High Court of Justice

Court of appeal clarifies scope of “personal data” in DSG Retail ruling

The Court of Appeal has allowed the Information Commissioner’s appeal, overturning the Upper Tribunal’s decision and remitting the case to the First-tier Tribunal for reconsideration, in the long-running enforcement action against DSG Retail Ltd.

For data protection practitioners, the judgment provides important clarification on how “personal data” is to be assessed under the Data Protection Act 1998 (DPA 1998), with obvious relevance to GDPR-era enforcement.

Background to the penalty

The underlying breach occurred in 2017, when malware was installed on 5,390 point-of-sale tills across DSG’s Currys PC World and Dixons Travel stores. The compromise persisted for approximately nine months.

The incident involved:

  • 5.6 million payment card records (16-digit PANs and expiry dates)
  • Personal data relating to approximately 14 million individuals

In 2020, the Information Commissioner’s Office issued a £500,000 monetary penalty notice (MPN), the statutory maximum under the DPA 1998. The Commissioner characterised the failings as relating to basic security controls.

DSG appealed the MPN. The procedural history is as follows:

  •  The First-tier Tribunal allowed the appeal in part, and reduced the penalty to £250,000
  • The Upper Tribunal allowed a further appeal and ordered the matter to be reconsidered
  • The Court of Appeal has now allowed the Commissioner’s appeal on the point of law and sent the case back to the First-tier Tribunal to be determined in line with its judgment.

The core legal issue

The appeal did not concern the wider personal dataset. Instead, it focused narrowly on whether payment card numbers and expiry dates — absent cardholder names — constituted “personal data” for the purposes of the DPA 1998.

DSG accepted that it could identify data subjects by linking the card data to its internal systems. However, it argued that the correct perspective was that of the malicious actor. If the attacker could not identify individuals from the compromised data alone, then the data should not be treated as personal data in that context.

The Upper Tribunal accepted that reasoning. The Court of Appeal did not.

Lord Justice Warby held that identifiability must be assessed from the perspective of the data controller, not the attacker.

Where the controller is able to identify individuals from the dataset it holds, the data falls within the statutory definition of personal data. The obligation to implement appropriate technical and organisational measures therefore attaches, regardless of whether a third party could immediately identify the individual from the compromised subset.

This is a significant clarification. It rejects any interpretation that would narrow regulatory protection based on the capabilities of a threat actor at a given moment.

The Court also addressed the risk of “jigsaw identification”. Even where a dataset does not directly identify an individual, it may do so when combined with other information reasonably likely to be available.

The judgment acknowledges the increased sophistication of data aggregation and cross-referencing technologies. In practical terms, it would be artificial — and potentially dangerous — to assess identifiability in isolation from the broader data ecosystem.

For practitioners, this reinforces a contextual and realistic approach to identifiability, consistent with broader EU data protection principles (including those reflected in Recital 26 GDPR), even though the case was decided under the DPA 1998.

Enforcement implications

Had the Upper Tribunal’s reasoning stood, it may have constrained enforcement in cases involving:

  • Ransomware exfiltration of partial datasets
  • Tokenised or pseudonymised data
  • Payment card or financial identifiers without names.

The Court of Appeal’s judgment strengthens the regulator’s position in such scenarios. It confirms that organisations cannot rely on the technical limitations of an attacker to dilute their own compliance obligations.

The matter now returns to the First-tier Tribunal for reconsideration in light of the Court of Appeal’s ruling. DSG may seek permission to appeal further, potentially to the Supreme Court.

Practical takeaways for firms

For law firms advising corporate clients, the message is clear:

  • Identifiability remains controller-focused
  • Partial datasets can still constitute personal data
  • Security obligations attach even where the compromised data appears incomplete.

For claimant practitioners, the judgment may also influence arguments around materiality and risk in group litigation arising from cyber incidents.

In short, the Court of Appeal has reaffirmed a broad and purposive interpretation of “personal data”. In an era of increasingly fragmented and aggregated data use, that clarity is likely to resonate well beyond this particular breach.

At Join the Claim, we will continue to track and translate developments like this, supporting both consumers and the firms representing them as collective redress continues to evolve.

Find out how we help law firms build stronger group claims

This information is for general guidance only and does not constitute legal or financial advice.

You may also like:

  • Environment, News, Vehicle

Can BMW drivers claim compensation for the diesel emissions scandal?

