UK Court Rules Duty to Safeguard Personal Data Extends to Hacked Pseudonymised Data in DSG Retail Ltd v The Information Commissioner
Client Alert | 7 min read | 03.23.26
In a significant ruling on the application of data protection law in the United Kingdom, on 19 February 2026 the UK Court of Appeal (CA) ruled in favour of the UK Information Commissioner (ICO) in its appeal against the decision of the Upper Tribunal (UT) in DSG Retail Ltd v The Information Commissioner [2026] EWCA Civ 140. The ruling clarifies the scope of data controllers’ security obligations in respect of pseudonymised personal data and confirms that a controller’s duty to safeguard personal data is not diminished merely because a cyber attacker who exfiltrates that data would be unable to re-identify the individuals concerned.
The central question raised by the ICO’s appeal was whether the law requires controllers to protect personal data from unauthorised access regardless of whether the relevant data subjects could be identified from data exfiltrated by unauthorised bad actors.
The CA supported the ICO’s grounds for appeal, holding that pseudonymised data processed by a controller under the Data Protection Act 1998 (DPA 1998) remains personal data from the controller’s perspective, even where the individuals to whom the personal data relates would not be identifiable by a third party, provided that the controller retains the means to identify the individuals concerned.
This judgment overturned the UT’s earlier ruling in favour of DSG Retail Limited (DSG) and confirmed the nature and extent of the security duty in respect of pseudonymised personal data. Although this case relates to the DPA 1998, which predates UK GDPR, the ruling is relevant to the current UK data protection regime. It underlines the importance of understanding pseudonymisation and the risks of re-identification in respect of personal data, as well as the security duty to which controllers are subject.
Key Facts
- DSG suffered a cyber breach in 2017-2018 that exposed a large volume of payment card data and affected at least 14 million individuals.
- The stolen data was, in many cases, limited to EMV data (the 16-digit primary account numbers (PANs) and expiry dates of the relevant payment cards); no cardholder names or CVV codes were compromised.
- The definition of “personal data” under the DPA 1998 covers data relating to living individuals who can be identified from that data and other information in the possession of, or likely to come into the possession of, the controller.
- Under the DPA 1998, the EMV data on its face constituted personal data in DSG’s hands, because DSG held corresponding information enabling it to identify the relevant individuals.
- In 2020, following an investigation, the ICO found DSG to be in breach of the seventh data protection principle set out in the DPA 1998, which concerns the security of personal data, and imposed the then-maximum fine of £500,000 under the DPA 1998.
- DSG appealed the ICO’s decision and the fine to the First-tier Tribunal (FTT), arguing that the EMV data would not constitute personal data in the hands of the attackers because they lacked the additional information needed to identify the individuals to whom the data related.
- In July 2022, the FTT reduced the original fine to £250,000. DSG was also granted leave to appeal the FTT’s decision to the UT on various limited grounds.
- In 2024, the UT allowed DSG’s appeal and remitted the case to the FTT to be reconsidered.
- The ICO considered that the UT had misinterpreted the law in finding that organisations are not required to take appropriate measures against unauthorised or unlawful processing by a third party where the data is personal data in the hands of the controller but not in the hands of that third party.
- The ICO appealed to the CA, which allowed the appeal and remitted the case to the FTT.
The CA’s Decision
- The CA noted that the definition of personal data in the DPA 1998 covered (a) direct identifiability by anyone and (b) indirect identifiability by the controller, but made no direct reference to indirect identifiability by a third party (for example, a hacker), leaving a gap in the definition in this regard.
- The CA found that the security duty applied to all personal data processed by a data controller and that there is no reason to conclude that such duty falls away, or is qualified, in circumstances where a third party cannot identify the relevant data subjects.
- The CA held that the security duty applies where data constitutes personal data from the controller’s perspective; the controller’s perspective is determinative. This overturned the UT’s conclusions, which had turned on whether the data comprised personal data from an attacker’s perspective. A hacker’s ability to identify data subjects is irrelevant to whether the data constitutes personal data in the controller’s hands.
