A recent Court of Appeal decision shows the growing robustness of data protection law
Data breaches used to carry relatively few consequences for companies; in particular, the risk of facing a class action seemed small. Such presumptions are fast losing their validity, if they ever had any. Morrisons has experienced this in recent litigation brought against it over a data breach affecting thousands of its employees. The significance of the case is hardly disputable: many UK companies will be keeping a keen eye on it to see where they stand in a world in which data protection has become such a high priority. In essence, the Morrisons case encapsulates the higher standards imposed on employers, combined with the increasingly bold enforcement of individual rights.
The case concerns Mr Skelton, a senior IT internal auditor at Morrisons Supermarkets plc. Before the incident which gave rise to the proceedings, Skelton had been given a disciplinary warning by the company for using its postal facilities for his own personal purposes. Annoyed at the warning, Skelton sought revenge. He obtained a copy of the payroll data which the company’s external auditor, KPMG, had requested in order to conduct its annual audit.
After copying the data onto a USB memory stick, Skelton posted it on a file-sharing website from his home computer. As a result, information concerning nearly 100,000 of the company’s employees, including bank details, was disclosed online. Skelton then informed local newspapers of the leak, claiming to be one of the affected employees. The story was never published, but the newspapers made Morrisons aware of the incident. The company alerted the police and had the data taken down from the site.
Skelton was arrested and charged with various offences, including the offence under section 55 of the Data Protection Act 1998 (DPA), which prohibits a person from obtaining or disclosing personal data without the consent of the data controller. Separately, a large group of employees, 5,518 in total, brought a civil action against Morrisons for damages.
Their claim was twofold. First, they argued that the company was primarily liable for the incident, having breached section 4(4) of the 1998 Act. In the alternative, they argued that Morrisons was vicariously liable for Skelton’s wrongful conduct. The High Court rejected the first claim but accepted the second, holding that the DPA did not prevent the claimants from bringing an action based on vicarious liability.
Morrisons appealed to the Court of Appeal, which gave judgment in October 2018. The company advanced three grounds of appeal. First, that the DPA excluded the application of vicarious liability. Second, that the Act also excluded the causes of action for misuse of private information and breach of confidence, and with them vicarious liability for such breaches. Third, that even if the Act did permit vicarious liability, its requisite elements had not been satisfied.
The Court of Appeal dismissed all three grounds and held that Morrisons was vicariously liable for Skelton’s conduct. On the first and second grounds, the Court found that the Act did not exclude, expressly or impliedly, either vicarious liability or the causes of action at issue.
It reached this conclusion for three reasons. First, if Parliament had intended to exclude such causes of action under the Act, it would have done so expressly.¹ Second, Morrisons’ position that the Act did not impliedly exclude the tort of misuse of private information or the action for breach of confidence, but did impliedly exclude vicarious liability for them, was ‘a difficult line to tread’.² Such an exclusion, in the Court’s view, would be inconsistent with one of the principal aims of the Act: ‘the protection of privacy and the provision of an effective remedy for its infringement (including by an employee of limited means), rather than their curtailment’.³
Third, the Court found that the Act did not address the liability of an employer which was not the data controller for breaches of the statute by an employee who was. The Court noted that, in respect of the disclosure, it was Skelton rather than Morrisons who was the data controller: he had been entrusted with passing the payroll information from the HR department to KPMG, and it was the role he took on in doing so that made him a data controller for the purposes of the Act. Where the employee is the data controller, the Act itself says nothing ‘about the liability of someone else for wrongful processing by the data controller’.⁴ Parliament had therefore ‘not entered that field at all’.⁵
On the third ground of appeal, the Court held that the requisite elements for finding the company vicariously liable for Skelton’s misconduct were satisfied. The test has two stages, as set out in Mohamud v Wm Morrison Supermarkets plc (2016). It must first be established what ‘fields of activities’ had been entrusted by the employer to the employee.⁶ Once those fields of activities have been identified, it must then be determined whether there was a sufficient connection between the employee’s position and his wrongful conduct ‘to make it right for the employer to be held liable’.⁷
The Court considered it clear that Skelton had been entrusted with dealing with the payroll data in question, so the first stage was satisfied. The more contentious question was whether there was a sufficient connection between Skelton’s position and his wrongful conduct. Morrisons argued that, since Skelton uploaded the data from his own home using his own computer, the necessary close connection was absent.
The Court thought otherwise. It noted that there were numerous earlier cases in which an employer had been held vicariously liable for wrongs committed away from the workplace. By obtaining a copy of the employee data, taking it home and sending it to a third party, Skelton was acting within the fields of activity entrusted to him; these acts constituted ‘a seamless and continuous sequence or unbroken chain of events’.⁸ The Court was therefore satisfied that the elements of vicarious liability were made out, and found Morrisons liable for the data breach committed by Skelton. It remains to be seen whether Morrisons will take the case to the Supreme Court.
Opening the Floodgates
There are two notable takeaways from this case. The first concerns what is expected of companies in meeting their data protection obligations. The essence of Morrisons’ argument was that the DPA was not meant to impose disproportionate burdens on employers. The Court was clearly not sympathetic to this view: it sided instead with the proposition that a company can be liable for a data breach even if it had itself taken the necessary measures to comply with the legislation.
Such liability is strict: on the Court’s reasoning, the question is not whether the company itself complied with the legislative requirements, but whether it entrusted one of its employees with a role which involved complying with data protection rules. In effect, Morrisons took on the risk that such an employee would not comply with those rules, and with it the liability the company would face should that non-compliance materialise.
Nevertheless, the ruling does appear particularly harsh. Because no fault is required on the part of the employer for it to be vicariously liable for the wrongs of one of its employees, it is very difficult for employers to limit their potential liability. It is unclear from the ruling whether Morrisons could have avoided liability had it instructed Skelton to act in a way which did not contravene the DPA, given the nature of his role in the company.
Instead, the Court seems to have implied that the company should take responsibility for the irresponsible, even where the company itself is the intended victim of that irresponsibility. The range of breaches for which a company could be held liable could thus be very broad.
Leading on from this, another notable aspect of the case is the Court’s suggested means of coping with data breaches caused by rogue, or even negligent, employees: insurance. The Court observed that companies would be wise to ‘insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees’.⁹
Two things could be said about this. One is that such insurance would still likely be expensive for employers, since insurers may take into account the increasing frequency of data breaches generally and impose policy limits. Also, as Miriam Everett and other lawyers at Herbert Smith Freehills LLP have pointed out, UK cyber insurance is still in its infancy: ‘It therefore remains to be seen how the market will react to this enhanced exposure and whether insurance will be an effective tool to offset the increased risks that organisations now face’.
Furthermore, large class actions of this kind may be facilitated by the GDPR. Article 82 of the Regulation gives individuals the right to compensation for both material and non-material damage, such as distress. With many large-scale data breaches taking place in the UK, it will be interesting to see whether the Morrisons case is the first of many.
Morrison Supermarkets plc v Various Claimants [2018] EWCA Civ 2239, .
Ibid, .
Ibid, .
Mohamud v Wm Morrison Supermarkets plc [2016] UKSC 11, .
Ibid, .
Morrison Supermarkets plc v Various Claimants [2017] EWHC 3113 (QB), .
Morrison (n 1), .