In a significant decision, the Supreme Court unanimously held that Morrisons, the U.K. supermarket chain, was not vicariously liable for an employee’s significant data breach, reversing the Court of Appeal’s previous decision. The Supreme Court decision brings an end to the much-discussed saga of the Morrisons data breach and is welcome news for employer data controllers.

Factual Background

In 2013, a Morrisons employee and senior internal auditor, Mr. Skelton, secretly copied a payroll file containing the personal data of some 100,000 employees, which he uploaded to an online file-sharing website and shared with three newspapers. Mr. Skelton had been given access to this data by Morrisons for the purposes of providing the data to external auditors for statutory auditing purposes. Mr. Skelton’s disclosures were motivated by a personal vendetta against Morrisons after he was subjected to a disciplinary process.

Mr. Skelton was prosecuted and sentenced to eight years in prison for offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (DPA 1998).

Upon discovering the misuse, Morrisons took immediate steps to protect the affected employees from potential loss (spending over £2 million). However, many of the affected employees brought a data protection class action against Morrisons on the basis that a) Morrisons was directly liable under the DPA 1998 for Mr. Skelton’s disclosure of the data; or in the alternative, b) Morrisons was liable under common law principles of vicarious liability.

Lower Court Judgments

The High Court dismissed the claim for primary liability but upheld the claim for vicarious liability on the basis that Mr. Skelton’s actions had taken place during the course of employment. It also dismissed Morrisons’ argument that vicarious liability did not apply to the DPA 1998. The Court of Appeal subsequently dismissed Morrisons’ appeal against those findings. For more information, please read our previous article on the High Court decision.

Supreme Court Ruling — Employment Law

The Court held that Morrisons was not vicariously liable for the actions of Mr. Skelton. The crux of this ruling is that Mr. Skelton was not acting in the ordinary course of his employment when he covertly copied and subsequently disseminated the payroll information, and so Morrisons could not be said to be vicariously liable.

For a finding of vicarious liability to be found in this instance, Mr. Skelton’s conduct would need to be “fairly and properly” regarded as done in the “ordinary course” of his employment and be “closely connected” to acts he was authorised to do by Morrisons as part of his role. The Supreme Court found that the lower courts’ interpretation of the “field of activities” that Mr. Skelton was authorised by Morrisons to carry out was too wide. The Supreme Court held that Mr. Skelton’s online disclosure of the payroll data for his own nefarious purposes could not be equated with the authorised act of disclosing the payroll data to the external auditors. Additionally, the Supreme Court found that the importance placed by both lower courts on the unbroken temporal or causal chain of events between the various events in question was incorrect. The Supreme Court instead held that “although there was a close temporal link and an unbroken chain of causation linking the provision of the data to Skelton for the purpose of transmitting it to [external auditors] KPMG and his disclosing it on the internet, a temporal or causal connection does not in itself satisfy the close connection test.”

In relation to Mr. Skelton’s motivations, the Supreme Court held that the lower courts’ findings that Mr. Skelton’s motive in the circumstances was irrelevant were incorrect. The Supreme Court held that whether Mr. Skelton was acting on his employer’s business or for purely personal reasons was in fact “highly material”.

This is a decision that will be welcomed by employer data controllers, as it reiterates the narrow scope in which vicarious liability will continue to operate and that employers will not automatically be responsible for the actions of rogue employees.

Supreme Court Ruling — Data Protection Law

Whilst the question of whether Morrisons was directly liable under the DPA 1998 was not subject to the appeal, the Supreme Court considered Morrisons’ argument that the provisions of the DPA 1998, in principle, exclude vicarious liability altogether.

Morrisons argued that, as a controller who itself had taken sufficient steps to protect the personal data of its employees, it could not be held directly liable under the DPA 1998 for actions that were taken by Mr. Skelton who, despite being an employee of Morrisons generally entrusted with the personal data, had become an independent controller. As Morrisons’ argument went, under such circumstances, imposing vicarious liability under common law would impose no-fault, strict liability on the employer, which contradicted that statutory provision of the DPA 1998 that controllers could only be liable where they failed to comply with their own obligations under the DPA 1998.

The Supreme Court rejected this argument, stressing that the statutory rules did not expressly exclude vicarious liability under common law for employers who are data controllers, not least since the DPA 1998 is “silent about the position of a data controller’s employer.” Therefore, at least in principle, the Supreme Court held that the concepts were not mutually exclusive. Potential statutory liabilities imposed on a data controller under the DPA 1998 are not inconsistent with the same employer data controller also being vicariously liable (on a no-fault basis) under common law.

As the Data Protection Act 2018 and General Data Protection Regulation (GDPR) are both largely based on the same principles as included in the DPA 1998, it seems that this judgment will be relevant going forward in data protection breaches committed by employees. Whilst leaving the door for vicarious liability open, the Supreme Court also provided some reassurance that normal principles of vicarious liability will narrow the application in the data protection context. In order to establish vicarious liability, what will be required is that the employee, at the point of the unlawful processing, is acting or purporting to act in relation to their employer’s business or is otherwise acting on the authority given to them by their employer.