- The security duty therefore applies to pseudonymised data held by a controller for as long as the data subjects remain identifiable to the controller, whether or not a hacker could re-identify them. The CA confirmed, however, that truly anonymised data, from which no individual can be identified by anyone, including the controller, does not constitute personal data and so falls outside the scope of the security duty.
- In conclusion, the CA found that DSG had a duty to safeguard the relevant personal data from unauthorised processing regardless of whether the attackers could actually identify the individuals to whom the breached data related.
UK and EU: Pseudonymisation
The CA’s ruling confirms controllers’ obligations in respect of the security duty and the meaning of “personal data” under the DPA 1998, underscoring that a controller's security obligations do not fall away merely because a hacker lacks the means to re-identify the data subjects concerned.
The CA reaffirmed that the previous EU Data Protection Directive 95/46/EC (Directive) requires a broad interpretation of "personal data" and that, logically, this could not lead to a narrowing of controllers' security obligations. The CA also identified the "surprising" consequence that would have followed from the UT's ruling: a controller would not have been obliged to take measures against the risk of deliberate third-party interference with data it held.
The Information Commissioner’s guidance on pseudonymisation under the UK GDPR notes that, where a recipient does not hold the additional information needed to identify the individual and re-identification is not reasonably likely, the data may be treated as not constituting personal data in that recipient's hands. The CA’s ruling makes clear, however, that controllers cannot rely on a third party's inability to re-identify as a basis for avoiding their own security obligations.
The CA’s ruling comes at a time when issues around the definition of personal data and pseudonymised data are also being considered by the EU, as reflected in the EU's Digital Omnibus proposal of November 2025. Interestingly, the Digital Omnibus endorses a more perspective-based approach to the issue of what constitutes personal data.
The Digital Omnibus proposes amendments to the definition of “personal data” in the EU GDPR and departs from the previous absolute approach, under which data that a controller can link to an identifiable individual is treated as personal data for every other entity or person as well, irrespective of whether those entities or persons can identify the data subject. In its place, the Digital Omnibus proposes a relative approach, under which the classification of data as personal data is assessed from the perspective of the entity processing it.
The Digital Omnibus proposal, which reflects the approach taken in certain recent EU case law, provides that pseudonymised personal data would fall outside the scope of EU GDPR where the entity processing such data is unable to re-identify the individuals to whom the data relates, even where the data would constitute personal data in the hands of a third-party recipient with the means to re-identify those individuals (for further details, see Crowell’s previous article on the EU Digital Omnibus). This approach seems broadly consistent with the UK position, though the recent CA ruling makes it clear that where data is personal data in the controller’s hands, security obligations apply in full, regardless of whether an attacker could re-identify the relevant data subjects.
The approach set out in the Digital Omnibus is not without its critics. Most recently, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have expressed concerns that amending the definition of personal data in the ways suggested could narrow the legal concept of personal data in a manner that undermines the security of individuals’ data rights. It remains to be seen, however, what the final version of the Digital Omnibus proposal will look like in practice.
Commentary
The CA’s ruling points towards the emergence of a relative, perspective-based assessment of what constitutes “personal data” in the UK. Multinational controllers should note, however, the important reminder highlighted by this recent judgment that a controller's security obligations are not diminished merely because a hacker lacks the means to re-identify data subjects.
ICO General Counsel Binnie Goh has reinforced this position, stating that the ruling confirms to all organisations that “even if hackers can't identify people individually from stolen datasets, cyber-attacks can and do still cause real harm.” This is a timely reminder, given the ever-increasing volume of publicly accessible data and the evolving sophistication of re-identification techniques — and the inevitability of cyber incidents.
Organisations should ensure that their data security measures extend to all data that constitutes personal data from the controller's perspective, irrespective of whether third parties could re-identify individuals, and incident response plans should be updated to reflect that a breach of such data is a breach of personal data even where the exfiltrated records carry no direct identifiers. While pseudonymisation remains a valuable risk mitigation tool, it does not relieve controllers of their security obligations.
Crowell would like to thank Phoebe Kinsman for her contribution to this alert.