Judgment offers some comfort for data controllers, without eliminating the possibility of vicarious liability based on an employee’s actions.

By Ian Felstead and Calum Docherty

The UK Supreme Court (UKSC) has ruled that WM Morrisons Supermarkets plc (Morrisons) was not vicariously liable for the actions of a rogue employee who leaked the personal payroll data of 98,998 co-workers. The UKSC unanimously overturned a 2018 Court of Appeal judgment, and allowed Morrisons’ appeal against vicarious liability claims relating to breach of statutory duty under the Data Protection Act 1998 (DPA 1998), misuse of private information, and breach of confidence.

In its judgment, the UKSC found that Morrisons was not vicariously liable for the data breaches committed by its rogue employee, because the rogue employee’s “wrongful conduct was not so closely connected with acts which he was authorised to do”, but held that the DPA 1998 does not exclude the imposition of vicarious liability. It is uncertain whether the same interpretation applies under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

What happened?

Morrisons gave the employee access to its employee payroll data so that he could provide this information to an external auditor. The data included private information such as salary, bank account details, and national insurance numbers (the UK equivalent of US social security numbers). After providing the required information to the external auditor, the employee, who held a grudge against Morrisons due to a previous disciplinary action against him, published a file online containing the data of its employees. The employee took a number of steps to hide his conduct, including using a “burner phone” to upload the data. The employee was prosecuted and received a custodial sentence.

Subsequently, a number of the employees involved brought proceedings against Morrisons directly and on the basis of its vicarious liability for the employee’s acts. Their claims were for breach of statutory duty under the DPA 1998, misuse of private information, and breach of confidence. At trial in the High Court, the judge concluded that Morrisons was not directly liable but was vicariously liable for each of the claims. The Court of Appeal upheld this decision.

What did the UKSC decide?

  • Vicarious liability. The UKSC overturned the lower courts and found that their approaches had “misunderstood the principles governing vicarious liability in a number of relevant respects”. The UKSC affirmed that the “general principle” in vicarious liability is that “the wrongful conduct must be so closely connected with acts the employee was authorised to do that, for the purposes of the liability of the employer to third parties, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment”. The UKSC found that, in the present case, Morrisons was not vicariously liable for the data breach by its employee, which was intended to harm the employer. Disagreeing with the decisions in the lower courts, the UKSC held that the employee’s disclosure of personal data “did not form part of [his] functions or field of activities” – it “was not an act which he was authorised to do”. Further, again contrary to the decisions below, the UKSC determined that “whether he was acting on his employer’s business or for purely personal reasons was highly material” and so his motive was an important consideration in the analysis.
  • DPA 1998. While it was therefore not strictly necessary to consider Morrisons’ second ground of appeal, the UKSC went on to decide that the DPA 1998 did not exclude the imposition of vicarious liability for statutory, common law, and/or equitable wrongs. Morrisons argued that under the DPA 1998, liability is imposed on data controllers only when they acted without reasonable care, and “that statutory scheme was inconsistent with the imposition of a strict liability on the employer of a data controller, whether for that person’s breach of the DPA or for his breach of duties arising at common law or in equity”. However, the UKSC found that this was “not persuasive”, based on English law principles of statutory interpretation. There was no basis for concluding that the common law doctrine of vicarious liability had been excluded, expressly or impliedly, by the DPA 1998.

What does this mean?

The UKSC decision will generally be welcome news for data controllers, given that it restates the limited circumstances in which they can be held to be vicariously liable for data breaches arising from the unauthorised actions of a rogue employee.

However, the UKSC’s finding that the DPA 1998 does not exclude vicarious liability for statutory, common law, and/or equitable wrongs still leaves the door open for such claims. This is likely to be equally true, in the right circumstances, under its successor legislation, the Data Protection Act 2018 (and, potentially, the GDPR).

This post was prepared with the assistance of Leanne Chen in the London office of Latham & Watkins.