The Upper Tribunal (UT) appeal [DSG Retail Limited -v- ICO; see references] is important even though it relates to the DPA1998; the judgement has the potential to undermine the data breach reporting requirements of the UK_GDPR/DPA2018. This blog explains why this is the case, why legislative changes might prove to be necessary and, for good measure, provides details of two errors in the UT’s analysis.
The appeal concerns the meaning of “personal data” in the context of the security obligations of the DPA1998. In summary, the ICO’s position was as follows: DSG Retail had poor security and it reported the loss of 5.6 million credit card numbers and expiry dates. As a result the ICO levied a large Monetary Penalty Notice, originally £500K but later reduced to £250K.
DSG’s successful counter-argument was as follows: although the data lost by DSG Retail were personal data, the data were not personal data in the hands of the hackers. This was because data subjects could not be identified using “reasonable means” (the test described in Recital 26 of both Directive 95/46/EC and the UK_GDPR).
Because there were no personal data in the hands of the hackers, there could be no “substantial damage or distress” caused by the data breach (the threshold for a Monetary Penalty Notice under the DPA1998). So it followed that there should be no fine at all.
To cut to the chase, this latter view was preferred.
Why an impact on the UK_GDPR?
First, the UT stressed that the parties to this appeal accepted (i.e. the ICO accepted) “… that the relevant provisions of the ‘new’ regime under the Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR) are materially the same”.
Second, the UT concluded that if there were to be a hacking incident involving a controller’s personal data, and if the data exposed were not personal data in the hands of the hacker, then there would be unlikely to be a risk to data subjects.
It follows that, in UK_GDPR terms, a personal data breach involving millions of credit card details (as in DSG Retail) would not even be reportable as a personal data breach, because that breach “is unlikely to result in a risk to the rights and freedoms of natural persons” (the threshold in A.33(2)), assuming the hackers do not know who holds which credit card.
Yes, there has been a personal data breach on the part of the controller, but there is no risk to data subjects as the hackers are unable to re-identify data subjects using reasonable means (see Recital 26, UK_GDPR).
It then follows that such a personal data breach is not reportable to the ICO, and it also follows that the ICO will remain unaware of serious mega-breaches of security of this type.
This is a consequence of the UT conclusion: “As the risk to be guarded against is the risk of data processing by third parties, the question of whether personal data is involved is to be judged from the perspective of the data that the third parties can access (rather than the entirety of the data held by the data controller)” (my emphasis of para 123).
Of course it could be claimed that the controller has breached other security provisions (e.g. the requirements in A.32). But if the ICO is unaware of this kind of non-reportable security breach, it is difficult to see how these provisions are enforced.
This explains why a change in the law might be needed (e.g. requiring the controller to report to the ICO large personal data breaches involving millions of records, irrespective of the risk to data subjects).
The history relates to FOI
Readers steeped in freedom of information legislation (FOI) should recognise the dilemma of whether a third party requestor holds personal data or not. It arises, for example, when a FOI requestor asks for statistical data which are derived from personal data; for instance, “how many late abortions were there in the North of England last year”.
Quite clearly, in the hands of the NHS the information is personal data, as the NHS knows the identity of the patients having late abortions. However, in the hands of the FOI requestor, the number of late abortions does not lead to the identification of these patients (using the “reasonable means” available to the requestor).
It then follows that a public authority (e.g. an NHS body) that received this type of FOI question would not be able to apply the FOI exemption associated with the protection of personal data, because in the hands of the requestor the requested statistics do not lead to the identity of any data subject.
This differs from an FOI request of the form: “how many pupils, attending St. Mary’s School in Putney, were excluded last term?”. In this case, naming the particular school means it is quite simple to go to the school in the morning and ask the Mums in the playground: “who has been excluded?”.
With this latter type of FOI request, the exemption to protect personal data does apply because in the hands of the requestor, the statistics can lead to the identification of data subjects using “reasonable means”.
As an aside, for anyone who wants to explore the current case-law on this dilemma (which gave rise to the ICO’s idea of a “motivated intruder” test), this UT judgement is highly recommended.
So did the UT get it wrong (error 1)?
The first problem is that the UT, to arrive at its conclusions, over-relied on the “motivated intruder” test as formulated by the ICO. This test permeates the UT’s discussions of “personal data”.
The judgement approvingly quotes the ICO’s “motivated intruder” test:
“… assumes that the ‘motivated intruder’ is reasonably competent, has access to resources such as the internet, libraries, and all public documents, and would employ investigative techniques such as making enquiries of people who may have additional knowledge of the identity of the data subject or advertising for anyone with information to come forward.
