Security obligations under GDPR still apply, even if data is anonymous in the hands of an attacker

Bird & Bird's Ruth Boardman explains the U.K. Court of Appeal's decision in DSG Retail Limited v. The Information Commissioner and what it means for security obligations under the GDPR.

Contributors:
Ruth Boardman
Partner, Co-head, International Data Protection Practice
Bird & Bird LLP
On 19 Feb., the U.K. Court of Appeal handed down its decision in DSG Retail Limited v. The Information Commissioner.
The court held that where a controller processes personal data, the controller can't use the fact that data is anonymous in the hands of a third party, which — unlawfully — accessed the data, to argue that the controller had no obligation to take appropriate measures to keep the data secure in the first place. If the data is personal from the perspective of the controller, then the security principle applies to the controller. The court did not make any finding as to the actual security measures that would be necessary in such a situation.
The Court of Appeal canvassed relevant U.K. and EU case law in the area, noting that the concept of "personal data" is inherently broad and that cases must shape and mold it to suit particular contexts. This is a useful reminder. Decisions on the meaning of personal data respond to the particular set of facts. It can sometimes be difficult to apply conclusions to other scenarios, and more cases in this area seem inevitable.
Background
In 2017–18, DSG Retail Limited was the subject of a cyberattack. Over approximately nine months, attackers scraped data from the retailer's point of sale devices. The 16-digit permanent account number and expiration date of 5.6 million card transactions were exfiltrated. For these specific cards, cardholder names were not obtained. The U.K. Information Commissioner imposed a fine of 500,000 GBP on DSG Retail Limited, the statutory maximum under the U.K. Data Protection Act 1998.