It is safe to say good news for employers at the moment is in short supply. However, last week the UK Supreme Court issued its landmark judgement in the Morrisons supermarket case. The Supreme Court’s decision overturns the decision of the Court of Appeal (WM Morrisons Supermarket PLC v Various Claimants  EWCA Civ 2339).
It is a long-standing principle that employers can be held liable for the acts of their employees; this includes employees’ actions in relation to data protection issues. The Court of Appeal had in the Morrisons case confirmed that organisations can be vicariously liable for data breaches caused by employees (resulting from employee misconduct). This was the case even if the employer had implemented appropriate measures to meet its obligations in relation to data protection legislation, e.g. appropriate policies and procedures.
The Court of Appeal decision meant that employers could be exposed to a significant number of claims for compensation in relation to data breaches. The Court of Appeal decision laid the foundations for all future victims of data breaches to pursue the employer as vicariously liable for the actions of its employees.
However, the UK Supreme Court has quashed this line of potential liability.
Background and the Court of Appeal decision
In 2013 an employee of Morrisons, who was a Senior IT auditor, was subjected to disciplinary proceedings. This was a verbal warning for a minor misconduct issue.
This led to a souring of relations between the employee and Morrisons.
The employee proceeded to download payroll data for circa 100,000 Morrisons employees. The employee then uploaded this information to a public website.
The employee was convicted of offences under the UK Computer Misuse Act 1980 and the (pre-GDPR) Data Protection Act 1998. The employee was also given a custodial prison sentence for his actions.
The UK Information Commissioner investigated the incident and deemed that no action was necessary against Morrisons.
However, over 5,000 of the employees impacted by the breach sought compensation from Morrisons.
The employees claimed that Morrisons was both primarily liable for its own acts and omissions, and vicariously liable for the actions of the employee.
Primary liability for the data breach had already been rejected by the English High Court. This was on the basis that the employee had become a data controller in his own right when he downloaded the payroll data and decided to act without the authority of his employer. The employer had no primary responsibility as it had neither caused nor contributed to the disclosure which occurred.
However, the High Court thought Morrisons should be held vicariously liable for the actions of its employee. This was the question which was referred to the Court of Appeal.
The Court of Appeal agreed with the High Court and held Morrisons vicariously liable. The court viewed the employee’s actions as being connected to the employee’s employment with Morrisons, despite the fact the disclosure took place on the employee’s own computer and was outside of his working hours (on a Sunday).
The Supreme Court’s decision
The Supreme Court reversed the decision of the Court of Appeal and found Morrisons should not be held liable for the actions of the employee.
The Supreme Court confirmed that the appropriate test to establish vicarious liability is:
- if the actions in question were within the acts the employee was authorised to do. The court referred to this as in the employee’s “field of activities”; and
- if the wrongful conduct and the employee’s authorised acts were so closely connected that the wrongful conduct may fairly and properly be regarded as done whilst acting in the ordinary course of the employee’s employment.
In this case the employee publishing the payroll details was clearly not within his “field of activities”, i.e. he was not authorised to carry out the acts.
The court has made clear that a “temporal or causal” link alone will not be enough to satisfy the close connection test to hold the employer vicariously liable.
The fact that his employment gave him the opportunity to commit the wrongful act was not sufficient to warrant the imposition of vicarious liability.
Whether the employee is acting on the employer’s business or for personal reasons is indeed important for the purpose of establishing vicarious liability.
The decision will be welcome news to employers in light of two significant developments:
- The growth in claimant firms actively looking for opportunities to pursue claims on a collective basis on behalf of a large number of claimants; and
- The coming into force of the more stringent data protection legislation, which has raised the profile of data protection rights like never before and increased the sanctions for failing to comply with those obligations.