Top of page ↑

Case report

UK Supreme Court, April 1, 2020
2020/21 Employer not liable for misuse of personal data by ‘rogue’ employee (UK)
The Supreme Court has allowed an appeal by one of the UK’s major supermarket chains, overturning a finding that it was vicariously liable for a rogue employee's deliberate disclosure of payroll data related to some 100,000 co-workers, of whom 10,000 brought a group claim for damages.

Summary

The Supreme Court has allowed an appeal by one of the UK’s major supermarket chains, overturning a finding that it was vicariously liable for a rogue employee's deliberate disclosure of payroll data related to some 100,000 co-workers, of whom 10,000 brought a group claim for damages.

Background

The UK common law principle of ‘vicarious liability’ makes employers indirectly liable for wrongful acts committed by their employees in the course of their employment. In recent years, case law has established a two-stage test for vicarious liability:

  • Did the employee’s actions fall within the ‘field of activities’ entrusted to them by the employer?
  • Was there sufficient connection between the position in which the individual was employed and their wrongful conduct to make it right for the employer to be held liable under the principle of social justice?

In the controversial case reported below, these principles fell to be applied in relation to a significant data breach committed by an employee which triggered a group action for damages against the company by thousands of his co-workers.

Facts

Mr Skelton was employed by Morrisons Supermarkets plc as an internal IT auditor. In 2013, after receiving a formal warning following a disciplinary hearing, he developed a grudge against his employer. He copied the payroll data of a large number of employees onto a USB stick and took it home. A few weeks later, just before Morrisons’ annual financial reports were announced, Mr Skelton uploaded the file containing those data onto a file-sharing website and sent it to three newspapers. He had sought to frame a colleague in an attempt to conceal his actions. Following an investigation, Mr Skelton was arrested, charged and convicted of criminal offences.

Many current and former co-workers whose data had been disclosed then brought a claim in the High Court (HC) against Morrisons for misuse of private information and breach of confidence, and for breach of its statutory duty under the UK’s Data Protection Act (DPA). The claimants – initially around 5,000 but the cohort increased as the case progressed through the appellate courts – argued that Morrisons was either primarily (i.e. directly) liable or vicariously (i.e. indirectly) liable for Mr Skelton’s actions.

Lower court decisions

The HC found that Morrisons had not directly misused or permitted the misuse of any personal information and therefore bore no primary liability. On the issue of vicarious liability, however, the HC concluded there was a sufficient connection between the position in which Mr Skelton was employed and his wrongful conduct to justify holding Morrisons vicariously liable. The HC rejected Morrisons’ argument that the DPA excluded the possibility of vicarious liability.

The Court of Appeal (CA) dismissed Morrisons’ appeal, ruling that the HC had been correct to hold that the DPA did not expressly or impliedly exclude the possibility of vicarious liability. As to whether such liability arose on the facts of this case, the CA said that Mr Skelton had been deliberately entrusted with the payroll data, and his wrongful acts in sending it to third parties were within the field of activities assigned to him.

The novel feature of this case, the CA noted, was that the wrongdoer’s motive was to harm his employer rather than to benefit himself or inflict injury on a third party. The CA concluded, however, that motive was irrelevant in these circumstances. It suggested that, if a finding of vicarious liability leads to multiple claims against the employer for potentially ruinous amounts, the solution was for the employer to insure against such an eventu

Supreme Court’s judgment

The Supreme Court (SC) reviewed the previous case law on vicarious liability and made several observations, including:

  • It was well established that there was a ‘close connection’ test for vicarious liability – was the wrongful conduct so closely connected with acts the employee was authorised to do that it might fairly and properly be regarded as done by the employee in the ordinary course of their employment?
  • In applying this overall test, the first question was what functions or ‘field of activities’ the employer had entrusted to the employee.
  • Next, the court must decide whether there was sufficient connection between the position in which the employee was employed and their wrongful conduct to make it right for the employer to be held liable under the principle of social justice.
  • The statement in one of the previous SC judgments on vicarious liability that ‘motive is irrelevant’ would be misleading if read in isolation and should not be taken out of the context of that particular case (Mohamud – v – WM Morrison Supermarkets plc [2016] UKSC 11).

