Landmark Supreme Court decision reins in scope of vicarious liability in data breach cases

Wm Morrison v Various Claimants [2020] UKSC 12

In a decision that will be welcomed by data controllers everywhere, the Supreme Court has held that Morrisons is not vicariously liable for a data breach deliberately carried out by one of its employees in an attempt to harm his employer.

In 2014, Andrew Skelton, a Morrisons employee who bore a grudge against his employer, deliberately posted the personal information of thousands of other employees on the internet. He also sent the information anonymously to three newspapers.

Despite his efforts to cover his tracks, Mr Skelton's actions were quickly uncovered. The information was removed from the internet within a few hours, and Mr Skelton was arrested, and ultimately convicted and sentenced to 8 years in prison. 

9,263 of the affected employees brought a collective action against Morrisons, seeking damages for breach of data protection legislation, misuse of private information and breach of confidence. 

Both the High Court and the Court of Appeal found that while Morrisons was not directly liable for Skelton's conduct, it was vicariously liable. Those Courts had decided that there was a sufficiently close connection between Mr Skelton's wrongful acts and his employment to impose liability on Morrisons to pay compensation, and that Mr Skelton's motivation to harm his employer was irrelevant. But the Supreme Court disagreed. 

While the Supreme Court confirmed that, in principle, employers could be vicariously liable for breaches of the Data Protection Act, it held that, in this instance, Mr Skelton could not be said to be acting in the course of his employment.

In deciding that Mr Skelton's motivation was irrelevant, the lower courts had misunderstood the existing case law. The Supreme Court found that, on the contrary, Mr Skelton's motivation was highly relevant. Mr Skelton was not engaged in furthering his employer's business when he committed the act; rather, he was pursuing a personal vendetta. His actions could not therefore be said to be closely connected with the work he was employed to do.

The decision provides welcome clarification of the scope of vicarious liability, not only in data protection claims but also more widely. Employers will be relieved to know they will not have to pay compensation following acts carried out deliberately to cause them harm. And data controllers will be comforted that the still very significant burdens placed on them by data protection legislation have become just a little lighter.

A summary of the judgment is here, and the full judgment here.