The UK Supreme Court has confirmed that permission has been granted to Morrisons for it to appeal against the judgment of the Court of Appeal in Morrison Supermarkets PLC v Various Claimants  EWCA Civ 2338.
Permission to appeal
We reported previously that on 1 December 2017, the High Court in London concluded, as a matter of English law, that a company can be held vicariously liable in respect of data breaches caused by its employees. The claim, brought in data protection, misuse of private information and breach of confidence, related to the disclosure of payroll data which was stolen and then leaked online by a then employee of Morrisons. Mr. Justice Langstaff held that although Morrisons was not directly liable, the company was vicariously liable under each cause of action for the actions of the employee.
Morrisons subsequently appealed the judgment on three grounds. First, it argued that the Data Protection Act 1998, by implication, excluded vicariously liability and as a consequence, vicarious liability for misuse of private information and breach of confidence with regards to the processing of personal information, should also be excluded. Morrisons further claimed that the trial judge had incorrectly concluded that the wrongful acts of Morrisons’ employee occurred during the course of employment.
On 22 October 2018, we then reported that in a unanimous judgement of the Court of Appeal, the Master of the Rolls, Lord Justice Bean and Lord Justice Flaux dismissed all three of Morrisons’ arguments and affirmed the High Court’s decision in favour of the claimants. The Court of Appeal refused permission to appeal, leaving Morrisons open to contest this by application to the Supreme Court. Morrisons subsequently applied to the Supreme Court for permission to appeal the judgement and this permission was granted on 15 April 2019.
The effect of the High Court and Court of Appeal judgments is that a company can in principle be held liable to compensate affected data subjects for loss – including non-pecuniary loss such as distress – caused by a data breach. This may be the case even when the company has taken preventative measures and no wrongdoing has been committed by the company itself.
Whether this position will survive the appeal to the Supreme Court remains to be seen. The appeal will no doubt be monitored closely due to the significant impact the decision will have on future claims brought in the data breach context.