[2024] UKUT 287 (AAC)
Upper Tribunal Administrative Appeals Chamber

Date: 23-Sep-2024

The respondent’s submissions

101.

Whilst accepting that his submissions below had been based on a limb (iii) approach, Mr Lockley sought to persuade us that the FTT had been correct in focusing upon whether the data was personal data in the hands of DSG and that in light of its finding that it was, the FTT had been right to decide that it did not need to determine whether the EMV Data would be personal data in the hands of the attackers.

102.

Mr Lockley emphasised that, unlike other data protection principles, DPP7 imposes a duty to protect data which is anticipatory in nature. The duty was on DSG as the data controller and the duty would be breached if and at the point the data controller had not taken ATOMS in respect of the personal data that it held, whether or not any exfiltration of data actually occurred. Accordingly, the focus was upon the prior failure of DSG’s responsibilities in relation to the personal data that it held, rather than on the data that the attackers obtained in the particular attack or what they were able to combine it with. Accordingly, he said, the duty imposed by DPP7 applied to all data that was personal data in the data controller’s hands.

103.

Mr Lockley noted that the “personal data” in section 4(4) DPA 1998 was clearly a reference to data that was personal data in the hands of the data controller. He submitted that it was unlikely that “personal data” meant something different when it was then used in the phrase “unauthorised or unlawful processing of personal data” in DPP7. Furthermore, the second reference to “personal data” in DPP7 (“accidental loss or destruction of, or damage to, personal data”) was plainly a reference to material that was personal data in the hands of the data controller and the same phrase could not have shifted its meaning within the same data protection principle. He also stressed that the DPP7 duty to protect data was a broad one, that required the data controller to guard against a multitude of risks, not only data exfiltration, but also deletion, malicious encryption or alteration of data. The focus was not upon what a particular attacker did in a particular situation; DSG’s contentions impermissibly sought to reason backwards from the attackers’ actions.

104.

Mr Lockley also emphasised the nature of contraventions 3 and 9. The shortcomings upheld by the FTT were of a basic and sustained nature, which in a general sense failed to protect the DSG estate. They did not directly relate to particular data, whether the EMV Data or otherwise; they allowed for access to large amounts of data and what was actually accessed showed the minimum of what was at risk.

105.

Mr Lockley contended that the authorities which Mr Pitt-Payne relied upon (those we have discussed at paragraphs 78 – 85 above) were not on point. They were concerned with the fundamentally different exercise of a controlled disclosure of a known set of data, not with DPP7, which imposes a duty in advance of any attack or other release of data. Furthermore, these judgments recognised that pseudonymised data remained personal data in the hands of the data controller, as it held the key to the identification of data subjects, even though at the moment of disclosure the anonymised information lost its character as personal data in the hands of third parties.

106.

Mr Lockley accepted that the FTT had not made findings as to whether the attackers could have combined the EMV Data with identifying data in respect of living individuals, but for the reasons we have summarised, he maintained that it was not required to make findings on a limb (iii) basis.