TITLE: United Kingdom's Information Commissioner's Office Wins Court of Appeal Case Against DSG Retail on Data Security Obligations BODY: On February 19, 2026, the Information Commissioner's Office (ICO), the United Kingdom's independent regulator for information rights, welcomed the Court of Appeal's (CoA) ruling in its appeal against DSG Retail Limited (DSG). The CoA judgment reinstated the ICO's interpretation of organisations' legal responsibility to keep personal data secure. In 2020, the ICO fined DSG £500,000 following a cyber attack that affected the personal data of at least 14 million people. DSG subsequently appealed the decision to the First-tier Tribunal (FTT) and Upper Tribunal (UT). The ICO appealed to the CoA in 2024 to seek clarification on a critical point of data protection law. The CoA judgment confirms that DSG was required to implement appropriate security measures to protect personal data from unauthorised access, regardless of whether individuals could be identified from the data exfiltrated by hackers. This ruling clarifies that organisations must protect all personal data they process, even if hackers cannot identify people individually from stolen datasets, as cyber attacks can still cause real harm. Binnie Goh, ICO General Counsel, stated the judgment strengthens the ICO's ability to take robust enforcement action and sends a clear message to organisations about their protective duty to safeguard personal data. Although rooted in the Data Protection Act 1998, the legal interpretation of the security duty by the CoA provides important guidance for similar requirements under the current data protection regime, including the United Kingdom General Data Protection Regulation (UK GDPR). The case will return to the FTT at a later date to apply this interpretation to the specific facts of the DSG cyber attack.

ICO wins Court of Appeal case in DSG Retail ruling | ICO

Pipeline Progress

🔄 Pipeline Journey