In the present case, the SC concluded that the HC and the CA had misunderstood the principles governing vicarious liability in various ways. Looking at the question afresh, the SC said it was clear that no vicarious liability arose for the following main reasons:

  • Mr Skelton was authorised to transmit the payroll data to the auditors and his wrongful online disclosure of the data was not part of his ‘field of activities’. It was not so closely connected with the authorised tasks that it could fairly and properly be regarded as made while acting in the ordinary course of his employment.
  • A temporal or causal connection was not enough to satisfy the close connection test and it was highly material whether Mr Skelton was acting on Morrisons’ business or for purely personal reasons.
  • The fact that Mr Skelton’s employment gave him the opportunity to commit the wrongful act was not sufficient to impose vicarious liability on Morrisons. It was abundantly clear that he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings against him, rather than engaging in furthering his employer’s business.

Finally, the SC dealt with the issue of whether the DPA excluded imposing vicarious liability for either statutory or common law wrongs (even though this was not necessary in light of the conclusion that Morrisons was not liable on the facts). Agreeing with the HC and the CA on this point, the SC said that there was nothing to prevent the imposition of vicarious liability in circumstances such as in this case.

Commentary

The SC’s judgment provides a welcome clarification of the test for vicarious liability. Broadly speaking, for an employer to be vicariously liable, there needs to be a sufficient connection between the position in which the employee was employed and their wrongful conduct. On the facts of this case, the SC has decided that Mr Skelton’s unlawful act was not part of his ‘field of activities’ in that it was not an act he was authorised to do. It was highly relevant that he was essentially pursuing a personal vendetta, as opposed to furthering Morrisons’ business, when he committed the unlawful act.

This is, on the whole, welcome news for UK business following understandable concerns about the enormous burden a finding of vicarious liability would place on innocent employers. The CA had characterised such worries as “Doomsday or Armageddon arguments” saying that the answer was to be properly insured. Nonetheless, this case is far from being the final word on data protection group claims, whether involving vicarious liability or more generally. While on the particular facts of this case the claim for vicarious liability failed, on a slightly different set of facts the outcome could well differ – vicarious liability claims are notoriously fact sensitive. That being so, in many ways this decision in fact paves the way for vicarious liability claims to be brought against employers in the future following a data breach, and on a group basis.

In any event, most data protection group claims are not concerned with vicarious liability at all. Instead, they focus on an organisation’s direct liability for alleged breaches. Direct liability was not an issue in the Morrisons case given the technical and administrative controls the supermarket had in place. These led to the HC’s finding that Morrisons had “adequate and appropriate controls” in relation to most of the matters where it was alleged it fell short of its security obligations under data protection law. Many organisations are unlikely to be in the same position when faced with the ‘insider threat’ of a disgruntled employee. Their controls may not be appropriate to the risk, such that they could be found directly liable for a security failure caused by a rogue individual.

Comments from other jurisdictions

Germany (Nina Stephan & Leif Born, Luther Rechtsanwaltsgesellschaft mbH): In Germany, the principle of ‘vicarious liability’ which makes employers liable for wrongful acts committed by their employees exists as well. It requires that

- there was an obligation between the injured party and the employer,

- the employer used the employee to fulfil his duties arising from the obligation and

- there is a sufficient connection between the activity of the employee to fulfil the employer’s duties and the wrongful conduct, committed by the employee.

In the question of whether there was a sufficient connection, German case law is rather generous. According to the case law, a sufficient connection is usually given if the responsible behavior is still associated with a specific risk of the delegated tasks. However, a sufficient connection will be denied if the activity of the employee merely served as an opportunity to commit the wrongful conduct. This means that only if the employee came into contact with the legal interests of the injured party purely by chance and thus acted like an external third party, the employers' liability could be ruled out. The motive of the employee, however, is not important. The motive of the employee is usually not important. Even in the case of deliberate damage or actions against explicit instructions of the employer, a liability of the employer towards third parties is not excluded.

Apart from the principle of ‘vicarious liability’, liability of the employer for misconduct of the employee can only be considered under tort law or Article 82 of the General Data Protection Regulation (2016/679/EU). The latter at least in the view of the Independent Data Protection Authorities of the Federal Government and the Federal States in Germany. According to them, the employer should also be liable for culpable violations of data protection committed by employees, unless it is an excess of the employee. This implies, however, that the employer can exculpate himself if he can prove that he is not in any way responsible for the event giving rise to the damage. This also applies for a possible liability under tort law.

Subject: Data Protection, Employer Liability

Parties: WM Morrison Supermarkets plc – v – Various Claimants

Court: Supreme Court

Date: 1 April 2020

Case number: [2020] UKSC 12

Internet publication: https://www.supremecourt.uk/cases/docs/uksc-2018-0213-judgment.pdf