The ‘motivated intruder’ is not assumed to have any specialist knowledge such as computer hacking skills, or to have access to specialist equipment or to resort to criminality such as burglary, to gain access to data that is kept securely.” (my emphasis of para 14 of Judgement).
Now please answer the following YES/NO question: do you expect a hacker, who has used unlawful means to exfiltrate DSG’s data, to only use lawful means as a motivated intruder to complete the identification of data subjects?
Or do you think it reasonable to assume that our motivated intruder would also rely on unlawful means (e.g. to complete identification of data subjects by searching the dark web to see if anyone had, for example, lists of credit card numbers linked to credit card holders)? If you agree that this is a reasonable assumption, then the motivated intruder justification, as used by the UT, falls.
Another way of looking at it is as follows: what is the point of gaining unlawful access to credit card numbers and expiry dates, if the person does not then try to link the credit cards to the data subjects?
This is not the UT’s conclusion. It stated that the lower Tribunal (FTT) failed to consider:
“…the risks that shortcomings in security gave rise to, not simply by reference to what actually happened in the attack. This will involve consideration of what a motivated attacker could and could not have obtained data-wise from the DSG estate as a result of the [security] shortcomings. The FTT's decision has not addressed this”. (My emphasis of para 127).
So did the UT get it wrong (error 2)?
You will note that the UT’s reasoning in para 127 (quoted immediately above) relies on the identification details that transform the hacked data into personal data coming from DSG Retail’s other personal data holdings, and not from other sources (e.g. the dark web). This assumption dominates the UT’s judgement.
For instance, the UT states that the lower Tribunal did not consider:
- whether the data exfiltrated by the hacking attack “could be linked by a motivated attacker to other data put at risk by DSG that would identify the cardholders in question” (para 173(ii)), or
- whether “a motivated attacker could and could not have obtained data-wise from the DSG estate as a result of [security] shortcomings” (para 127).
The UT’s standpoint is generalised as follows:
“If a third party can only obtain anonymous data and the key to any pseudonymised material remains behind a [secure] wall [under DSG control] then, accessing that vanilla data would not amount to an “unauthorised or unlawful processing of personal data”.” (para 114). (The term “vanilla data” is used by the UT to describe anonymous data.)
Hence the UT’s conclusion:
“Accordingly, the FTT’s decision involved a material error of law in deciding that there had been a contravention of the DPA 1998 ….without determining whether that data would be personal data in the hands of third parties who could access all the data put at risk by DSG’s failings”.
Concluding comment
Fortunately, the UT did not overturn the case entirely, as it focused on resolving the “issue of construction” and “a question of law of special difficulty”. Consequently, it referred the substantive issues back to a newly convened First-tier Tribunal that would use the UT’s case-law determinations as its starting point.
In summary, a fresh Tribunal view of the facts, fettered by the UT’s (dodgy) reasoning.
So will the ICO fight a second case at the FTT using the points raised in this blog which were not considered at the UT?
Given that these legal proceedings relate to the DPA1998 and were commenced by the previous Commissioner, I would not be surprised if the current Commissioner threw in the towel and withdrew the Monetary Penalty Notice. After all, the UT’s judgement will be difficult to set aside.
However, if “towel chucking” is the order of the day, then this judgement, because of the similarities of the personal data position in the DPA1998 and in the UK_GDPR (as agreed by the ICO – see above), has the potential to undermine data breach reporting under the UK_GDPR in the circumstances of a non-reportable mega personal data breach of the kind experienced by DSG Retail.
Fortunately, the Government has just published new data protection related legislation: the Data (Use and Access) Bill (see references). What better place to amend the law to ensure that the UT’s view does not prevail?
References
The Upper Tribunal case: DSG Retail Limited -v- Information Commissioner [2024] UKUT 287 (AAC)
The text of the Data (Use and Access) Bill can be found on: https://bills.parliament.uk/bills/3825/publications
Winter Data Protection Courses
The following BCS Practitioner or Foundation courses can be attended in person, or via Zoom, or as a mixture (i.e. part Zoom, part attendance just in case “stuff happens on the day”).
- Data Protection PRACTITIONER Course is in London on Monday, 18 Nov to Friday, 22 Nov and Monday, 20 Jan to Friday, 24 Jan 20 Sept (5 days: 9.30am to 5.30pm).
- Data Protection FOUNDATION Course is in London (December 8-10: Tuesday to Thursday, 3 days: 9.45am to 5.00pm).
- Remember our specialist DP qualification for those in Education.
More details on the Amberhawk website: www.amberhawk.com or email [email protected].