Background

The litigation arose out of a data breach that occurred when Andrew Skelton, a disgruntled employee whose job involved handling payroll data in Morrisons’ IT Audit department, posted the payroll data of 100,000 Morrisons employees online. Morrison was investigated by the UK’s Information Commissioner’s Office (the “ICO”) and the ICO made no adverse regulatory finding against Morrisons in connection with the personal data breach. Nonetheless 5,500 of the employees who had their personal data exposed elected to file a claim against Morrisons under a Group Litigation Order (“GLO”), seeking to establish that the supermarket had a primary liability for failure to prevent the breach from occurring, as well as a secondary liability for the actions of its employee. The High Court found that Morrisons was not liable under the Data Protection Act 1998 and had no primary liability as the data controller. Instead, despite having received no adverse regulatory finding from the ICO, Morrisons was found to be liable for Skelton’s actions under the common law principle of vicarious liability, by which employers may be liable for the actions of their employees. Morrisons was therefore required to compensate the victims of the data breach. This decision was considered by many to be controversial and out of kilter with both the ICO’s findings and established English law principles because the wrongdoing was conducted out of working hours, in Skelton’s own home and using his own equipment. However, the High Court decision was subsequently upheld by the Court of Appeal leaving Morrisons to appeal to the Supreme Court.

The Supreme Court’s decision

The Supreme Court ruled that, on these particular facts, Morrisons could not be held vicariously liable for the actions of a rogue employee who was actively trying to damage his employer. The court held that the High Court and the Court of Appeal had misunderstood the principles governing vicarious liability and that Skelton was clearly “pursuing his own interests: on a ‘frolic of his own’, in the language of the time-honoured catch phrase”.

However, and perhaps of greater significance, was the second limb of the argument advanced by Morrisons in respect of the relationship between vicarious liability and the Data Protection Act 1998. Morrisons argued that Data Protection Act 1998 (the “Act”) prevented the doctrine of vicarious liability from claims arising under the Act. The court expressed the view that there is nothing in the Data Protection Act 1998 (and by extension the Data Protection 2018) that generally precludes a data controller being vicariously liable for the actions of an employee who is also considered a data controller.

Lord Reed (giving the only judgment with all other judges agreeing) stated that:

“since the [Data Protection Act 1998] neither expressly nor impliedly indicates otherwise, the principle of vicarious liability applies to the breach of the obligations which it imposes, and to the breach of obligations arising at common law or in equity, committed by an employee who is a data controller in the course of his employment”.

Practical implications

Although this ruling is extremely beneficial to Morrisons, it is very important to understand the unique facts of this case, and organisations that have suffered personal data breaches should be cautious of taking any real comfort in the decision. Morrisons had been subject to an investigation by the ICO, which concluded that Morrison should not face any regulatory sanction. In many personal data breaches this will not be the case and the ICO or another data protection regulatory authority may have concluded that there had been some failure of security controls, technical and organisational measures or training on the part of the company leading to a negative regulatory finding and liability on the part of the data controller. Had this been the case here, the arguments over vicarious liability would not have been required and data subjects would have had a direct right of action against Morrisons. As such, cases where organisation can rely on the decision in the Morrisons case to challenge a group or class action are likely to be rare.

This decision is also unusual as the ruling leaves the 100,000 Morrisons’ employees with no redress (any attempts to sue Skelton himself would be fruitless) a fact that was front of mind at the High Court and Court of Appeal stages. The courts will be unwilling, in most situations, to allow for this unsatisfactory outcome. Disclosures of personal data by rogue employees are rare but, unless organisations can demonstrate they took all reasonable steps to prevent them, they will be held primarily liable. This highlights the importance of making strong and robust challenges during the regulatory investigation stage of any personal data breach.

Finally, it is clear from this case that large-scale, multi-claimant actions in the wake of personal data breaches are here to stay and that claimants will continue to try creative legal arguments to establish liability that may resonate with the courts. This case reaffirms the fact that GLOs are suitable vehicles for privacy- and data breach-related cases. In situations where a representative action (such as that used in Google v Lloyd) are either inappropriate or the requirements of CPR 19.6[1] cannot be demonstrated, this provides claimants and lawyers with another potential route to court. Given the magnitude of the potential damages at stake, it should be assumed that any regulatory investigation concerning a personal data breach (even where there is no finding of fault against the company) will likely result in group actions seeking financial redress and unfortunately, this case while helpful to Morrisons, will not assist companies facing direct claims as opposed to claims based on vicarious liability.

[1] The Civil Procedure Rules (“CPR”) are the rules that govern civil claims in the courts of England and Wales.