BMW faces legal action over emissions-cheating software. Learn what the scandal involves, who is affected, and what it means for UK diesel car owners.
  • Data Breach, Financial, News

Capita data breach: Legal response & ongoing investigations

Capita’s data breach exposed pension holders’ personal data. Stay updated on the latest legal action, investigations, and regulatory responses.
  • News, Vehicle

Jaguar Land Rover DPF claims vs. dieselgate: What you need to know

Confused about Jaguar Land Rover DPF claims vs. Dieselgate? Learn the key differences, legal actions, and how to check if you qualify for compensation.

Latest news & insights

Supermarket workers: You could have multiple equal pay claims
Worked at more than one supermarket? You could have multiple equal pay claims. Find out if you're eligible and how to take action today.
Next equal pay ruling: What it means for supermarket workers
Next store workers won their equal pay claim—could supermarkets be next? Find out how this ruling could impact retail employees and equal pay claims.
Icons of major social media applications are displayed on a smartphone screen with the United Kingdom flag in the background. Discussions are ongoing in the UK regarding strict age verification measures and a potential ban on social media usage for minors under 16.
UK set to ban under-16s from social media in landmark move
The UK government has announced plans to ban under-16s from social media. We explain what has been proposed.
Close-up of a person using a smartphone with the ChatGPT app open.
Are ChatGPT conversations appearing in Google search results? Here’s what we know.
Reports claim ChatGPT conversations are appearing in Google search results. We examine what's really happening.
Woman holding iPhone with logo of application Booking.com on the screen, using mobile application
Booking.com faces proposed £2 billion consumer claim over hotel prices
A proposed £2 billion claim alleges Booking.com's pricing practices inflated hotel costs for millions of UK travellers. Here's what we know so far.
Warning to supermarket store workers: If you want equal pay compensation, you’ll need to claim it!
Many UK supermarket workers are confused about equal pay claims. Learn why backpay isn’t automatic and what opt-in group actions really mean.
Close-up of the NHS - National Health Service logo on the exterior of St. Thomas Hospital in London, UK
What is the NHS Single Patient Record, and why is it being debated?
Plans for a NHS Single Patient Record moved a step closer last week. But there are important questions about privacy & data security.
Teenagers with smartphones on social media near white wall indoors
Social media is facing growing scrutiny. Here’s why.
Explore the growing debate around social media safety, online harms, platform accountability, child safety, addictive features and digital rights.
An expert hacker is decrypting data while hiding their face
Hackers are changing tactics – and it could mean more data breaches
Hackers are increasingly exploiting software vulnerabilities rather than stealing passwords. Here's what that could mean for UK consumers.
Managing the validity of digital document checklists
New data complaint rules are coming in June 2026
New data protection complaint rules take effect on 19 June 2026. Find out what organisations must do and what the changes mean for consumers.
Hand holding a digital ID card with user profile symbol.
Digital ID plans move into next phase — but key questions remain
The government's digital ID plans have entered a new phase with the launch of a 120-member People's Panel. 
Text STUDENT LOAN visible through magnifier, money and stack of books on light table against blackboard
Why plain English matters in financial agreements
A new parliamentary inquiry found thousands of graduates did not properly understand their student loan terms. Here’s why plain English matters in financial products and legal agreements.
Woman is shocked from the rising energy costs and the bill she received for heat and electricity for her household.
UK energy bills to rise again as Iran conflict hits gas prices
UK household energy bills are set to rise by 13% from July 2026 after global gas prices surged during the Iran conflict. Here’s what it could mean for households.
Black British passport on UK Union Jack flag close up
UK visa portal data leak exposes passports and personal documents 
Thousands of passport scans and personal documents were reportedly exposed online after a third-party UK Visa Portal website left files publicly accessible.
boy scrolling through social media on his mobile phone
Is social media the next “big tobacco”?
The UK government is considering tougher social media restrictions for children. Could this lead to large-scale legal claims against tech platforms?
View all news

Did you know we have a newsletter?

Sign up for our newsletter to stay up to date.

We connect consumers with their legal dream teams to ensure they get the compensation and support they deserve.

claims
About
Legal
Connect

Join the Claim is not a law firm. We connect individuals with top law firms for group action claims, and our service is free to use. While we may receive a fee from the law firms we introduce you to, this will not affect your costs or compensation. We are not responsible for the advice or services provided by these firms. Please note, nothing on this website is legal advice, and while we check claim eligibility, we cannot guarantee a law firm will accept a case.

Join the Claim is a trading name of Join the Claim Limited, authorised and regulated by the Financial Conduct Authority (FRN: 1053404). Registered in England and Wales, Company No: 16245278. Registered office: 32 Eyre Street, Sheffield, S1 4QZ.

© Join the Claim All Rights Reserved |

2026
Go to claims