Last Update: 04/05/2026 at 2:50 PM EST
Courts Clarify Personal Data Scope
Coverage from Inside Privacy, National Law Review, and others
Articles
3
Latest Article
03/18
Active Days
28
Executive Summary
UK and EU privacy rulings refine when data counts as personal, shaping security duties, disclosure rules, and rectification rights
- UK Court of Appeal held controller perspective governs whether data is personal for security duties
- DSG Retail breach involved malware scraping card data from point-of-sale systems over nine months
- ICO had fined DSG 500000 pounds after more than 5.6 million payment cards were affected
- Court rejected the view that attacker perspective limits the data security duty under DPA 1998
- EDPB and EDPS warned the Digital Omnibus could narrow the GDPR scope for personal data
- EU opinion backed a contextual recipient-based test for identifiability and pseudonymized data
- Scottish appeal court treated school risk assessment data as mixed personal data and upheld compensation
Quick Facts
- What: They clarified how personal data scope is assessed
- Where: United Kingdom and European Union
- Why: To define privacy duties security obligations and rectification rights
- Who: UK and EU courts regulators and controllers
- When: February 2026 decisions and opinions
Coverage Timeline: 28 Days
Featured Article
UK Court of Appeal on February 19 2026 confirms controller perspective governs identifiability in data security duties following the DSG Retail breach.
Additional Articles
⭐⭐⭐⭐⭐
EDPB and EDPS issue joint opinion on Digital Omnibus on February 10 2026 in the EU addressing personal data scope under GDPR.
⭐⭐⭐
The Sheriff Appeal Court in Scotland rejected a public authority argument that school risk assessment ratings were not the parent data subject, upholding UK GDPR compensation after delayed rectification.