On February 19, 2026, the UK Court of Appeal handed down its decision in DSG Retail Limited v The Information Commissioner [2026] EWCA Civ 140. The Court ruled that a controller’s data security duty applies to all personal data for which it acts as controller – irrespective of whether the information would constitute personal data in the hands of a third party (in this case, an attacker). Note that the case is concerned with events before the GDPR came into force, so the legal context is provided by UK Data Protection Act 1998 (“DPA 1998”), although the Court did take into account more recent jurisprudence, including CJEU case law.

The case adds useful colour to ongoing debates surrounding the definition of “personal data.” The Court of Appeal confirmed that a controller’s duty to implement appropriate measures to protect personal data applies to data that is “personal” from the perspective of the controller — even if a third-party attacker could not identify individuals from the exfiltrated dataset. This dovetails with the SRB v EDPS’s clarification that whether data is “personal” can depend on the context, while a controller’s obligations (such as transparency) must be assessed from the controller’s perspective at the relevant time (which, for the transparency principle, is at the time of collection of the data). (For more information on SRB v EDPS, see our prior post here.)

Background

  • Between 2017 and 2018, DSG Retail Limited (“DSG”) experienced a sustained cyber‑attack targeting point‑of‑sale systems across its retail network. Over a nine‑month period, attackers deployed malware to scrape transaction‑level card data and attempted to exfiltrate the captured information. More than 5.6 million payment cards were affected. A small subset of records included full card details and cardholder names. However, the majority consisted only of the 16-digit payment card numbers (“PAN”) and expiry dates (together referred to as “EMV data”), and the attackers did not obtain directly identifying information about cardholders, such as their names.
  • The Information Commissioner’s Office (“ICO”) found DSG to be in breach of its data security duty and issued a monetary penalty notice of £500,000.
  • The First‑tier Tribunal (“FtT”) upheld the ICO’s finding that DSG breached the data security principle under the DPA 1998, although it reduced the penalty by half. DSG appealed.
  • The Upper Tribunal (“UT”) set aside the FtT’s decision. The UT held that the data security principle under the DPA 1998 applies only to “personal data”, and that the data in question, the EMV data, did not constitute “personal data” from the attackers’ perspective because the attackers could not link that EMV data to specific individuals. As a result, the UT held that DSG did not have any security obligations with respect to such data. The ICO appealed.

Decision of the Court of Appeal

The Court of Appeal found that the FtT reached the right conclusion, and overturned the UT’s ruling. Specifically, the Court held that the controller is required to comply with the data security principle under the DPA 1998 with respect to data that is “personal” from the perspective of the data controller – regardless of whether the data might not be personal “in the hands of” or “from the perspective” of any other person.

Some key takeaways from the decision include:

Key Takeaway 1: Whose perspective applies when assessing whether data is “identifiable” turns on (1) the legal relationship between the relevant parties and (2) the sequence of events.

The Court of Appeal observed that the security duty arises from “the legal relationship between the data subject and the data controller.” The Court also noted that temporally, the duty first arises when the data controller is processing data that is “personal data” from the controller’s point of view.

In making these points, the Court relied on the CJEU’s analysis of the transparency obligation in SRB v EDPS. Specifically, the Court drew an analogy between the transparency duty and the security duty, noting that both duties are owed by the controller to the data subject, and both duties apply before any disclosure to third parties. This led the Court to find that, in the context of the data security duty, the perspective of the controller should apply when determining the identifiability of personal data – and not the perspective of the attackers.

The Court also distinguished the context of the DSG cyber attack from that of a deliberate disclosure of anonymized data in response to a freedom of information request, which was the case in Common Services Agency v Scottish Information Commissioner [2008] UKHL 47, [2008] 1 WLR 1550 (“CSA”). The Court pointed out that CSA dealt with a dataset that had been “rendered anonymous” before its disclosure to the public. The CSA case therefore concerned the deliberate disclosure of a “newly created sub-set of information” for the purposes of responding to a freedom of information request, which was different from the DSG cyber attack.

