Marks & Spencer has avoided a courtroom showdown and substantial fine after winning an appeal against the Information Commissioner’s Office (ICO) over a data leak.

An enforcement notice issued by the ICO against M&S in January was dropped last week after the retailer met its demands to encrypt all of its laptops.

The notice followed the theft of a contractor’s laptop containing pension details of 26,000 employees in April last year.

Failure to comply with an enforcement order is a criminal offence punishable by an unlimited fine if taken to Crown Court.

M&S’s victory came as the ICO moves closer to being able to impose substantial fines on those it deems to have committed serious breaches of the Data Protection Act “deliberately or recklessly”.

In May, the Criminal Justice and Immigration Act received Royal Assent, creating sanction options for the privacy watchdog; these sanctions cannot be imposed retrospectively.

M&S’s appeal, which was lodged in February, was due to be heard in September.

In a letter from M&S IT director Darrell Stein to the ICO on July 8, M&S said it had completed the encryption process.

An M&S spokeswoman said: “We firmly believe this was the right decision, particularly given that following the theft we voluntarily commenced the encryption process in October 2007, several months before the enforcement notice was issued.”

M&S added that no employees had reported problems resulting from the loss of data contained in the laptop.

M&S was advised by IT and technology consultancy Morse, IT infrastructure service provider Computacenter and lawyers Field Fisher Waterhouse.