[2024] UKUT 287 (AAC)
Upper Tribunal Administrative Appeals Chamber

Date: 23-Sep-2024

The issues on this appeal

40.

As the grant of permission was restricted to two of DSG’s proposed six grounds (Grounds 1 and 3), a number of the FTT’s findings were not the subject of free-standing challenges in this appeal. This included: the failings identified in relation to contraventions 3 and 9; that the contravention was of a kind likely to cause substantial distress; that DSG had the requisite knowledge in respect of the contravention; and the quantum of the penalty. Ground 1 concerns the FTT’s conclusion that the data obtained from the 5,592,349 cards with EMV protection (the PAN and the card expiry date data) was “personal data” for the purposes of DPP7. We refer to this data as the “EMV Data”. DSG accepted that the non-financial data that was exfiltrated and the cardholder plus PAN and expiry date data obtained from 8,628 of the cards that did not have EMV protection constituted “personal data”. Ground 3 challenges the FTT’s finding that there had been a “serious” contravention of DSG’s data responsibilities, within the meaning of section 55A DPA 1998.

41.

Five issues were argued before us. We shall use the same numbering and nomenclature as was used by DSG to identify those issues.

42.

Issue 1 is the EMV Data Issue. Did the FTT err in law in deciding that there had been a contravention of the DPA 1998, in relation to the EMV Data which was personal data in DSG’s hands, without determining whether that data would be personal data in the hands of a third party such as the attackers? DSG argued that in so far as the EMV Data was not personal data in itself (Issue 4, below), it was a necessary quality of a contravention, on the facts of this case, that the data should be personal data in the hands of a third party such as the attackers and that the FTT wrongly directed itself that it did not need to determine this.

43.

Issue 2 is the Consistency Issue. Did the FTT err in: (i) failing to determine whether that data was personal data in the attackers’ hands, in circumstances in which the FTT had (rightly) identified that that question “must be relevant” to other statutory preconditions; and/or (ii) then asserting, in relation to seriousness, distress, and quantum, that the fact that the data was personal data in DSG’s hands was relevant to those issues? A logically prior issue arises here of whether DSG has permission to appeal on Issue 2.

44.

Issue 3 is the Procedural Fairness Issue. Did the FTT act unlawfully by reaching its conclusions on the EMV Data Issue on a basis that was not argued before it (that the EMV Data was personal data in DSG’s hands), without giving the parties an opportunity to make representations and/or lead evidence on the FTT’s newly-raised issue?

45.

Issue 4 is the Implications Issue. If the FTT did err in law in relation to its personal data finding, DSG submits that the Upper Tribunal should itself decide whether the EMV Data on its own constituted “personal data” (with all other questions remitted to the FTT).

46.

Issue 5 is the Seriousness Issue. Did the FTT err in law in its determination of the question whether the contravention identified was serious? There are three elements to this ground of appeal. First, did the FTT err in law in conflating the consequences of the contravention with the seriousness of the contravention? Second, did the FTT err in law in taking into account the “expectations of individuals and society”? Third, did the FTT err in law in relying on an “unknown quantity of PAN capable of being used to indirectly identify a living individual”?