The UK Supreme Court has confirmed that employers are not liable for the actions of their rogue employees. It overturned the Court of Appeal (CoA) decision in Morrisons that employers can be vicariously liable for an employee’s misuse of personal data that was previously under the employer’s control.
The case is the first use of a group litigation order for data breach claims. The case was referred for a hearing to determine the compensation payable to the affected employees (who had not suffered any financial loss). Under the EU General Data Protection Regulation (the GDPR) and UK Data Protection Act 2018 (the DPA 2018), individuals can claim compensation for data protection breaches without the need to prove they have suffered any financial loss.
The Supreme Court heard the appeal on 6 and 7 November 2019 against the landmark ruling in WM Morrison Supermarkets plc v Various Claimants (2017) (previously upheld by the Court of Appeal), in which an employer was held vicariously liable for a data breach caused by the actions of a rogue employee, even though the employer had in place appropriate data protection security measures to protect the personal data it controlled.
In this original case, more than 5,000 employees successfully brought a claim against their employer, Morrisons, for its breach of the UK’s old Data Protection Act 1998 (the DPA 1998), as well as damages for the tort of misuse of private information, after another disgruntled Morrisons employee, Mr. Andrew Skelton, disclosed copies of a payroll spreadsheet, including salary and other personal information relating to his 100,000 staff members, to certain newspapers. The employees claimed that their employer was liable for the actions of Mr. Skelton under the principle of vicarious liability.
Mr. Skelton, who is currently serving an eight-year prison sentence for his actions, had downloaded the data from his work computer onto a USB stick before using his personal computer to publish the information. Prior to doing so, Mr. Skelton had carried out internet searches for guidance on how to conceal his identity using software known as The Onion Router on the dark web.
In hearing the appeal, the Supreme Court considered three main issues:
Since the High Court’s decision, the UK has repealed and replaced the DPA 1998 with the GDPR and the DPA 2018. The data security obligations under the DPA 1998 remain substantively the same under the GDPR and the DPA 2018 and the principle of vicarious liability is also unaffected by the changes in the data privacy laws. Therefore, the Supreme Court’s decision is still relevant to data controllers and employers.
The Supreme Court decided that employers are vicariously liable for the actions of their employees where there is “an unbroken sequence of events” or a “seamless episode” relating to the capacity in which an employee was acting when the wrongful conduct took place. It decided that Mr. Skelton’s disclosure of the payroll data on the internet and subsequently to news outlets was not within his “field of activities”. He was, instead, on a “frolic of his own” and his activities exceed the limits for which his employer was liable.
Employers are still at risk of significant damage from rogue employees. This case, although helpful for employers to clarify the limits of their liability for employees, does reiterate the need to implement policies and procedures to reduce risks that employees can commit damage misusing its data, whether personal data or commercial data. Employers should consider implementing strategies to supplement their existing data protection procedures, including
The Morrisons case is the first instance of a group litigation order being used in a data breach case. This has been followed by the group litigation against British Airways, following the 2018 data breach, and most recently in the litigation against Google by Richard Lloyd (which has been brought as a representative (a form of “opt-out litigation” common in the US action).
In the Lloyd case, the claimant, Mr. Lloyd, was successful in his application to bring a representative case against a US entity. We expect the proposed Directive on Representative Actions to be finalised by the European Commission next year. This could further increase the use of class/collective actions for data breaches across Europe.
Increases in the use of class/collective actions in the context of data breaches would follow an increase in such actions in other areas of dispute. For example, the use of class/collective actions is already commonplace in competition law, personal injury, and pensions disputes. Further, with the development of securities litigation in the United Kingdom (see, for example, the ongoing Tesco dispute), together with the ever-increasing prevalence of litigation funding, it would seem likely that class/collective actions will become a growing part of the legal landscape in the United Kingdom.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
 Read our LawFlashes on the earlier decisions: UK High Court: Employers May Be Vicariously Liable for Employee Data Breaches and UK Court of Appeal: Employers Are Liable for Employee Data Breaches.