27 Feb 2026

The Court of Appeal’s decision in DSG: implications for data breach liability and regulatory action

Introduction

The Court of Appeal provided important judicial clarification last week on the obligations of controllers of personal data in its judgment in DSG Retail Ltd v The Information Commissioner.

Although the case considered the Data Protection Act 1998 (“DPA 1998”) as the applicable legislation to the facts of a cyber attack which occurred some time ago (see below), the decision will have application to the current Data Protection Act 2018 / UK General Data Protection Regulation.

In summary, information can still be personal data which a data controller must secure, even if a third party cannot identify a living individual from it. This has important implications for organisations’ responses to personal data being hacked, or otherwise unlawfully accessed.

The facts of the case

DSG Retail Ltd (“DSG”), the owner and operator of businesses including Dixons, Currys PC World and Carphone Warehouse, suffered a significant cyberattack in 2017-2018 exposing the personal data of a substantial number of its customers, including more than 5.6 million payment cards. However, a significant proportion of those exposed payment cards were protected by “chip and pin”/“EMV”, which meant that the information available to the cyber attackers was limited to the 16-digit card number (“PAN”) and EMV data, rather than cardholders’ names or other information which would enable them to identify the relevant cardholders.

ICO investigation and fine

After investigating the cyber attack, the Information Commissioner found that DSG had breached the seventh data protection principle under the DPA 1998 (“DPP7”), which requires controllers to take appropriate technical and organisational measures (“ATOMs”) against unauthorised or unlawful processing of personal data.

The ICO imposed a substantial fine of £500,000, the maximum permitted under the DPA 1998; the maximum possible under the 2018 legislation would have far exceeded that figure.

First-tier Tribunal decision

DSG appealed the decision, contesting both the ICO’s findings and the legal basis for regulatory action. The First-tier Tribunal (“FtT”) initially upheld the ICO’s decision, though it did reduce the penalty.

Upper Tribunal decision

DSG appealed again to the Upper Tribunal (“UT”), which reversed the findings of the FtT on the issue and concluded (as summarised at para 6 of the Court of Appeal’s decision) that “third-party acquisition of data was not “unauthorised or unlawful processing of personal data” against which ATOMs had to be taken, if the data themselves did not identify the individuals to whom they related and the third party had no other means of identifying those individuals”.

The Court of Appeal’s decision

The ICO appealed the UT’s decision on a single ground that the UT had erred in law by holding that a data controller is not required to take ATOMs against unauthorised or unlawful processing of data by a third party, where the data is personal data in the hands of the controller, but not in the hands of the third party.

The Court of Appeal’s judgment provides a comprehensive summary of the underlying legislation and relevant authorities in reaching the Court’s decision that DPP7 does require a data controller to take ATOMs against processing by a third party of data that relate to an individual who is identifiable to the controller, but not to the third party.

The effect of that decision is to guard against the risks identified by the ICO in its appeal (see para 33 of the Court of Appeal’s decision): “On the UT’s approach a data controller would, for instance, have no duty to protect against malicious third-party action to destroy or alter personal data held by the data controller, where the third party could not identify the data subjects. The Commissioner would have no basis for taking regulatory action against such a data controller. Finally, it was submitted that the case law cited by the UT does not, on a proper analysis, support its approach.”

The case will now return to the FtT for the financial penalty which DSG must pay to be finally determined, in accordance with the principles set by the Court of Appeal in its judgment.

What does the decision mean for controllers of personal data?

  • Data controllers must implement ATOMs to protect personal data – both historically under the DPA 2018 and also to comply with the security obligations under the UK GDPR / DPA 2018.
  • Complying with ATOMs is not a static obligation; it requires ongoing assessment and adaptation as threats evolve.
  • The adage “fail to prepare, prepare to fail” could not be more relevant in the context of modern cyber and wider data vulnerabilities: indeed, the Court noted carefully in its judgment the prevalence of deliberate third-party interference with data and considered “…it self-evident that such activities are capable of causing significant material and non-material harm to data subjects”.
  • Although responding to any third-party interference is necessarily a fluid (and often fast-moving) process, any failure to keep pace with industry standards and known vulnerabilities can lead to regulatory action and/or civil liability (e.g. damages claims by affected data subjects), even if an attack is perpetrated by a malicious third party.
  • Knowing the personal data you hold as a controller generally, and in the instance of a breach what might have been subject to unauthorised or unlawful access, is critical in discharging your duties to implement ATOMs.
  • Good data governance mechanisms such as:
      • regularly reviewing and updating security policies, incident response plans and cybersecurity defences;
      • documenting risk assessments and remedial actions taken; and
      • ensuring staff training is up to date and tailored to current threats;
    are imperatives in managing those risks, rather than “nice-to-dos”.

By focusing on proactive security, engaging with industry standards, and preparing for both regulatory and litigation risks, organisations can better protect themselves and their customers in an increasingly hostile digital environment.

We have significant experience in advising organisations in effective preparations for responding to data breaches. Please do not hesitate to contact us if we can assist.
