UK Court of Appeal Clarifies Data Security Obligations for Data Controllers

On February 19, 2026, the UK Court of Appeal issued a ruling in the case DSG Retail Limited v The Information Commissioner ([2026] EWCA Civ 140). The decision clarified that a data controller’s obligation to ensure data security under UK law applies to all personal data for which it acts as a controller. The case involved legal analysis by Sam Jungyun Choi, Jadzia Pierce, and Paul Maynard of Covington and Burling, who reported on the judgment. The ruling pertains to the interpretation of personal data within the context of data security obligations. No specific technical details, breach impacts, or CVE identifiers were mentioned in the summary.