The ICO Called It a "Significant Victory". Try Telling That to 14 Million People Who Got Nothing.
The Court of Appeal judgment landed on 19 February 2026. Within hours, the ICO's General Counsel, Binnie Goh, issued a statement calling it "a significant victory, bringing much-needed clarity for people affected by cyber attacks as well as industry."
She is not wrong about the legal significance. Lord Justice Warby's ruling in DSG Retail Limited v The Information Commissioner [2026] EWCA Civ 140 closes a genuinely dangerous argument that had been gaining traction in the tribunal system. The "attacker perspective" theory, the idea that card data stolen by hackers was not "personal data" because the hackers themselves could not immediately identify individuals from numbers alone, had already convinced the Upper Tribunal in 2024. Warby's judgment definitively shuts that route.
That matters. It matters for ransomware enforcement, for supply chain breach cases, for any data protection action involving partial or fragmented stolen data. The ruling sets important precedent and the ICO is right to welcome it.
And yet.
Fourteen million people had their data exposed when malware sat undetected on 5,390 payment terminals for nine months. Today, most of them have no realistic compensation route and never will.
That is not what a functioning victim-centred enforcement system looks like.
What "Victory" Actually Means Here
Let me be precise about what the February 2026 ruling achieves and what it does not.
The Court of Appeal has confirmed that DSG's failure to protect its card data constituted a breach of its data protection duties. The fine of £500,000, the maximum available under the old Data Protection Act 1998, has been reinstated in principle, though the case returns to the First-tier Tribunal for further consideration of the quantum.
That fine, divided across 14 million victims, works out at approximately three and a half pence per person.
DSG has been fighting this since 2020. The legal process across First-tier Tribunal, Upper Tribunal, and Court of Appeal will have cost both sides sums that almost certainly exceed the fine itself, several times over. Public money from the ICO's budget. Private shareholder money from DSG. Six years of lawyers, barristers, and judges, all to determine whether a household-name retailer had to pay a fine that represents a rounding error on its legal budget.
Meanwhile, individual claimants exhausted their limitation periods.
The disclosure happened in June 2018. The standard limitation period under the Limitation Act 1980 for a breach of statutory duty is six years, running from when the breach occurred and damage was suffered. For the majority of victims who became aware of the breach in 2018, that clock expired around June 2024. Some legal teams argued the clock should run from the ICO's January 2020 fine notice, which would give until January 2026. By February 2026, when the Court of Appeal confirmed DSG's liability, most practical routes to fresh claims had closed.
The system validated the victims' grievance and denied them a remedy in the same stroke.
The Behavioural Economics of Slow Enforcement
I study how organisations make decisions about risk. The DSG case is a masterclass in how enforcement design shapes corporate behaviour in ways that regulators do not always intend.
When enforcement is slow, capped, and judicially reviewable at every step, organisations run a cost-benefit analysis. The question is not, "have we breached our legal duties?" The question becomes: "is the expected cost of getting caught and losing greater than the cost of compliance, discounted by the probability of successful appeal and the time value of delayed payment?"
Under the Data Protection Act 1998, with a maximum fine of £500,000 and an appeal process that stretches across multiple tribunals and potentially the Court of Appeal, that calculation frequently favoured contest over compliance. A large retailer's annual legal budget dwarfs half a million pounds. The financial case for fighting a DPA 1998 fine was often compelling from a purely commercial standpoint.
This is not cynicism. It is observed behaviour. DSG fought a £500,000 fine for six years. That is not the behaviour of an organisation deterred by the enforcement regime. That is the behaviour of an organisation that correctly identified the enforcement regime as negotiable.
The lesson is uncomfortable but important: if you want organisations to invest in security, the consequences of failure need to be faster, larger, and less avoidable than they were under the old system.
Does UK GDPR Change This?
In theory, significantly. In practice, it is more complicated.
Under UK GDPR and the Data Protection Act 2018, the ICO can now impose fines of up to £17.5 million or 4% of global annual turnover, whichever is higher. For a company the size of Currys, a 4% global turnover fine for a breach affecting 14 million people would be a genuinely material sum. The deterrent arithmetic changes substantially.
The ICO has also shown an increased appetite for significant enforcement action in recent years, with fines against major organisations running into the millions.
But several structural issues remain. The investigation process is still slow. The appeals infrastructure is unchanged: First-tier Tribunal, Upper Tribunal, Court of Appeal, and theoretically the Supreme Court. A determined and well-funded defendant can still extend the process for years. The cultural pattern of "appeal everything as a default" has not evaporated simply because the fine ceilings went up.
The Data (Use and Access) Act 2025 introduced further changes to the UK's data protection landscape that will continue to evolve. The ICO is developing its enforcement approach under the new regime. Whether the enforcement culture becomes meaningfully faster and more predictable remains an open empirical question.
