On 1 April 2020, the UK Supreme Court handed down its ruling in WM Morrison Supermarkets plc v Various Claimants [2020] UKSC 12.  The Court ruled that Morrisons was not vicariously liable for a data breach deliberately perpetrated by an employee.  The judgment is significant in that it overturned the decisions of the two lower courts (the High Court and the Court of Appeal) and provides guidance for employers on when they may be held vicariously liable for data breaches and other data protection violations (under the DPA 1998 and, by extension, the GDPR) committed by employees who act as independent controllers in their own right.

Facts

Mr Skelton, a senior auditor employed by Morrisons, was tasked, in the course of his employment, with providing payroll data of Morrisons employees to KPMG, which was performing an audit.  After supplying the relevant data to KPMG, Mr Skelton, in a deliberate attempt to harm his employer, copied the payroll records of approximately 100,000 Morrisons employees onto a USB stick.  He subsequently uploaded the contents of the USB stick to a public file-sharing website and posted links to the data file on other websites, thereby causing a personal data breach.

A group of existing and former Morrisons employees impacted by the breach later filed a series of claims against Morrisons, alleging breach of section 4(4) of the Data Protection Act 1998 (“DPA 1998”), misuse of private information, and breach of confidence.  (Note that Mr Skelton was also separately prosecuted and found to have breached the DPA 1998 as a data controller of the personal data that he stole from Morrisons.)  The claims were brought on the basis that Morrisons should be held vicariously liable for the acts committed by Mr Skelton.  They were grouped together into a Group Litigation Order, so that they were case managed collectively, and tried based on test cases.

Decision of the lower courts

As we previously reported, the High Court found that although Morrisons could not be held primarily liable, as it was not directly responsible for the breach, the supermarket was vicariously liable for Mr Skelton’s wrongdoing.  The judge held that there was “sufficient connection between the position in which Skelton was employed and his wrongful conduct, put into the position of handling and disclosing the data as he was by Morrisons (albeit it was meant to be to KPMG alone), to make it right for Morrisons to be held liable ‘under the principle of social justice…’.”  The High Court rejected Morrisons’ argument that the DPA 1998 excluded the possibility of a finding of vicarious liability.

Morrisons appealed the decision to the Court of Appeal, but the appeal was dismissed.  The Court of Appeal found that the data breach committed by Mr Skelton occurred “within the field of activities assigned to him by Morrisons” and that his activities constituted “a seamless and continuous sequence” or “unbroken chain of events.”  In reaching their conclusions, the High Court and Court of Appeal relied heavily on an interpretation of the rules for vicarious liability set out in an earlier decision of the UK Supreme Court, Mohamud v WM Morrison Supermarkets plc [2016] UKSC 11 (“Mohamud”).

Decision of the UK Supreme Court

The Supreme Court confirmed, in clear terms, that the lower courts’ judgments were wrong.  The Court focused on two questions: (1) Was Morrisons vicariously liable for Skelton’s conduct?  And (2) if so, does the DPA 1998 exclude the imposition of vicarious liability for torts committed by an employee data controller?

  • Was Morrisons vicariously liable for Skelton’s conduct?

The UK Supreme Court disagreed with the lower courts’ reading of the test for establishing vicarious liability set out in Mohamud.  Rather than treating Mohamud as having changed the law, the Court returned to the earlier House of Lords judgment in Dubai Aluminium Co Ltd v Salaam [2002] UKHL 48 (“Dubai Aluminium”) in order to consider the test “afresh”.

Under Dubai Aluminium, when assessing whether vicarious liability arises out of an employment relationship, a court must decide “whether the wrongful conduct was so closely connected with acts the employee was authorised to do that, for the purposes of the liability of his employer, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment.”  The Court deemed this to be an “authoritative” statement of the law, as subsequently applied in Mohamud.

The Supreme Court went on to note, contrary to the opinion of the lower courts, that the employee’s motives are highly material when assessing whether the wrongful conduct undertaken by the employee is “closely connected” to the activities that he or she was authorized to do by the employer.  Specifically, a distinction must be drawn between (1) an employee who is engaged, however misguidedly, in furthering his or her employer’s business; and (2) an employee who is engaged solely in pursuing his or her own personal interests (i.e., acting “in the course of an independent venture of his own” or “going on a frolic of his own”).

