The Information Commissioner’s Office is not giving up on its fight against DSG Retail – now rebranded as Currys – after seeking permission to appeal an Upper Tier Tribunal ruling which the regulator claims has “misinterpreted the meaning of personal data”.
The protracted and complex case actually dates back to 2017, when an attacker installed malware on 5,390 tills at Currys PC World and Dixons Travel stores, collecting personal data from July of that year right up until the hack was finally detected in April 2018. This was weeks before GDPR came into force – and with it the potential for much larger fines.
In its original ruling, made in January 2020, the ICO found that the retail company’s failure to secure the system allowed unauthorised access to 5.6 million payment card details used in transactions and the personal information of about 14 million people, including full names, postcodes, email addresses and failed credit checks from internal servers. It fined the firm the maximum at the time, £500,000.
However, DSG launched an appeal, the result of which was published in July 2022. The presiding judge criticised much of the regulator’s case and slashed the monetary penalty to £250,000.
Even so, DSG was still not satisfied, and was subsequently granted permission to appeal that decision on a limited number of grounds. In the resulting 2024 ruling, published late last month, the tribunal not only allowed DSG’s appeal, it remitted the case to be re-decided.
But the ICO is now seeking permission to appeal this latest decision at the Court of Appeal.
The regulator argues that the ruling makes it clear that the duty on an organisation to put in place appropriate technical and organisational measures to guard against the risks of unauthorised or unlawful processing of personal data is an anticipatory one.
The obligation is to take precautionary steps to guard against those security risks and this duty is breached if the appropriate measures are not taken, whether or not those risks materialise, the ICO claims.
The regulator reckons the tribunal interpreted the law incorrectly by finding that an organisation is not required to take appropriate measures against unauthorised or unlawful processing of data by a third party, where the data is personal data in the hands of the controller but not in the hands of the third party.
Commissioner John Edwards said: “We welcome the tribunal’s clarity that organisations have an anticipatory duty to put in place measures to keep people’s information safe. But it is my view the tribunal misinterpreted the meaning of personal data in this context. This is a core concept of data protection law, and we are seeking clarification so there’s certainty for organisations and people’s information is better protected.
“The DPA 1998 was clear – organisations must put technical and organisational security measures in place to protect personal data, irrespective of whether this data is pseudonymised. We have seen many cases where people have been affected when malicious actors have accessed, deleted or encrypted pseudonymised personal data, for example when medical or financial data is compromised.
“Similar security requirements apply in the current data protection regime (UK GDPR), so it’s crucial that we seek clarification on this important issue from the courts.”