Morrisons Supermarket Not Liable for Employee’s Data Breach

April 1, 2020

In a much anticipated judgment, today the United Kingdom Supreme Court ruled in WM Morrison Supermarkets plc v Various Claimants [2020] UKSC 12. Judgment was given by Lord Reed, with whom the remaining members of the panel agreed.

Morrison Supermarkets plc (“Morrisons”) was sued for breach of section 4(4) of the Data Protection Act 1998, misuse of private information and breach of confidence by 9,263 of its employees after their personal information held by Morrisons was published on the internet and sent to three newspapers on CD. It was sent by another employee, a senior auditor, who published the personal data of 98,998 employees to which he had access for payroll audit purposes in retaliation for internal disciplinary action against him.

The judgment has found that Morrisons is not vicariously liable for its employee’s actions either under statute or by common law because the conduct was itself intended to harm Morrisons. This alert also discusses the future of data protection litigation given the changed legal regime in the United Kingdom since 2018.

Proceedings Background

After a group litigation order, in the High Court Langstaff J held that Morrisons had no primary liability, but that it was vicariously liable for its employee’s conduct, which was performed in the course of his employment exploiting data Morrisons held: [2017] EWHC 3113 (QB); [2019] QB 772. The Court of Appeal (Sir Terence Etherton MR, Bean and Flaux LJJ) agreed: [2018] EWCA Civ 2339; [2019] QB 772. Morrisons appealed a final time.

No Vicarious Liability When the Acts Are Motivated by Vengeance and Harm Intended Against the Employer

As a starting point, the Court had regard to the discussion of the “close connection” test Lord Nicholls of Birkenhead had set out in Dubai Aluminium Co Ltd v Salaam [2002] UKHL 48; [2003] 2 AC 366, summarizing it as:

…the wrongful conduct must be so closely connected with acts the employee was authorised to do that, for the purposes of the liability of the employer to third parties, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment.[1]

It was clear that the employee was only able to do what he did because he had been entrusted with the personal data to carry out his auditor functions. However, in the present case “it was not an act which he was authorised to do, as Lord Nicholls put it.”[2]

Furthermore, there was a distinction to be drawn between cases where the employee was engaged, however misguidedly, in furthering his employer’s business, and cases where the employee is engaged solely in pursuing his own interests: on a “frolic of his own”.[3]

Moreover, and in contrast to the views of the Court of Appeal, the Court also held that the motive of the employee was not irrelevant.[4] More particularly, after reviewing a series of prior cases, the Court confirmed that personal vengeance breaks an otherwise close connection that would exist where an employee exploits the access he or she has to an employer’s materials, such as firearms provided for police duties or, in this case, other people’s personal data.[5] The Court’s judgment also breaks new ground because “[p]erhaps unsurprisingly, there [did] not appear to be any previous case in which it has been argued that an employer might be vicariously liable for wrongdoing which was designed specifically to harm the employer.”[6]

But the Data Protection Act 1998 Does Not Exclude Vicarious Liability Per Se

Morrisons had also argued that the Data Protection Act 1998 (“DPA 98”) in fact both overrode the common law causes of action and excluded vicarious liability. Despite finding that Morrisons would not be liable in any event, the Court also decided these issues.

First, the Court flatly rejected that the DPA 98 could undermine the common law causes of action and vicarious liability thereon – they exist despite DPA 98. Moreover, the fact that DPA 98 was silent on vicarious liability did not mean it was displaced. And:

That conclusion is not affected by the fact that the statutory liability of a data controller under [DPA 98], including his liability for the conduct of his employee, is based on a lack of reasonable care, whereas vicarious liability is not based on fault. There is nothing anomalous about the contrast between the fault-based liability of the primary tortfeasor under [DPA 98] and the strict vicarious liability of his employer.[7]

The Court’s ruling also supports the general proposition that, unless a statute expressly or impliedly indicates otherwise, the principle of vicarious liability applies where an employee breaches the statutory obligations it imposes, in the same way as it applies to a breach of obligations at common law or in equity.

Impact for the Future? The GDPR and Data Protection Act 2018

DPA 98 has since been superseded by the General Data Protection Regulation (GDPR) and its United Kingdom implementing legislation, the Data Protection Act 2018 (DPA 2018).

Under all the data protection legislation, employees may be considered data controllers themselves, with the consequent possibility of suit against them personally. But this case has made it clear that employers are not safe from data protection suits simply by blaming their employee’s mishandling of data, at least under the DPA 98, for as long as claims under that Act remain possible by virtue of the transitional provisions of DPA 2018. It has also made clear that common law causes of action were not displaced by that Act. But it does now appear firmly the case that if reasonable safeguards have been put in place such that an employer would not be held directly liable, it should be safe from liability for its employees’ malicious exploitation of the data they handle.

Under GDPR Article 82(4), if more than one data controller or processor are responsible for damage, they are jointly and severally liable for it as against the injured party. Similar language is not expressly stated in DPA 98. But that is still an issue of direct liability. DPA 2018 and the GDPR again do not expressly address vicarious liability. The question for the future is therefore whether that additional consideration of joint and several liability in GDPR could have any bearing on the English courts’ approach to vicarious liability under the new regime. Our own view is that this is unlikely. However, only time will tell.

For more information, please contact the professional(s) listed below, or your regular Crowell & Moring contact.

Nicola Phillips
Partner – London
Phone: +44.20.7413.1317

Maarten Stassen
Partner – Brussels
Phone: +

Robert Weekes
Partner – London
Phone: +44.20.7413.1320

Laurence Winston
Partner – London
Phone: +44.20.7413.1333

John Laird
Counsel – London
Phone: +44.20.7413.1324
