On 1 April 2020, the UK Supreme Court handed down its ruling in WM Morrison Supermarkets plc v Various Claimants [2020] UKSC 12.  The Court ruled that Morrisons was not vicariously liable for a data breach deliberately perpetrated by an employee.  The judgment is significant in that it overturned the decisions of the two lower courts (the High Court and Court of Appeal) and provides guidance for employers on when they may be held vicariously liable for data breaches and other violations of the GDPR involving employees, who act as independent controllers in their own right.

Facts

Mr Skelton, a senior auditor employed by Morrisons, was entrusted, during his employment, with providing payroll data of Morrisons employees to KPMG, which was performing an audit.  After supplying the relevant data to KPMG, Mr Skelton, in a deliberate attempt to harm his employer, copied the payroll records of approximately 100,000 Morrisons employees onto a USB stick.  He subsequently uploaded the contents of the USB stick to a public file-sharing website before posting the link to the data file on other websites, thus triggering a personal data breach.

A group of existing and former Morrisons employees impacted by the breach later filed a series of claims against Morrisons, alleging breach of section 4(4) of the Data Protection Act 1998 (“DPA 1998”), misuse of private information, and breach of confidence.  (Note that Mr Skelton was also separately prosecuted and found to have breached the DPA 1998 as a data controller of the personal data that he stole from Morrisons.)  The claims were brought on the basis that Morrisons should be held vicariously liable for the acts committed by Mr Skelton.  They were grouped together into a Group Litigation Order, so that they were case managed collectively, and tried based on test cases.

Decision of the lower courts

As we previously reported, the High Court found that although Morrisons could not be held primarily liable, as it was not directly responsible for the breach, the supermarket was vicariously liable for Mr Skelton’s wrongdoing.  The judge held that there was “sufficient connection between the position in which Skelton was employed and his wrongful conduct, put into the position of handling and disclosing the data as he was by Morrisons (albeit it was meant to be to KPMG alone), to make it right for Morrisons to be held liable ‘under the principle of social justice…’.”  The High Court rejected Morrisons’ argument that the DPA 1998 excluded the possibility of a finding of vicarious liability.

Morrisons appealed the decision to the Court of Appeal, but the appeal was dismissed.  The Court of Appeal found that the data breach committed by Mr Skelton occurred “within the field of activities assigned to him by Morrisons” and that his activities constituted “a seamless and continuous sequence” or “unbroken chain of events.”  In reaching their conclusions, the High Court and Court of Appeal relied heavily on an interpretation of the rules for vicarious liability set out in an earlier decision of the UK Supreme Court, Mohamud v WM Morrison Supermarkets plc [2016] UKSC 11 (“Mohamud”).

Decision of the UK Supreme Court

The Supreme Court confirmed, in clear terms, that the lower courts’ judgments were wrong.  The Court focused on two questions: (1) was Morrisons vicariously liable for Skelton’s conduct? and (2) if so, does the DPA 1998 exclude the imposition of vicarious liability for torts committed by an employee data controller?

  • Was Morrisons vicariously liable for Skelton’s conduct?

The UK Supreme Court disagreed with the lower courts’ interpretation of the test for establishing vicarious liability, per the decision in Mohamud.  The Court, instead, looked to an older House of Lords judgment, Dubai Aluminium Co Ltd v Salaam [2002] UKHL 48 (“Dubai Aluminium”), in order to consider the test “afresh”.

Under Dubai Aluminium, when assessing whether vicarious liability arises out of an employment relationship, a court must decide “whether the wrongful conduct was so closely connected with acts the employee was authorised to do that, for the purposes of the liability of his employer, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment.”  The Court deemed this to be an “authoritative” statement of the law, as subsequently applied in Mohamud.

The Supreme Court went on to note, contrary to the opinion of the lower courts, that the employee’s motives are highly material when assessing whether the wrongful conduct undertaken by the employee is “closely connected” to the activities that he or she was authorized to do by the employer.  Specifically, a distinction must be drawn between (1) an employee who is engaged, however misguidedly, in furthering his or her employer’s business; and (2) an employee who is engaged solely in pursuing his or her own personal interests (i.e., acting “in the course of an independent venture of his own” or “going on a frolic of his own”).

On the facts at hand, the Court found that Morrisons should not be held vicariously liable for Mr Skelton’s breaches of data protection law.  This was on the basis that it was “abundantly clear that Skelton was not engaged in furthering his employer’s business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta…”  Applying the test in Dubai Aluminium, the Court concluded that “Skelton’s wrongful conduct was not so closely connected with acts which he was authorised to do that, for the purposes of Morrisons’ liability to third parties, it can fairly and properly be regarded as done by him while acting in the ordinary course of his employment.”

  • Does the DPA 1998 exclude the imposition of vicarious liability for torts committed by an employee data controller?

