20 April, 2020

Off the Hook - UK Supreme Court Considers Companies' Vicarious Liability for Data Breaches by Employees

Since the introduction of the General Data Protection Regulation, data breaches and their consequences have been a huge topic in Europe and abroad, with the GDPR imposing tremendous fines for breaches if they occur. Needless to say, many companies have taken note of the courts dealing with these issues, and one case, in particular, has rattled many cases in its journey through the UK Courts; the Morrisons case. Disgruntled workers can cause huge damage to a company, its reputation and its customers, which can include the sharing of sensitive information, but the case has led to the question of whether a company can be vicariously liable for the breaches of their disgruntled workers, in particular in relation to data. To the delight of many, the Supreme Court has finally handed down its hotly anticipated decision in the Morrisons case at the beginning of April 2020.

The case of WM Morrison Supermarkets plc v Various Claimants concerned the grocery store chain Morrisons in the UK, and a former employee of the company, Andrew Skelton. During his tenure with the company, Mr Skelton was a senior in-house auditor, who had access to employee information for auditing purposes. After a disciplinary action against him, Mr Skelton copied information relating to around 98,000 employees from Morrisons internal systems and shared the data on a file-sharing website (subsequently also sending the data to three newspapers as an anonymous third party). Morrisons took action to remove the data from the website, and Morrisons was then sued by the Respondents (a collective of various employees) alleging vicarious liability for Mr Skelton's actions and the data breach. After several years of litigation via the High Court and Court of Appeal (with Morrisons losing at every stage), the matter finally landed on the desk of the Supreme Court for final determination.

Lord Reed, handing down the judgment of the unanimous court, initially considered the long appellate history of the matter and the findings of the lower courts. Lord Reed considered that the lower courts had misunderstood the principles governing vicarious liability, and saw that the matter would have to be considered entirely afresh by the Supreme Court.

The first matter was to consider the matter under the test set out in Dubai Aluminium, which required the court to consider whether "...the disclosure of the data was so closely connected with acts [Mr Skelton] was authorised to do that, for the purposes of the liability of his employer to third parties, his wrongful disclosure may fairly and properly be regarded as done by him while acting in the ordinary course of his employment". Indeed Mr Skelton was authorised to collate and transmit the data as a part of his function as an internal auditor. However, the question of whether the wrongful disclosure was so closely connected with that authorisation that it would render Morrisons liable for it.

Morrisons GC pictured before the judgment hearing
Following an exhaustive consideration of related case law, Lord Reed noted that mere employment giving Mr Skelton the opportunity to commit the act would not be sufficient to make Morrisons liable for the act. Even though, as set out by the lower courts, the acts were closely linked to what Mr Skelton was tasked to do (including their transmission), the acts were an independent personal venture of Mr Skelton's.

As set in Dubai Aluminium, for the employee's acts to cause vicarious liability through their acts, misguidedly or not, they would need to be done "...in furthering his employer's business". Clearly, he was not engaged in furthering his employer’s business when he committed the wrongdoing, as he was merely pursuing a personal vendetta against Morrisons, and the wrongdoing, therefore "...was not so closely connected with acts which he was authorised to do that, for the purposes of Morrisons’ liability to third parties, it can fairly and properly be regarded as done by him while acting in the ordinary course of his employment".

The Court then moved onto consider whether the Data Protection Act 1998 excludes vicarious liability for the torts caused by an employee.

As a starting point, DPA does not exclude vicarious liability either for a breach of the duties imposed by the DPA itself or for a breach of common law or equitable obligations. Although argued by Morrisons, the Court did not see that the DPA excluded employers vicarious liability impliedly (specifically under s. 13). In short, the Court concluded that "...the DPA neither expressly nor impliedly indicates otherwise, the principle of vicarious liability applies to the breach of the obligations which it imposes, and to the breach of obligations arising at common law or in equity, committed by an employee who is a data controller in the course of his employment".

The Court ultimately decided that Morrisons could not be held responsible for Mr Skelton's actions and allowed their appeal.

The case is a huge win for employers, particularly considering the appellate history and Morrisons' consecutive losses, and sets an important precedent even in the light of the GDPR which has taken over from the DPA. The position would most likely be the same under GDPR, so employers liability should not be excluded. Employers should therefore be extra careful to avoid any data breaches by employees during the course of their employment, and take any measures possible to avoid issues like that, especially considering the humongous fines that the ICO can impose under the GDPR.

No comments:

Post a Comment

All comments will be moderated before publication. Any messages that contain, among other things, irrelevant content, advertising, spam, or are otherwise against good taste, will not be published.

Please keep all messages to the topic and as relevant as possible.

Should your message have been removed in error or you would want to complain about a removal, please email any complaints to jani.ihalainen(at)gmail.com.