Some good news for employers: Supreme Court reverses Court of Appeal’s decision that Morrisons was vicariously liable for unlawful disclosure of personal data by rogue employee

WM Morrisons Supermarkets plc v Various Claimants [2020] UKSC 12 (1 April 2020). Morrisons has won its appeal from the Court of Appeal’s decision that it was vicariously liable in damages to over 5,000 employees and ex-employees for the unlawful disclosure by a rogue employee, an internal IT auditor, of payroll data comprising their personal data. While it agreed that the Data Protection Act 1998 (DPA) did not exclude vicarious liability, the Supreme Court held that the judge at first instance and the Court of Appeal misunderstood the principles governing vicarious liability in a number of respects. In particular, the Supreme Court considered that when assessing whether the employee’s wrongful conduct was closely connected with acts that he was entitled to do, it was “highly material” that he was acting for purely personal reasons, here pursuing a vendetta against the company.

Background

Andrew Skelton was employed by Morrisons in its internal audit team. In July 2013 he was subject to disciplinary proceedings for minor misconduct and was given a verbal warning. Following those proceedings, he harboured an irrational grudge against the company.

In November 2013, Skelton was tasked with transmitting payroll data for Morrisons’ entire workforce to its external auditors, KPMG. He transmitted the data to KPMG as he had been instructed to do but also surreptitiously copied the data from his work laptop onto a personal USB stick. The data consisted of the names, addresses, gender, dates of birth, phone numbers (home or mobile), national insurance numbers, bank sort codes, bank account numbers and salary details.

In early 2014, using the personal details of a fellow employee who had been involved in the disciplinary proceedings to create a false email account, Skelton uploaded, from home, a file containing the data from the USB stick to a publicly accessible file-sharing website, with links to the data posted on other websites. The file contained data of 98,998 Morrisons employees. He also sent a CD containing a copy of the data and a link to the file-sharing site to three newspapers in the UK. One of the newspapers alerted Morrisons, which within a few hours took steps to ensure that the website had been taken down. Morrisons also alerted the police.

Skelton was arrested and charged with fraud and offences under the Computer Misuse Act 1990 and s 55 of the DPA. In July 2015, he was convicted and sentenced to eight years' imprisonment.

Some 9,263 employees of Morrisons whose data was disclosed by Skelton's actions now make up the group involved in bringing the proceedings against Morrisons for breach of statutory duty under s 4(4) of the DPA, misuse of private information, and breach of confidence. They also claimed that Morrisons was vicariously liable for Skelton’s conduct.

At first instance, Langstaff J dismissed the claims that Morrisons was primarily liable. However, he also rejected Morrisons’ argument that vicarious liability was inapplicable given the DPA’s content and its foundation in an EU Directive. The judge also held, on the basis of Lord Toulson’s judgment in Mohamud v WM Morrisons Supermarkets plc [2016] UKSC 11, that Skelton had acted in the course of his employment since Morrisons had provided him with the data in order for him to carry out the task assigned to him, and what had happened thereafter was, in Lord Toulson’s words, “a seamless and continuous sequence of events … an unbroken chain”. Applying the factors listed by Lord Phillips in Various Claimants v Catholic Child Welfare Society [2013] 2 AC 1, the judge also considered it important that Morrisons were better placed to compensate the victims of Skelton’s wrongdoing than Skelton himself and could be expected to have insured against that liability, and that by employing Skelton to carry on the activity, it created the risk of the tort being committed.

Morrisons’ subsequent appeal was dismissed, the Court of Appeal emphasising like the judge that the relevant facts constituted a “seamless and continuous sequence” or “unbroken chain” of events and finding, amongst other things, that Skelton’s motive for disclosing the data was irrelevant.

The issues before the Supreme Court, on Morrisons’ further appeal, were whether it was vicariously liable for Skelton’s conduct and, if so, whether the DPA excluded vicarious liability for breaches of its own provisions, committed by an employee as a data controller, or for misuse of private information and breach of confidence.

Decision

Was Morrisons vicariously liable?

The Supreme Court began with Lord Toulson’s judgment in Mohamud. That case, their Lordships stressed, was not intended to change the law of vicarious liability, in particular, the “close connection” test as expressed in Lister v Hesley Hall Ltd [2002] 1 AC 215 and elaborated by Lord Nicholls in Dubai Aluminium Co Ltd v Salaam [2003] 2 AC 366. According to that test “the wrongful conduct must be so closely connected with acts the employee was authorised to do that, for the purposes of the liability of the employer to third parties, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment”.

