ICO seeks appeal in DSG ruling
By Law News
Information Commissioner seeks permission to appeal DSG Retail Ltd ruling
The UK Information Commissioner, John Edwards, has formally sought permission to appeal a recent judgment by the Upper Tribunal in a high-profile case involving DSG Retail Ltd, following a data breach that affected millions of individuals. This legal challenge centres on the interpretation of the duty organisations have to protect personal data under the Data Protection Act 1998 (DPA 1998). The Information Commissioner’s Office (ICO) has expressed concerns that the ruling, which reduces the scope of responsibility for data controllers, could set a problematic precedent in the fight against data breaches.
The Background of the Case
In 2020, DSG Retail Ltd, the parent company of well-known brands such as Currys PC World, was fined £500,000 by the Information Commissioner’s Office (ICO) after a cyber attack exposed personal data belonging to at least 14 million individuals. The breach involved a vulnerability in DSG’s IT systems, which allowed hackers to access sensitive personal information, including names, email addresses, dates of birth, and even payment details. This fine was the maximum permissible penalty under the Data Protection Act 1998, which was in force at the time of the breach.
DSG Retail Ltd, however, disputed the ICO’s decision, arguing that the fine was excessive and that it had taken reasonable steps to protect customer data. In 2022, the First-tier Tribunal (FTT) agreed with DSG, reducing the fine from £500,000 to £250,000. While the FTT acknowledged the breach was serious, it ruled that DSG had not been negligent in its handling of personal data and had made significant efforts to bolster security measures after the breach was discovered. The decision to halve the fine was seen by some as a more lenient approach to data protection enforcement.
The Upper Tribunal’s Ruling
In 2024, the Upper Tribunal issued a ruling that further narrowed the scope of DSG’s responsibilities under data protection law. The Tribunal’s decision focused on the interpretation of the DPA 1998 and the anticipatory nature of security obligations imposed on organisations. It confirmed that organisations are required to take proactive steps to ensure the security of personal data, but it also found that this duty does not extend to protecting personal data that has already been handed over to a third party for processing.
This ruling was significant because it suggested that the duty to protect personal data may not extend beyond the immediate control of the data controller — in this case, DSG Retail Ltd. The ruling seemed to imply that once personal data is transferred to a third party, the original data controller is no longer fully responsible for safeguarding that data from external threats, such as hackers or unauthorised access.
Information Commissioner’s Concerns
John Edwards, the UK’s Information Commissioner, has strongly criticised this interpretation of data protection law, particularly the suggestion that organisations are not required to ensure the security of personal data once it is in the hands of a third party. The Commissioner has argued that this interpretation of the law is flawed and undermines the principles of data protection, which require that personal data be safeguarded throughout its lifecycle — whether held by the data controller or processed by a third-party vendor.
In a statement, Edwards said:
"We welcome the Tribunal’s clarity that organisations have an anticipatory duty to put in place measures to keep people’s information safe. However, it is my view that the Tribunal misinterpreted the meaning of personal data in this context. This is a core concept of data protection law, and we are seeking clarification so there’s certainty for organisations and people’s information is better protected."
He continued:
"The DPA 1998 was clear — organisations must put technical and organisational security measures in place to protect personal data, irrespective of whether this data is pseudonymised. We have seen many cases where people have been affected when malicious actors have accessed, deleted, or encrypted pseudonymised personal data, for example when medical or financial data is compromised. Similar security requirements apply in the current data protection regime, so it’s crucial that we seek clarification on this important issue from the courts."
Edwards stressed the need for legal certainty, particularly as the UK transitions to the new data protection framework under the Data Protection Act 2018, which aligns with the EU’s General Data Protection Regulation (GDPR). He argued that the duty to safeguard personal data should remain robust, regardless of whether that data is held in-house by the data controller or transferred to third parties.
The Appeal and Its Potential Impact
The Information Commissioner has now filed an application seeking permission to appeal the Upper Tribunal’s decision to the Court of Appeal. Edwards is seeking a clearer interpretation of the law on whether organisations must implement security measures not only for data in their immediate control but also when data is outsourced or transferred to external processors.
If the Court of Appeal accepts the appeal, the case could have far-reaching consequences for the interpretation of data protection law in the UK. A ruling in favour of the ICO could reaffirm the principle that data controllers are responsible for ensuring the security of personal data at all stages, regardless of where it is processed. This would offer stronger protections for individuals and impose clearer obligations on businesses and public bodies to safeguard personal data from cyber threats and other security risks.
Conversely, if the Court of Appeal upholds the Upper Tribunal’s decision, it could effectively reduce the scope of responsibility for data controllers, shifting the focus primarily to the measures taken by third-party processors. This could potentially make it more difficult for regulators to enforce data security standards in the future, particularly in cases where data is handled by multiple third-party vendors or subcontractors.
As the Information Commissioner seeks permission to appeal, the DSG Retail Ltd case underscores the ongoing challenges in balancing effective data protection enforcement with the realities of modern business practices, where outsourcing and third-party processing are commonplace. While DSG’s case may seem like a technical dispute over the interpretation of specific legal provisions, it could have significant consequences for how data protection law is applied in the UK.
For businesses and data controllers, the outcome of this appeal could provide much-needed clarity about their responsibilities in protecting personal data. For individuals, it could help ensure that their personal information remains adequately protected, even when handled by third parties. The Court of Appeal’s decision, once made, will undoubtedly be a landmark moment in the evolution of UK data protection law.