Key Takeaway 2: Legislative intent and the consequences of a particular interpretation are additional factors to consider.

The Court considered it implausible that—absent an explicit statement—the legislature intended to narrow the scope of the data security duty so that a controller would have no obligation to protect some parts of the data provided by the data subject. The Court also found that the fundamental right to privacy (which the data security duty was meant to protect) does not depend on the data being identifiable by a third-party attacker.

The Court also highlighted the potential consequences of a contrary reading—specifically, it noted that there would be no obligation for the data controller to protect data when a third party would be unable to identify the data subject from that data. In the Court’s view, third-party interference with data, even where the attacker is unable to identify the data subjects, can still be harmful. Moreover, the Court found it impractical to put controllers in a position where, in determining their data security obligations, they would need to assess whether attackers could re-identify individuals via “jigsaw” techniques.

The case will now return to the FtT to apply the Court’s legal interpretation to the facts of the DSG cyber attack.

***

Covington’s Data Privacy and Cybersecurity team regularly advises companies on their most challenging data protection and compliance issues in the UK, EU and other key markets. If you have any questions about the topics discussed in this article, please do not hesitate to contact us.

Sam Jungyun Choi

Recognized by Law.com International as a Rising Star (2023), Sam Jungyun Choi is an associate in the technology regulatory group in Brussels. She advises leading multinationals on European and UK data protection law and new regulations and policy relating to innovative technologies, such as AI, digital health, and autonomous vehicles.

Sam is an expert on the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act, having advised on these laws since they started to apply. In recent years, her work has evolved to include advising companies on new data and digital laws in the EU, including the AI Act, Data Act and the Digital Services Act.

Sam’s practice includes advising on regulatory, compliance and policy issues that affect leading companies in the technology, life sciences and gaming sectors on laws relating to privacy and data protection, digital services and AI. She advises clients on the design of new products and services, preparing privacy documentation, and developing data and AI governance programs. She also advises clients on matters relating to children’s privacy and policy initiatives relating to online safety.

Jadzia Pierce

Jadzia Pierce advises clients developing and deploying technology on a range of regulatory matters, including the intersection of AI governance and data protection. Jadzia draws on her experience in senior in-house leadership roles and extensive, hands-on engagement with regulators worldwide. Prior to rejoining Covington in 2026, Jadzia served as Global Data Protection Officer at Microsoft, where she oversaw and advised on the company’s GDPR/UK GDPR program and acted as a primary point of contact for supervisory authorities on matters including AI, children’s data, advertising, and data subject rights.

Jadzia previously was Director of Microsoft’s Global Privacy Policy function and served as Associate General Counsel for Cybersecurity at McKinsey & Company. She began her career at Covington, advising Fortune 100 companies on privacy, cybersecurity, incident preparedness and response, investigations, and data-driven transactions.

At Covington, Jadzia helps clients operationalize defensible, scalable approaches to AI-enabled products and services, aligning privacy and security obligations with rapidly evolving regulatory frameworks across jurisdictions—with a particular focus on anticipating enforcement trends and navigating inter-regulator dynamics.

Paul Maynard

Paul Maynard is special counsel in the technology regulatory group in the London office. He focuses on advising clients on all aspects of UK and European privacy and cybersecurity law relating to complex and innovative technologies such as adtech, cloud computing and online platforms. He also advises clients on how to respond to law enforcement demands, particularly where such demands are made across borders.

Paul advises emerging and established companies in various sectors, including online retail, software and education technology. His practice covers advice on new legislative proposals, for example on e-privacy and cross-border law enforcement access to data; advice on existing but rapidly-changing rules, such as the GDPR and cross-border data transfer rules; and on regulatory investigations in cases of alleged non-compliance, including in relation to online advertising and cybersecurity.