At its core, data protection law is concerned with the protection of personal data. As a result, the boundaries for what is and isn’t personal data are fundamental to determining when legal obligations apply.  

The definition of “personal data” has been subject to recent scrutiny in both the EU and the UK. The results will have a lasting impact on how data protection laws apply across increasingly complex information ecosystems. In this article, we explore some of the recent case law and commentary on this topic in both the UK and the EU.

What’s happening in the UK? 

Last week, the Court of Appeal issued their decision in DSG v ICO. This decision is the latest development in a long-running debate regarding whether certain data held by DSG constituted “personal data” and therefore triggered security obligations in the event of a cyber attack. 

In 2017-2018, DSG (a retailer trading under brands including Currys and PC World) was hit by a cyber-attack. The attackers installed malicious software on point-of-sale terminals and, over a period of 9 months, stole the details of over 5.6 million payment cards. Most of the cards were protected by chip-and-PIN and, in those cases, the attackers only obtained the 16-digit card number and the expiry date; they did not obtain cardholder names or any other information which could identify cardholders. DSG, however, did hold information which could be used to identify cardholders from their payment card data.

As the cyber-attack took place before the GDPR and Data Protection Act 2018 came into force, the ICO investigated DSG under the Data Protection Act 1998. The ICO determined that the payment card data was “personal data” and that DSG had failed to apply appropriate security measures to protect it, and issued a fine of £500,000 against DSG (the maximum fine available at that time). DSG appealed the fine, arguing that, as the 16-digit card number and expiry date were not “personal data” in the hands of the attackers, DSG was not under a statutory duty to protect the security of the data and should not have been fined.

The case escalated to the Court of Appeal, which last week ruled in favour of the ICO and clarified that, because the payment card data was personal data in the hands of DSG, DSG was subject to data protection laws, including security obligations, in respect of that data. The court considered the overall purpose of data protection laws and highlighted the “surprising” consequence of DSG’s argument, which would absolve controllers of responsibility for cyber attacks depending on the resources available to an attacker to re-identify individuals from compromised datasets. The case has now been sent back to the First-tier Information Tribunal to apply this principle to the facts of DSG’s cyber attack.

To an extent, the issues raised in this case were subsequently addressed by the revised definition of “personal data” when the GDPR came into force, as this introduced the concept of “indirect” identification and clarified that “pseudonymous data” should be treated as personal data.

However, some of these concepts are now subject to change in Europe, potentially resulting in further divergence between UK and EU data protection laws.

What’s happening in the EU?

In September 2025, the European Court of Justice issued their ruling in EDPS v SRB which, similarly to the DSG case in the UK, evaluated when data should be treated as “personal data”.

The SRB is the EU’s Single Resolution Board, which is a central authority for supporting failing banks and financial institutions in the EU. In the course of running a consultation concerning a Spanish bank, the SRB shared consultation responses from creditors and shareholders of the bank with Deloitte. The SRB took steps to replace any individual names with alpha-numeric codes, so that individuals would not be directly identifiable to Deloitte. When some of the creditors and shareholders discovered their consultation responses had been shared with Deloitte, they raised complaints with the European Data Protection Supervisor (EDPS), arguing that the SRB had failed to inform them that their data would be shared. The SRB maintained the position that, because it had pseudonymised the data, it had not shared “personal data” with Deloitte and had therefore not breached its transparency obligations.

The Court of Justice ultimately ruled in favour of the SRB, adopting a relative approach to the definition of “personal data”. They confirmed that one dataset can, in the hands of one party, be treated as “personal data”, but in the hands of another party, that exact same dataset can be anonymous. This depends on the other information and resources available to that party to be able to identify or re-identify individuals from the data.

Not long after the Court of Justice decision, the European Commission published their Digital Omnibus Regulation, including proposals for amendments to the GDPR. Amongst the proposals is a change to the definition of “personal data” to clarify that information will not automatically be “personal data” just because it may be identifiable by another person.

However, the Omnibus Regulation is at the start of what is anticipated to be a long judicial process, and the proposed change to “personal data” has already been subject to challenge. On 11 February 2026, the European Data Protection Board and the EDPS issued a joint decision criticising the proposed changes, arguing that they go further than the Court of Justice decision and confuse the status of pseudonymous data. The Omnibus Regulation continues to undergo scrutiny from the European Parliament and the European Council.

What does this mean for businesses and organisations?

These cases demonstrate that, while the legal definition of “personal data” is in flux, there is a broad consensus that whether or not data is “personal data” should be assessed from the perspective of the holder of that data (i.e. “in the hands of” the party holding it). In light of this, organisations should consider taking the following steps:

  • Understand your data – critically assess data in the hands of the organisation to understand whether that data is personal, pseudonymous, anonymised or non-personal data. This will help you to map out your responsibilities and identify key risk areas.

  • Security is paramount – if there is any doubt as to whether information is “personal data”, the safest approach is to apply robust security measures that can withstand scrutiny from a regulator in the event of a breach.

  • Re-assess anonymisation techniques – if your organisation uses anonymised data, steps should be taken to assess the effectiveness of the anonymisation and where the information sits on the spectrum of identifiability. This can change over time as more data touchpoints are collected, and should be re-assessed regularly.

  • Contracting requirements – where your business is sharing personal data with other parties, whether as processors, separate controllers or joint controllers, you should be clear about anticipated data flows, the status of the parties and the status of the data being shared, and ensure any mandatory contractual protections are captured.

For support with this and other data protection or cyber security queries, please contact our Data Privacy & Cyber Security team.

Written by

Jo McLean

Director

GDPR & Data Protection

jo.mclean@burnesspaull.com +44 (0)131 473 6016