On the facts at hand, the Court found that Morrisons should not be held vicariously liable for Mr Skelton’s breaches of data protection law.  This was on the basis that it was “abundantly clear that Skelton was not engaged in furthering his employer’s business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta…”  Applying the test in Dubai Aluminium, the Court concluded that “Skelton’s wrongful conduct was not so closely connected with acts which he was authorised to do that, for the purposes of Morrisons’ liability to third parties, it can fairly and properly be regarded as done by him while acting in the ordinary course of his employment.”

  • Does the DPA 1998 exclude the imposition of vicarious liability for torts committed by an employee data controller?

Although the Supreme Court was not required to decide this point, it nonetheless expressed its view that the DPA 1998 does not exclude the imposition of vicarious liability on an employer for torts committed by an employee – regardless of whether the tort concerns a breach of the DPA 1998, misuse of private information and / or breach of confidence.  In expressing this view, the Supreme Court indicated that an employer could be found strictly vicariously liable for an employee’s conduct, even if the employer was not itself at fault.

Significance

Overall, this case will give some comfort to employers.  The Supreme Court stated clearly that an employer cannot be held vicariously liable for the actions of an employee who commits a wrongful act in pursuit of their own independent venture, unrelated to the activities they are authorized to undertake on behalf of their employer.

On the other hand, an employer can continue to be held vicariously liable for the wrongful conduct of an employee where (1) the employee acts as an independent controller, and (2) the unlawful conduct is “closely connected” with acts that the employee is authorized to undertake.  An example could be an employee who accidentally causes a data breach while performing duties for his / her employer, an incident that is not uncommon for businesses across all industries.  In many such cases the employer, as the controller on whose behalf the employee was handling the data, will in any event face direct liability, so the practical effect of the ruling is to narrow exposure for deliberate, self-serving misconduct rather than for ordinary workplace error.

The significance of this case should also be considered alongside the Court of Appeal’s judgment in another data protection-related claim, Richard Lloyd v Google LLC [2019] EWCA Civ 1599 (“Lloyd”) (see our summary of that decision here).  In that case – currently on appeal to the UK Supreme Court – the representative claimant was granted permission to serve a ‘representative action’ – which amounts to an “opt out” class action – on Google in the U.S.  Under the representative action regime, individuals who meet the eligibility criteria are automatically brought into the class of claimants unless they actively opt out.  There are no limits on how large the class can be.  As such, the pool of claimants may be very large for cases concerning allegations of widespread damage to individuals, all included in the class on the basis that they have suffered the same damage – namely a loss of control of their data.  Conversely, the Morrisons case was brought using a Group Litigation Order – effectively a form of “opt in” group action.  As a result, the number of claimants was considerably smaller than the number of employees impacted by the data breach, and so the damages claim was more contained for the defendant.

After the ruling in Lloyd (and if the decision is upheld on appeal), organizations should be mindful that, going forward, “opt out” class actions may become the new normal in data breach claims.  This could represent a significant risk, in particular, for businesses that process large amounts of personal data (whether of employees, customers or others) that could be exposed in a data breach caused by an employee’s action taken unintentionally and in furtherance of their employment.  To assist in mitigating the effect of such claims, businesses should therefore consider checking that they are adequately covered by insurance policies – in particular, general liability and/or cyber risk insurance policies.

Mark Young

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. In these contexts, he has worked closely with some of the world’s leading technology and life sciences companies and other multinationals.

Mark has been recognized for several years in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” “provides thoughtful, strategic guidance and is a pleasure to work with;” and has “great insight into the regulators.” According to the most recent edition (2024), “He’s extremely technologically sophisticated and advises on true issues of first impression, particularly in the field of AI.”