What we can say with confidence is that the Court of Appeal ruling makes the law clearer and removes some of the definitional arguments that contributed to DSG's early success in the appeal process. Future enforcement cases should, in principle, resolve more quickly because the basic scope of personal data obligations is now judicially confirmed.
In principle.
The Victim Question That Nobody Is Answering
The aspect of this case that receives least attention is the one I find most troubling: the gap between regulatory vindication and individual remedy.
UK GDPR does allow individuals to claim compensation directly from controllers under Article 82 for material and non-material damage, including distress. The Vidal-Hall decision in 2015 confirmed that distress-only claims are available in English courts. So the architecture for individual compensation exists.
What the DSG litigation revealed is that the practical route to exercising that right is narrow and time-limited. Distress claims without quantifiable financial loss face significant hurdles in English civil procedure. Limitation periods run without regard to the pace of the regulatory process. Specialist claimant firms, which serve as the practical gateway for group actions, apply their own commercial logic to whether cases are economically viable.
Fourteen million people is a very large number in the abstract. In litigation practice, it becomes a population of claimants who individually suffered moderate, diffuse, hard-to-quantify harm, with no clean causation between the breach and specific financial damage. That is a difficult case to bring economically, even under no-win-no-fee arrangements.
The result is a system where the regulator can vindicate the principle and the victim sees none of the consequence.
What Small Business Owners Should Take From This
If you run a small or medium-sized business and you handle other people's data, here is what the DSG saga tells you that is actually useful.
Do not assume the regulatory system will clean up the mess after a breach. It moves slowly, favours well-funded defendants, and delivers very little to the people actually harmed. The meaningful protection you can offer your customers is the work you do before anything goes wrong.
The ICO's accountability principle under UK GDPR requires you to demonstrate that you thought about data protection and took reasonable steps. That documentation requirement is not bureaucratic overhead. It is your evidence base if you ever face an investigation. It also represents something valuable to your customers: demonstrable proof that you took their data seriously.
The Warby test from the Court of Appeal gives you a clear instrument: if you can link the data to a person, it is personal data and you have a protective duty. Apply that test to everything you hold. Map it, protect it, document it. Do not wait for enforcement to tell you what you already know.
How to Turn This Into a Competitive Advantage
The gap between regulatory enforcement and individual victim remedy is a problem. But the business owner who understands it has an advantage.
Your customers cannot rely on the ICO to make them whole after a breach. What they can rely on is your choice not to have the breach in the first place. That reliability, evidenced through transparent data stewardship practices, is a genuine differentiator in markets where data is exchanged.
Publish your data protection commitments in plain English. Not a privacy policy written by lawyers for lawyers, but a clear statement of what you collect, how you protect it, who has access, and what you would do if something went wrong. Make the comparison easy for your customers. Let them see that you are the operator who treats their data as a responsibility, not a resource.
How to Sell This to Your Board
The three questions for your board are these.
If we had a breach today, what would we be able to tell our customers about the steps we had taken to prevent it? Could we demonstrate a data map, an access review policy, and active monitoring? Or would we be issuing a "we are very sorry" email and hoping for the best?
What would a £17.5 million fine do to our business? That is now the realistic upper bound for serious data protection failures under UK GDPR. Not £500,000. Not a negotiable line item. Seventeen point five million pounds. Does our current investment in data security reflect that exposure?
And when we last reviewed our data inventory and access controls, what did we find? If the honest answer is "we haven't," that is your agenda for the next board meeting.
What This Means for Your Business
One: review your data protection documentation against the controller's perspective test confirmed by the Court of Appeal. If you can link data in your systems to real people, it is in scope. No exceptions for partial records.
Two: do not rely on the regulator to protect your customers after the fact. The DSG case ran from 2017 to 2026 and most victims ended up with nothing. Your pre-breach choices are the only protection that actually works.
Three: treat the ICO's accountability principle as an asset, not a burden. The documentation you create in meeting that requirement is also your reputational protection and your competitive differentiator. Use it.
| Source | Article |
|---|---|
| ICO | ICO wins Court of Appeal case in DSG Retail ruling |
| Courts and Tribunals Judiciary | DSG Retail Limited v The Information Commissioner [2026] EWCA Civ 140 |
| The Register | ICO wins battle in fight to fine tech retailer £500k |
| ICO | Penalties – Information Commissioner's Office |
| ICO | Guide to Accountability and Governance – UK GDPR |
| Cybernews | UK data watchdog wins court battle, £500K fine against DSG retail stands |
| Mayer Brown | UK GDPR and the price of non-compliance: ICO issues new guidance on calculating fines |
| Decision Marketing | ICO appeal 'victory' fuels fresh personal data warning |