Supreme Court allows appeal in Morrisons data theft case

March 31, 2020

The Supreme Court has allowed Morrisons’ appeal in WM Morrison Supermarkets plc (Appellant) v Various
Claimants (Respondents) [2020] UKSC 12.

The appeal concerned:

  • the circumstances in which an employer is vicariously liable for wrongs
    committed by its employees, and
  • whether vicarious liability may arise for breaches by an employee of duties
    imposed by the Data Protection Act 1998.

Background

The appellant operates a chain of supermarkets and employed
S. In 2013 S received a verbal warning after disciplinary proceedings for minor
misconduct and subsequently bore a grievance against the appellant. S was asked
to transmit payroll data for the appellant’s entire workforce to its external
auditors, as he had done the previous year. He did so, but also made and kept a
personal copy of the data. In early 2014, he used this to upload a file
containing the data to a publicly accessible filesharing website. He also sent
the file anonymously to three UK newspapers, purporting to be a concerned
member of the public who had found it online. The newspapers did not publish
the information. Instead, one alerted Morrisons, which took immediate steps to
have the data removed from the internet and to protect its employees, including
by alerting police. S was soon arrested and has since been prosecuted and
imprisoned.

The respondents were some of the affected employees. They
brought proceedings against the appellant personally and on the basis of its vicarious
liability for S’s acts. Their claims were for breach of statutory duty under
the DPA, misuse of private information, and breach of confidence. At trial, the
first instance judge concluded that the appellant bore no primary
responsibility but was vicariously liable on each basis claimed. The judge
rejected the appellant’s argument that vicarious liability was inapplicable
given the DPA’s content and its foundation in an EU Directive. The judge also
held that S had acted in the course of his employment. The appellant’s
subsequent appeal to the Court of Appeal was dismissed and it appealed to the
Supreme Court.

Judgment

The Supreme Court unanimously allowed the appeal.

The primary issue before the court was whether Morrisons was
vicariously liable for S’s conduct. The
court considered the existing case law, in particular the existing “close
connection” test: whether the wrongful conduct was so closely connected with
acts the employee was authorised to do that, for the purposes of the liability of
the employer to third parties, it may fairly and properly be regarded as
done by the employee while acting in the ordinary course of his employment. The
test had to be applied having regard to the circumstances of the case and
previous court decisions.

The first question was what functions or “field of
activities” the employer had entrusted to the employee. The Court concluded
that the first instance judge and the Court of Appeal misunderstood the
principles governing vicarious liability in a number of respects. In
particular, the online disclosure of the data was not part of S’s field of
activities, as it was not an act which he was authorised to do. A temporal or
causal connection alone does not satisfy the close connection test. In
addition, it was highly material whether S was acting on his employer’s
business or for purely personal reasons.

The Supreme Court said that no vicarious liability arose in
this case. S was authorised to transmit the payroll data to the auditors. His wrongful
disclosure of the data was not so closely connected with that task that it could fairly and properly
be regarded as made by S while acting in the ordinary course of his employment. On long-established
principles, the fact that his employment gave him the opportunity to commit the wrongful act was not
sufficient to warrant the imposition of vicarious liability. An
employer is not normally vicariously liable where the employee was not engaged
in furthering his employer’s business, but rather was pursuing a personal
vendetta. The “close connection” test was not satisfied.

The second major issue before the court was whether the DPA
1998 excluded the imposition of vicarious liability for either statutory or
common law wrongs. The court found the appellant’s argument that liability is
excluded unpersuasive. Imposing statutory liability on a data controller like S
is not inconsistent with the co-existence of vicarious liability at common law,
whether for breach of the DPA or for a common law or equitable wrong, as the
DPA says nothing about a data controller’s employer. It is irrelevant that a
data controller’s statutory liability under the DPA is based on a lack of
reasonable care, while vicarious liability for an employee’s conduct requires
no proof of fault. The same contrast exists at common law between, for example,
an employee’s liability in negligence and an employer’s vicarious liability. It
makes no difference that an employee’s liability may arise under statute instead.

The appeal was therefore allowed.