The Court of Appeal has revived a £500,000 fine against DSG Retail – the then parent company of Currys PC World and Dixons Travel – in a long-running legal battle with the Information Commissioner’s Office (ICO).
At the heart of the case was a deceptively simple question: are 16-digit card numbers and expiry dates “personal data” if they don’t include a name?
The answer from Lord Justice Warby was clear. Yes.
What happened in the original breach?
In 2017, attackers installed malware on more than 5,000 tills across DSG’s stores. The malicious software remained undetected for nine months.
During that time, hackers captured:
- Around 5.6 million payment card details (16-digit numbers and expiry dates)
- Personal information belonging to approximately 14 million individuals
The ICO later described the failings as relating to “basic, commonplace security measures” and issued a £500,000 penalty in 2020 under the Data Protection Act 1998 – the maximum fine available at the time, before GDPR came into force.
DSG challenged the fine. And that is where the legal argument became more nuanced.
The dispute did not centre on the wider personal information taken in the breach. Instead, it focused specifically on the card details – the long number and expiry date, but not the cardholder’s name.
DSG accepted that it, as the retailer, could link those numbers to real individuals. But it argued that the attackers could not identify customers from the card details alone.
Therefore, it said, those details should not count as “personal data” in the hands of the hackers.
The Upper Tribunal agreed with that reasoning and overturned the ICO’s fine. But the Court of Appeal has now reversed that decision.
Why the Court of Appeal sided with the ICO
Lord Justice Warby rejected the idea that personal data should be assessed solely from the perspective of the attacker. Instead, he confirmed that data must be viewed from the perspective of the data controller – in this case, DSG Retail.
If the organisation can link the data to an identifiable individual, then it is personal data. Full stop.
That means the legal duty to protect it applies, even if a third party cannot immediately identify someone from the information in isolation.
The judgment also addressed a wider risk: so-called “jigsaw identification”. In today’s world, fragments of data can be combined with other publicly available information to build a fuller picture of an individual.
Technology has made it far easier to locate, assemble and cross-reference disparate data sources. Even information that does not identify someone on its own may do so when combined with other datasets.
The court was clear that organisations cannot dismiss such risks as harmless.
Why this matters beyond one retailer
This ruling is about more than a £500,000 fine from nearly a decade ago.
It clarifies that:
- Organisations must protect all personal data they process
- They cannot avoid liability by arguing that hackers could not immediately identify individuals
- The duty to safeguard data does not disappear simply because stolen data is incomplete
Had the Upper Tribunal’s reasoning stood, the implications could have been significant. It might have weakened regulatory enforcement in cases involving ransomware or partial datasets. Instead, the Court of Appeal has strengthened the ICO’s hand at a time when cyber-attacks are becoming more frequent and more sophisticated.
The case will now return to the First-tier Tribunal to be reconsidered in light of the Court of Appeal’s judgment. DSG could seek to appeal further, potentially taking the matter to the Supreme Court. For now, however, the ICO’s position has been vindicated.
For consumers, that is good news: it reinforces that companies cannot sidestep responsibility for protecting your data simply because stolen information does not immediately include your name.