On 1 April 2020, the UK Supreme Court handed down its ruling in WM Morrison Supermarkets plc v Various Claimants [2020] UKSC 12.  The Court ruled that Morrisons was not vicariously liable for a data breach deliberately perpetrated by an employee.  The judgment is significant in that it overturned the decisions of the two lower courts (the High Court and the Court of Appeal) and provides guidance for employers on when they may be held vicariously liable for data breaches and other violations of data protection law (including the GDPR) committed by employees who act as independent controllers in their own right.

Facts

Mr Skelton, a senior auditor employed by Morrisons, was entrusted, during his employment, with providing payroll data of Morrisons employees to KPMG, which was performing an audit.  After supplying the relevant data to KPMG, Mr Skelton, in a deliberate attempt to harm his employer, copied the payroll records of approximately 100,000 Morrisons employees onto a USB stick.  He subsequently uploaded the contents of the USB stick to a public file-sharing website before posting the link to the data file on other websites, thus triggering a personal data breach.

A group of existing and former Morrisons employees impacted by the breach later filed a series of claims against Morrisons, alleging breach of section 4(4) of the Data Protection Act 1998 (“DPA 1998”), misuse of private information, and breach of confidence.  (Note that Mr Skelton was also separately prosecuted and found to have breached the DPA 1998 as a data controller of the personal data that he stole from Morrisons.)  The claims were brought on the basis that Morrisons should be held vicariously liable for the acts committed by Mr Skelton.  They were grouped together into a Group Litigation Order, so that they were case managed collectively, and tried based on test cases.

Decision of the lower courts

As we previously reported, the High Court found that although Morrisons could not be held primarily liable, as it was not directly responsible for the breach, the supermarket was vicariously liable for Mr Skelton’s wrongdoing.  The judge held that there was “sufficient connection between the position in which Skelton was employed and his wrongful conduct, put into the position of handling and disclosing the data as he was by Morrisons (albeit it was meant to be to KPMG alone), to make it right for Morrisons to be held liable ‘under the principle of social justice…’.”  The High Court rejected Morrisons’ argument that the DPA 1998 excluded the possibility of a finding of vicarious liability.

Morrisons appealed the decision to the Court of Appeal, but the appeal was dismissed.  The Court of Appeal found that the data breach committed by Mr Skelton occurred “within the field of activities assigned to him by Morrisons” and that his activities constituted “a seamless and continuous sequence” or “unbroken chain of events.”  In reaching their conclusions, the High Court and Court of Appeal relied heavily on an interpretation of the rules for vicarious liability set out in an earlier decision of the UK Supreme Court, Mohamud v WM Morrison Supermarkets plc [2016] UKSC 11 (“Mohamud”).

Decision of the UK Supreme Court

The Supreme Court confirmed, in clear terms, that the lower courts’ judgments were wrong.  The Court focused on two questions: (1) Was Morrisons vicariously liable for Skelton’s conduct?  And (2) if vicarious liability would otherwise arise, does the DPA 1998 exclude its imposition for torts committed by an employee data controller?

  • Was Morrisons vicariously liable for Skelton’s conduct?

The UK Supreme Court disagreed with the lower courts’ interpretation of the test for establishing vicarious liability, per the decision in Mohamud.  The Court, instead, looked to an older House of Lords judgment, Dubai Aluminium Co Ltd v Salaam [2002] UKHL 48 (“Dubai Aluminium”), in order to consider the test “afresh”.

Under Dubai Aluminium, when assessing whether vicarious liability arises out of an employment relationship, a court must decide “whether the wrongful conduct was so closely connected with acts the employee was authorised to do that, for the purposes of the liability of his employer, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment.”  The Court deemed this to be an “authoritative” statement of the law, as subsequently applied in Mohamud.

The Supreme Court went on to note, contrary to the opinion of the lower courts, that the employee’s motives are highly material when assessing whether the wrongful conduct undertaken by the employee is “closely connected” to the activities that he or she was authorized to do by the employer.  Specifically, a distinction must be drawn between (1) an employee who is engaged, however misguidedly, in furthering his or her employer’s business; and (2) an employee who is engaged solely in pursuing his or her own personal interests (i.e., acting “in the course of an independent venture of his own” or “going on a frolic of his own”).

On the facts at hand, the Court found that Morrisons should not be held vicariously liable for Mr Skelton’s breaches of data protection law.  This was on the basis that it was “abundantly clear that Skelton was not engaged in furthering his employer’s business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta…”  Applying the test in Dubai Aluminium, the Court concluded that “Skelton’s wrongful conduct was not so closely connected with acts which he was authorised to do that, for the purposes of Morrisons’ liability to third parties, it can fairly and properly be regarded as done by him while acting in the ordinary course of his employment.”

  • Does the DPA 1998 exclude the imposition of vicarious liability for torts committed by an employee data controller?

Although the Supreme Court was not required to decide this point, it nonetheless expressed its view that the DPA 1998 does not exclude the imposition of vicarious liability on an employer for torts committed by an employee – regardless of whether the tort concerns a breach of the DPA 1998, misuse of private information and / or breach of confidence.  In expressing this view, the Supreme Court indicated that an employer could be found strictly vicariously liable for an employee’s conduct, even if the employer was not itself at fault.

Significance

Overall, this case will give some comfort to employers.  The Supreme Court stated clearly that an employer cannot be held vicariously liable for the actions of an employee who commits an illegal act in pursuance of their own independent venture, where that act is not closely connected with the activities they are authorized to undertake on behalf of their employer.

On the other hand, it seems that an employer can continue to be held vicariously liable for the wrongful conduct of an employee, where (1) the employee acts as an independent controller, and (2) the unlawful conduct is “closely connected” with acts that the employee in question is authorized to undertake.  An example of this could be where an employee accidentally triggers a data breach while performing duties for his / her employer – incidents that are not uncommon for businesses across all industries.

The significance of this case should also be considered alongside the Court of Appeal’s judgment in another data protection-related claim, Richard Lloyd v Google LLC [2019] EWCA Civ 1599 (“Lloyd”) (see our summary of that decision here).  In that case – currently on appeal to the UK Supreme Court – the claimant was granted permission to serve a ‘representative action’ – which amounts to an “opt out” class action – on Google in the U.S.  Under the representative action regime, individuals who meet the eligibility criteria are automatically brought into the class of claimants unless they actively opt out.  There are no limits on how large the class can be.  As such, the pool of claimants may be very large for cases concerning allegations of widespread damage to individuals, all included in the class on the basis that they have suffered the same damage – namely a loss of control of their data.  Conversely, the Morrisons case was brought using a Group Litigation Order – effectively a form of “opt in” group action.  As a result, the number of claimants in this case was considerably smaller than the number of employees impacted by the data breach, and so the damages claim was more contained for the Defendant.

After the ruling in Lloyd (and if the decision is upheld on appeal), organizations should be mindful that, going forward, “opt out” class actions may become the new normal in data breach claims.  This could represent a significant risk, in particular, for businesses that process large amounts of personal data (whether of employees, customers or others) that could be exposed in a data breach caused by an employee’s action taken unintentionally and in furtherance of their employment.  To assist in mitigating the effect of such claims, businesses should therefore consider checking that they are adequately covered by insurance policies – in particular, general liability and/or cyber risk insurance policies.