for it to determine whether EMV Data was personal data in a limb (i) or limb (iii) sense; at the same time it acknowledged that whether or not the data was “personal data” in the hands of the third party “must be relevant to any assessment of the risk of consequent damage and distress”. Accordingly, there is a clear contradiction between the FTT’s reasoning in these paragraphs.

138.

We accept that this was a material error. We have already explained under Issue 1 why this determination was directly relevant to whether there had been a breach of DPP7 in respect of the EMV Data. We accept that it was also relevant to whether the section 55A criteria were satisfied, in particular as to whether there had been a “serious contravention” of section 4(4) by DSG and, if so, whether it was “of a kind likely to cause substantial damage or substantial distress”. Whilst the FTT was in any event able to rely on its findings in respect of the non-financial data and the personal data obtained from the 8,628 cards (paragraphs 21 - 22 above), given the nature of the EMV Data, the very large number of payment cards involved and the ICO’s emphasis upon this aspect, proper findings in respect of the EMV Data were required.

139.

Mr Lockley sought to argue rather faintly that the FTT did in fact make some assessment as to the likelihood of third parties being able to combine the EMV Data with identifying details of the cardholders. However, we consider it clear that this was not addressed by the FTT. First, the FTT said itself at paragraph 97 that it had not made findings to this effect. Secondly, it is apparent that paragraphs 93f, 94 and 95 are solely focused upon whether DSG as the data controller was able to combine the data in this way. Thirdly, there are no findings of fact or reasoning that address a limb (iii) analysis. Fourthly, whilst we agree that it was not directly relevant to the “substantial distress” issue, it is apparent that at paragraph 113 of its decision, the FTT placed significance upon DSG’s ability to link its records of personal data with the EMV Data (rather than to a third party’s ability to do so), as the FTT introduced this point by saying, “As previously stated…”. That can only be a reference to its earlier limb (ii) conclusions at paragraphs 92 – 97.

140.

We take the same view in relation to the FTT’s reference at paragraph 111(b) of its decision. When considering if the contravention was “serious”, the FTT said that it had regard to the EMV Data being “capable of being used to indirectly identify a living individual”. The FTT introduced this paragraph by referring back to the contravention of DPP7 that it had “identified”, thereby tethering its conclusion on the seriousness issue to its earlier finding that DSG was able to combine the EMV Data with personal records that it held (limb (ii)). Again, we do not see why the fact that the data controller was able to combine the data impacted on the seriousness of the failure to protect against unauthorised access by third parties. The data controller was able to do so, absent any DPP7 failings at all. The real question was whether personal data was put at risk of escaping as a result of the shortcomings identified.

141.

Lastly, a similar error is apparent from paragraph 120 of its reasons, when the FTT came to consider quantum. It relied upon its earlier finding on seriousness “for reasons already given relating to the nature and volume of data processed by DSG”. Accordingly, our previous comment applies.

142.

We therefore conclude that the FTT’s central error of law in respect of Issue 1 was compounded by the errors that we have accepted in respect of Issue 2.