Opinion

When does payment card data qualify as personal data? English court gives new guidance on this question

Published Date
Nov 4 2024
The Upper Tribunal (UT) has overturned a decision by the First-tier Tribunal (FTT), relating to a Monetary Penalty Notice (MPN) that was issued by the Information Commissioner (ICO). 

All of this stemmed from a cyber-attack on the in-store payment systems of an electronics retailer, DSG Retail Limited (DSG), which took place between July 2017 and April 2018. The attackers were able to obtain data which included the unique 16-digit numbers on each credit or debit card (the PAN) and expiry date of over 5 million payment cards.

How did we get here?

Following an investigation, the ICO issued an MPN in January 2020 for “a serious contravention” of the seventh data protection principle (DPP7) in the Data Protection Act 1998 (DPA 1998) which applied because the incident pre-dated the UK GDPR. The ICO imposed a fine of GBP500,000, which was the maximum available penalty. DPP7 was the equivalent of the security principle in the GDPR, providing that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”. In the MPN, the ICO (a) concluded that the PAN and expiry dates could have been combined with other data in DSG’s possession to identify the individuals, and was therefore personal data, and (b) identified ten “distinct and fundamental inadequacies in DSG’s security systems” which contravened DPP7. 

DSG successfully appealed the MPN to the FTT, who reduced the fine to GBP250,000. In doing so, the FTT found that the majority of the security inadequacies identified in the ICO did not contravene DPP7 but that DPP7 had been breached because senior managers had been made aware of certain key matters including a critical security vulnerability relating to DSG’s patch management and an issue with DSG’s password policy. DSG then appealed this decision to the UT. 

What did the Upper Tribunal decide?

The key issue in the appeal was whether the PAN and expiry dates qualified as personal data because they could be combined with other information in DSG’s possession to identify the cardholders, or if the correct test was to combine the PAN and expiry dates with information rendered vulnerable to the attacker. The UT found that the second approach was right, requiring the FTT to re-consider the case on that basis. The UT also found that the FTT had erred in law by finding that the contravention of DPP7 was serious, without assessing the applicable standard or how far below it DSG’s conduct had fallen.

What does this mean?

Although the decision relates to the DPA 1998 and the UT made clear that it had not considered the provisions of the UK GDPR, the equivalent principles are similar (or, as the parties put it, “materially the same”). On that basis, the UT’s reasoning should apply in data breaches resulting from cyber-attacks, where PAN and expiry dates are taken and relevant breaches of Articles 5(1)(f) and/or 32 are found to have occurred. In such cases, it should now follow that PAN and expiry dates are not treated as personal data, unless the attacker could have linked that data to other data put at risk by the security breach, in order to identify the cardholders in question.

We understand that the ICO is seeking permissions to appeal the UT's judgment.