Drawing on over 15 years of experience, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology, e.g., AI, biometric data, and connected devices.
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • Counseling ad networks (demand and supply side), retailers, and other adtech companies on data privacy compliance relating to programmatic advertising, and providing strategic advice on complaints and claims in a range of jurisdictions.
  • Advising life sciences companies on industry-specific data privacy issues, including:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • engagement with healthcare professionals and marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance (collecting data from employees and others, international transfers, etc.).
  • Advising various clients on the EU NIS2 Directive and UK NIS regulations and other cybersecurity-related regulations, particularly (i) cloud computing service providers, online marketplaces, social media networks, and other digital infrastructure and service providers, and (ii) medical device and pharma companies, and other manufacturers.
  • Helping a broad range of organizations prepare for and respond to cybersecurity incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, supply chain incidents, and state-sponsored attacks. Mark’s incident response expertise includes:
    • supervising technical investigations and providing updates to company boards and leaders;
    • advising on PR and related legal risks following an incident;
    • engaging with law enforcement and government agencies; and
    • advising on notification obligations and other legal risks, and representing clients before regulators around the world.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors.)
  • Providing strategic advice and advocacy on a range of UK and EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.
Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

Louise Freeman

Louise Freeman represents parties in complex commercial disputes and class actions, and co-chairs the firm’s Commercial Litigation and EMEA Dispute Resolution Practice Groups.

Described by Legal 500 as “one of London’s most effective partners,” Louise helps clients to navigate challenging situations in a range of industries, including technology, life sciences and financial markets. Most of her cases involve multiple parties and jurisdictions, where her strategic, dynamic advice is invaluable. Chambers notes “Louise is tactically and strategically brilliant and has phenomenal management skills on complex litigation,” she is “a class act.”

Louise also represents parties in significant competition law claims, including a number of the leading cases in England.

Louise is a “recognised name for complex class actions” (Legal 500), defending clients targeted in proposed opt-out and opt-in claims, as well as advising clients on multi-jurisdictional class action risks.

Richard Mattick

Richard Mattick advises and represents clients in connection with the resolution of disputes in a variety of fields, with particular emphasis on insurance and contractual disputes, as well as acting for clients in relation to export controls matters. Chambers Global (2021) notes “he is highly responsive, has a deep understanding of the UK insurance business and is always pleasant to work with.” In addition, clients describe Richard as a ”detailed and thoughtful lawyer.” Another said: “He’s really knowledgeable regarding insurance law and has a lot of experience” (Chambers UK 2021).

Richard has extensive experience of acting for policyholders in English Court proceedings and London arbitrations in the insurance coverage field, including handling the first two successful challenges to solvent schemes of arrangement. He also advises extensively on insurance issues, including advising on policy wordings, where he uses his extensive experience of litigating wordings.

He has handled significant litigation on a number of topics before the English courts, including contractual disputes and product liability cases, proceedings involving complex jurisdictional issues, intellectual property actions and proceedings against directors and shareholders. He has also handled administrative law proceedings in respect of regulatory issues.

Richard has represented clients in international arbitrations in London and elsewhere involving a variety of issues and in alternative dispute resolution procedures, where his accreditation as a mediator by CEDR has given him an additional insight into the process. He has also been active in international corporate investigations.

He is a Solicitor-Advocate (Higher Court Civil Proceedings) and a CEDR-Accredited Mediator. He speaks fluent French, Portuguese and German, having been educated for 9 years at a French school in Portugal, and having read German alongside French at university before switching to Law. Richard has a Diploma in Translation (“DipTrans”) from the Chartered Institute of Linguists, obtained in 2017.

Fredericka Argent

Fredericka Argent is a special counsel in Covington’s technology regulatory group in London. She advises leading multinationals on some of their most complex regulatory, policy and compliance-related issues, including data protection, copyright and the moderation of online content.

Fredericka regularly provides strategic advice to companies on complying with data protection laws in the UK and Europe, as well as defending organizations in cross-border, contentious investigations and regulatory enforcement in the UK and EU Member States. She advises global technology and software companies on EU copyright and database rights rules, including the implications of legislative developments on their business. She also counsels clients on a range of policy initiatives and legislation that affect the technology sector, such as the moderation of harmful or illegal content online, rules affecting the audiovisual media sector and EU accessibility laws.

Fredericka represents right owners in the publishing, software and life sciences industries on online IP enforcement matters, and helps coordinate an in-house internet investigations team who conduct global monitoring, reporting, notice and takedown programs to combat Internet piracy.