The Supreme Court observed that, having explained the “close connection” test, Lord Toulson in Mohamud summarised the law in “the simplest terms”. The first question was what functions or “field of activities” the employer had entrusted to the employee. In other words, as Lord Nicholls put it in Dubai Aluminium, it is necessary to identify the “acts the … employee was authorised to do”. Secondly, in Mohamud Lord Toulson said “the court must decide whether there was sufficient connection between the position in which he was employed and his wrongful conduct to make it right for the employer to be held liable under the principle of social justice”. This statement had been more fully explained in Dubai Aluminium by Lord Nicholls and, in the Supreme Court’s view, Lord Toulson was not suggesting any departure from Lord Nicholls’ approach. Further, read in context, Lord Toulson’s comments that, on the facts of Mohamud there was an “unbroken sequence of events” and a “seamless episode” were not directed towards the temporal or causal connection between the various events, but referred to the capacity in which the employee had been purporting to act when the wrongful conduct took place, namely “about his employer’s business”. The Supreme Court also stressed that Lord Toulson’s comment, in relation to the facts of Mohamud, that “motive is irrelevant” should not be taken out of context: whether the employee was acting on his employer’s business or for personal reasons was important, but, in Mohamud, the reason why he had committed the tort could not make a material difference to the outcome because Lord Toulson had already concluded that the employee was going, albeit wrongly, about his employer’s business.

Having reviewed the authorities, the Supreme Court held that the judge and the Court of Appeal misunderstood the principles governing vicarious liability in a number of relevant respects. First, the disclosure of the data on the internet did not form part of Skelton’s functions or field of activities: it was not an act which he was authorised to do. Secondly, the factors listed by Lord Phillips in Catholic Child Welfare Society to which the judge referred were irrelevant. That case was not concerned with the question whether the wrongdoing in question was so connected with the employment that vicarious liability ought to be imposed, but with whether, in the case of wrongdoing committed by someone who was not an employee, the relationship between the wrongdoer and the defendant was sufficiently akin to employment as to be one to which the doctrine of vicarious liability should apply. Thirdly, although there was a close temporal link and an unbroken chain of causation linking the provision of the data to Skelton for the purpose of transmitting it to KPMG and his disclosing it on the internet, a temporal or causal connection does not in itself satisfy the close connection test. Fourthly, the reason why Skelton acted wrongfully was not irrelevant: on the contrary, whether he was acting on his employer’s business or for purely personal reasons was “highly material”.

Considering the question afresh and applying the “close connection” test in Dubai Aluminium, the Supreme Court was satisfied that no vicarious liability arose in the present case. The mere fact that Skelton’s employment gave him the opportunity to commit the wrongful act was not sufficient to warrant the imposition of vicarious liability (see, for example, Morris v C W Martin & Sons Ltd [1966] 1 QB, and Lister). In Dubai Aluminium, Lord Nicholls drew a distinction between cases “where the employee was engaged, however misguidedly, in furthering his employer’s business, and cases where the employee is engaged solely in pursuing his own interests: on a ‘frolic of his own’ in the language of the time-honoured catch phrase”. In the present case, Skelton was not engaged in furthering his employer’s business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier. For these reasons, the Supreme Court concluded that Skelton’s wrongful conduct was not so closely connected with acts which he was authorised to do that, for the purposes of Morrisons’ liability to third parties, it could fairly and properly be regarded as done by him while acting in the ordinary course of his employment.

Did the DPA exclude vicarious liability?

While, given its findings on vicarious liability, it was not strictly necessary for the Supreme Court to consider whether the DPA excluded imposition of vicarious liability for either statutory or common law wrongs, the court expressed a view. This was that, since the DPA says nothing about the position of a data controller’s employer, the imposition of a statutory liability upon a data controller is not inconsistent with the imposition of a common law vicarious liability upon his employer, either for the breach of duties imposed by the DPA, or for breaches of duties arising under the common law or in equity. It was irrelevant that the statutory liability of a data controller under the DPA, including his liability for the conduct of his employee, is based on a lack of reasonable care, whereas vicarious liability is not based on fault. A similar contrast existed between the fault-based liability of an employee under the common law (for example, for negligence) and the strict vicarious liability of his employer, and was no more anomalous where the employee’s liability arose under statute than where it arose at common law.

Comment

This will come as a mighty relief to Morrisons and indeed any large employer who fears the possibility of an employee, trusted with access to large amounts of personal data, going rogue. The case had otherwise appeared to open even further a Pandora’s box of class actions against employers for unlawful disclosures of personal data by such an employee even where the employer, as data controller, has not itself breached data protection law in connection with the employee’s wrongdoing. The Supreme Court’s decision, however, does not close the lid on that box entirely. Its decision is about vicarious liability, not class actions which, as the law stands, may be brought against data controllers in relation to data breaches by individuals whose data has been compromised even where they have suffered no financial loss or distress, in other words merely for the loss of control of their data as a result of such breach. All eyes now turn, therefore, to the Supreme Court’s judgment in Lloyd v Google LLC, expected later this year or early next, on whether, in a representative action, uniform per capita damages can be awarded for breaches of data protection legislation, leading to a loss of control of personal data, without proof of distress or any material damage.