On 19 Feb., the U.K. Court of Appeal handed down its decision in DSG Retail Limited v. The Information Commissioner.

The court held that where a controller processes personal data, the controller can't use the fact that data is anonymous in the hands of a third party, which — unlawfully — accessed the data, to argue that the controller had no obligation to take appropriate measures to keep the data secure in the first place. If the data is personal from the perspective of the controller, then the security principle applies to the controller. The court did not make any finding as to the actual security measures that would be necessary in such a situation. 

The Court of Appeal canvassed relevant U.K. and EU case law in the area, noting that the concept of "personal data" is inherently broad and that cases must shape and mold it to suit particular contexts. This is a useful reminder. Decisions on the meaning of personal data respond to the particular set of facts. It can sometimes be difficult to apply conclusions to other scenarios, and more cases in this area seem inevitable.

Background

In 2017–18, DSG Retail Limited was the subject of a cyberattack. Over approximately nine months, attackers scraped data from the retailer's point of sale devices. The 16-digit primary account number and expiration date of 5.6 million card transactions were exfiltrated. For these specific cards, cardholder names were not obtained. The U.K. Information Commissioner imposed a fine of 500,000 GBP on DSG Retail Limited, the statutory maximum under the U.K. Data Protection Act 1998.

DSG Retail Limited appealed. It persuaded the Upper Tribunal there was an error of law on the basis that the risks to be protected against should depend on whether the data is personal in the hands of the attacker. The Upper Tribunal accepted that if the data were anonymous in the hands of the attacker, then there could be no unauthorized or unlawful processing of personal data by the attacker — and, therefore, no risk of unlawful personal data processing for the controller to seek to mitigate.

Upper Tribunal decision would have created a gap with no obligation to protect against ransomware

The Court of Appeal was concerned this logic would create significant gaps. In particular, it would mean there would be no need to protect against ransomware in circumstances where the attacker cannot identify data subjects. 

Given these significant risks, it is not surprising that the Court of Appeal overturned the Upper Tribunal decision. The Court of Appeal concluded that a broader approach was consistent with a literal reading of, and the purpose of, the legislation. The Court of Appeal referenced the CJEU's SRB decision, noting that its approach was consistent with the principle expressed there. 

GDPR obligations likely wider than ratio of the decision

The cyberattack predated the U.K. General Data Protection Regulation. Under the DPA 1998, personal data meant "data which relate to a living individual who can be identified — a) from those data, or b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller." 

The Court of Appeal noted that this is narrower than the equivalent definition in the Data Protection Directive and the GDPR. Under the DPA 1998, limb (a) covers situations where data subjects can be identified — by anybody — from the data itself, and limb (b) covers situations where the data subject can be indirectly identified — by information available to the controller only. By contrast, Recital 26 of both the directive and the GDPR requires consideration of identification by the controller "or by any other person."

The court's conclusion is specific to the narrower definition in the DPA 1998; if the data is personal from the perspective of the controller, then the controller is obligated to comply with the security principle and it is unnecessary to consider the further question of whether the data may be personal for anyone else. 

However, the court did go on to note that, as the directive broadens the scope of identifiable data, the most obvious consequence of this would be that the security principle should also be read more expansively and that an "available conclusion would be that the risks against which a data controller is required to guard include ... also the risk of unauthorised or unlawful processing of data ... by a third party to whom the individual is indirectly identifiable, even if the individual is not identifiable to the data controller."

As the concept of personal data under the directive and GDPR is the same, this suggestion would be applicable to the GDPR. The court pointed to the CJEU's decision in the Scania ruling to support this approach. 

U.K. case law links to freedom of information, so is of limited relevance

The leading U.K. case on anonymization is the House of Lords' decision in Common Services Agency v. Scottish Information Commissioner. The Court of Appeal concluded this was of no particular assistance to the issues here — as CSA was concerned with the status of information once disclosed to the public pursuant to a freedom of information request.

That case law perhaps suggests a more permissive approach than current ICO guidance

As Lord Justice Mark Warby noted, CSA is known for being an impenetrable judgment. He stated that the principal speech in CSA concluded data would only be indirectly identifiable "if an individual was indirectly identifiable to someone from the data 'taken together' with 'other information.' As he put it, 'each of these two components must have a contribution to make to the result.' If the data were 'put into a form from which' no individual could be identified 'even with the assistance of other information from which they were derived' they would not be personal data. It would not matter even if the 'other information' itself identified the individual(s). In that situation, 'it will be the other information only, and not anything else in 'those data' that would lead him to the result."

Warby goes on to conclude that the essential grounds of this decision are that if "a data controller deliberately processed an existing set of personal data so as to create and then disclose a separate and independent sub-set of those data which was truly anonymised, in the sense that it contained nothing that identified or was capable of contributing to the identification by anyone of any individual to whom the data related, then the resulting sub-set would not be 'personal data' even to the data controller and its disclosure would not involve the processing of 'personal data.' The decision was framed as giving effect to the language and purposes of the proviso to Recital 26."  

The ICO's Anonymisation Guidance states that, in the situation described above, the data would only be anonymous in the hands of the controller if the controller destroys the source data. In light of Warby's comments, this guidance seems unnecessarily restrictive. The ICO should reassess this.

Ruth Boardman is partner and co-head of the International Privacy and Data Protection Group at Bird & Bird.