The Court of Appeal recently handed down a long-awaited judgment addressing the scope of the security duty on data controllers to protect personal data. In many respects, the judgment confirms the status quo: if a controller can identify data as personal data based on other information it holds, then it must treat and protect that data as personal data.
However, of particular interest are the obiter comments of Lord Justice Warby. Relevant to breach risk assessments and damages, these comments emphasised that it will "often prove impossible to rule out the risk that unauthorised access to part of a data set, which does not itself identify any individual, could lead to processing by some unknown third party with (legitimate) access to the means of identification."
Warby LJ observed the risk of the 'jigsaw effect', whereby other pieces of publicly accessible information could, when combined, reveal an individual's identity. Although his comments leave unresolved how the 'jigsaw effect' should be approached, Warby LJ has made it clear that data controllers cannot simply dismiss the possibility of such identification or their responsibility to protect against it.
Summary
The judgment is the latest chapter in a longstanding dispute between the Information Commissioner's Office (ICO) and DSG Retail Limited (DSG) following a cyber-attack on the retailer between 2017 and 2018.
The attack resulted in transaction details being scraped from more than 5.6 million payment cards, although only a small number of cardholder names were obtained. The Court of Appeal restored the ruling of the First‑tier Tribunal that DSG had breached its security duty under the pre-GDPR Data Protection Act 1998 (the "DPA 1998").
The duties under the DPA 1998 and GDPR are materially similar, and as noted by the ICO, "the legal interpretation of the security duty by the [Court of Appeal] offers an important guide to similar requirements in the current data protection regime."
The Court of Appeal ruling confirms that information such as payment card numbers can qualify as personal data if the data controller is able to identify the associated individual, regardless of whether a cyber attacker can do so.
When assessing a potential breach, the question of whether exfiltrated data constitutes personal data must be analysed from the perspective of the controller (considering all the information held by the controller) rather than from the perspective of the third party who accessed it. The judgment also confirms that similar instances must be reported to the ICO where the controller can identify individuals from the compromised data, reinforcing the ICO's authority.
Importantly, the Court of Appeal emphasised that controllers must consider the risk of 'jigsaw' identification - where separate data points may be combined to identify an individual. The judgment emphasised that it will often be impossible to rule out the risk that apparently non‑identifying data could be used by another party with access to additional information.
Background
DSG was subject to a cyber-attack in 2017 and 2018, affecting its point-of-sale terminals and 5.6 million payment cards. The vast majority of the card information taken was identified as EMV data, specifically card numbers and expiry dates. The ICO investigated the breach and issued a monetary penalty notice (MPN) of £500,000 for breaches of the seventh data protection principle (DPP7) under the DPA 1998.
DPP7 stated that when processing personal data, data processors have a duty to ensure that "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data." DSG was found to have failed to take these appropriate technical and organisational measures and to have allowed the unauthorised or unlawful processing of personal data.
DSG appealed to the First-tier Tribunal, arguing that DPP7 did not require protection against third-party acquisition of EMV data because such data would not be "personal data" in the hands of the third parties. The First-tier Tribunal ("FTT") rejected DSG's argument, holding that it was sufficient that the EMV data was personal data in DSG's hands. The financial penalty was upheld but reduced by half.
DSG appealed to the Upper Tribunal ("UT"). Reversing the FTT's findings, the UT concluded that whether third-party acquisition of EMV data involved personal data must be analysed from the perspective of the third party, in this instance, the cyber criminal. The UT held that if a third party could not identify the individuals, the acquisition did not constitute unauthorised or unlawful processing of personal data, and appropriate technical or organisational measures were not required.
Submissions and judgment
The ICO appealed to the Court of Appeal, arguing that the UT's interpretation was unduly narrow and inconsistent with the statutory language and legislative purpose. The ICO submitted that, on the approach of the UT, "a data controller would, for instance, have no duty to protect against malicious third-party action to destroy or alter personal data held by the data controller, where the third party could not identify the data subjects." DSG argued that the approach of the UT was correct: it had no duty under the DPA 1998 to protect against access to or use of personal data by a third party that could not identify the individual(s) to whom the data relates.
The Court of Appeal considered the DPA 1998, EU Data Protection Directive 95/46/EC, and relevant case law in the UK and EU courts and found that the language, context and purpose of DPP7 required controllers to safeguard personal data regardless of whether an attacker could identify individuals.
The definition of personal data was considered to be clear, as was the general duty imposed on controllers to comply with the data protection principles. The language used contained no express or implicit indication that the general duty was expanded or limited by any indirect identifiability by a third party. Furthermore, there was no basis within the DPA 1998 to find that DPP7 should be read in the way DSG contended.
UK case law such as CSA v Scottish Information Commissioner was not applicable. That case held that fully anonymised data is no longer 'personal data' and can be disclosed under freedom of information legislation. However, the Court of Appeal distinguished CSA, noting that it concerned deliberate anonymisation and disclosure, not the security duty owed by a data controller.
The Court of Appeal also referred to the CJEU decision in Scania (a GDPR decision), which found that Vehicle Identification Numbers (while not personal data on their own, as they do not identify any natural person) could be considered personal data when combined with other information, such as registration certificates containing the owner's personal details. This principle was summarised in the SRB v EDPS decision, where the CJEU held that "data which are in themselves impersonal may become 'personal' in nature where the controller puts them at the disposal of other persons who have means reasonably likely to enable the data subject to be identified ... where those data are put at their disposal - those data are personal data both for those persons and, indirectly, for the controller."
Reflecting on DPP7, the Court of Appeal held that it seemed unlikely that the legislators intended to "restrict the scope of that duty so that a data controller has no obligation to safeguard some parts of [the] data."
The interpretation by the UT created the risk of gaps in protection, exposing data subjects to harm from malicious third-party actions, such as ransomware attacks, even where the attacker is unable to identify the individuals involved.
Concluding, the Court of Appeal held that information qualifies as 'personal data' when it falls within the definition, one of the criteria being that the data subject is identifiable to the data controller. The security duty under the DPA 1998 required the data controller to safeguard that data against unauthorised or unlawful processing. In summary, if the data is 'personal' from the perspective of the data controller, it is not necessary to consider whether it is personal data from the perspective of, or in the hands of, any other party. The ICO's appeal was allowed, and the case has been remitted to the FTT for determination in accordance with this judgment.
Obiter Dictum and the 'jigsaw effect'
Although Warby LJ emphasised that the Court of Appeal was not tasked with determining whether the attackers could, in fact, identify cardholders by obtaining additional information, he nevertheless observed that a controller can never rule out identification arising through the 'jigsaw effect', where other pieces of publicly accessible information could, when combined, reveal an individual's identity.
Following any personal data breach, a controller must, in accordance with the GDPR, consider the risks posed to a data subject. Unless a risk is unlikely, the controller must notify the ICO; and if a high risk is likely, then it must notify affected data subjects. Typically, that risk assessment would be based on the particular data set that was impacted. However, if Warby LJ's obiter comments are applied, then the data controller cannot rule out the possibility that the compromised data could be combined with other publicly accessible information. For example, even if a date of birth or postcode is absent from the breached dataset, such information may still be publicly obtainable elsewhere, creating the potential for identification through the "jigsaw effect".
Warby LJ recognised the inherent difficulty of assessing the risk of 'jigsaw' identification. However, his comments offer little guidance to data controllers, as they neither rule out the possibility nor indicate what should be treated as "likely" or proportionate in a risk assessment. Equally, while his observations may assist claimants seeking to rely on the jigsaw effect, the burden remains on them to demonstrate that such identification is, on the facts, likely.