Although the Supreme Court was not required to decide this point, it nonetheless expressed its view that the DPA 1998 does not exclude the imposition of vicarious liability on an employer for torts committed by an employee – regardless of whether the tort concerns a breach of the DPA 1998, misuse of private information and/or breach of confidence.  In expressing this view, the Supreme Court indicated that an employer could be found strictly vicariously liable for an employee’s conduct, even if the employer was not itself at fault.

Significance

Overall, this case will give some comfort to employers.  The Supreme Court stated clearly that an employer cannot be held liable for actions of an employee who commits an illegal act in pursuance of their own independent venture that is unrelated to activities they are authorized to undertake on behalf of their employer.

On the other hand, it seems that an employer can continue to be held vicariously liable for the wrongful conduct of an employee where (1) the employee acts as an independent controller, and (2) the unlawful conduct is “closely connected” with acts that the employee in question is authorized to undertake.  An example of this could be where an employee accidentally triggers a data breach while performing duties for his or her employer – incidents that are not uncommon for businesses across all industries.

The significance of this case should also be considered alongside the Court of Appeal’s judgment in another data protection-related claim, Richard Lloyd v Google LLC [2019] EWCA Civ 1599 (“Lloyd”) (see our summary of that decision here).  In that case – currently on appeal to the UK Supreme Court – the claimants were granted permission to serve a ‘representative action’ – which amounts to an “opt out” class action – on Google in the U.S.  Under the representative action regime, individuals who meet the eligibility criteria are automatically brought into the class of claimants unless they actively opt out.  There are no limits on how large the class can be.  As such, the pool of claimants may be very large for cases concerning allegations of widespread damage to individuals, all included in the class on the basis that they have suffered the same damage – namely a loss of control of their data.  Conversely, the Morrisons case was brought using a Group Litigation Order – effectively a form of “opt in” group action.  As a result, the number of claimants in this case was considerably fewer than the number of employees impacted by the data breach, and so the damages claim was more contained for the Defendant.

After the ruling in Lloyd (and if the decision is upheld on appeal), organizations should be mindful that, going forward, “opt out” class actions may become the new normal in data breach claims.  This could represent a significant risk, in particular, for businesses that process large amounts of personal data (whether of employees, customers or others) that could be exposed in a data breach caused by an employee’s action taken unintentionally and in furtherance of their employment.  To assist in mitigating the effect of such claims, businesses should therefore consider checking that they are adequately covered by insurance policies – in particular, general liability and/or cyber risk insurance policies.

Mark Young

Mark Young, an experienced tech regulatory lawyer, advises major global companies on their most challenging data privacy compliance matters and investigations.

Mark also leads on EMEA cybersecurity matters at the firm. He advises on evolving cyber-related regulations, and helps clients respond to incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, and state-sponsored attacks.

Mark has been recognized in Chambers UK for several years as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” and having “great insight into the regulators.”

Drawing on over 15 years of experience advising global companies on a variety of tech regulatory matters, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology (e.g., AI, biometric data, Internet-enabled devices, etc.).
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • GDPR and international data privacy compliance for life sciences companies in relation to:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance.
  • Cybersecurity issues, including:
    • best practices to protect business-critical information and comply with national and sector-specific regulation;
    • preparing for and responding to cyber-based attacks and internal threats to networks and information, including training for board members;
    • supervising technical investigations; advising on PR, engagement with law enforcement and government agencies, notification obligations and other legal risks; and representing clients before regulators around the world; and
    • advising on emerging regulations, including during the legislative process.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
  • Providing strategic advice and advocacy on a range of EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.

Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.

Louise Freeman

Louise Freeman represents parties in complex commercial disputes, and co-chairs the firm’s Commercial Litigation and European Dispute Resolution Practice Groups.

Described by Legal 500 as “one of London’s most effective partners” and by Chambers as “a class act,” Louise helps clients to navigate challenging situations in a range of industries, including life sciences, technology and financial markets. Most of her cases involve multiple parties and jurisdictions, where her strategic, dynamic advice is invaluable.

Louise also represents parties in significant competition litigation proceedings, including a number of the leading cases in England.

Louise is a key member of our market-leading Privacy and Data Security Litigation team, which advises a broad range of international clients on data privacy-related litigation. She has recently represented a client in an intervention in an appeal in the leading UK case making new law in relation to both data privacy claims and class actions.

Fredericka Argent

Fredericka Argent advises emerging and leading companies on intellectual property and data protection issues, including copyright, trademarks, e-commerce and piracy.  She has experience advising companies in the technology, pharmaceutical, luxury brands and media sectors.  Her practice encompasses regulatory compliance and advisory work.  She regularly provides strategic advice to global companies on complying with data protection laws in Europe.  Ms. Argent has experience conducting IP enforcement.  She represents rights owners, including in the publishing and fashion industries, and helps coordinate an in-house internet investigations team that conducts global monitoring, reporting, notice and takedown programs to combat Internet piracy.