The UK Supreme Court, in a unanimous decision delivered on April 1,[1] has overturned the decision of the Court of Appeal which had found that Morrisons Supermarkets plc (“Morrisons”) could be held vicariously liable for the unauthorized actions of an employee who had deliberately leaked the personal data of thousands of Morrisons’ employees online. In its judgment, the Supreme Court explained that the Court of Appeal had “misunderstood the principles governing vicarious liability”.[2] For more information on the background of this case and the High Court and Court of Appeal judgments, please see our article here. The full text of the Supreme Court judgment can be read here.

Takeaways for employers:

As the threat of class action lawsuits for personal data breaches increases, the Supreme Court’s ruling should be welcomed by employers. The EU General Data Protection Regulation (“GDPR”) sets a low bar for data subject compensation, with “non-material” damage being sufficient to warrant a pay-out.[3] Data subjects do not need to demonstrate actual financial loss and may be able to claim compensation for distress associated with an unauthorized disclosure of their personal data.

The Supreme Court judgement, therefore, brings welcomed clarity on the extent to which an employer could be on the hook for the actions of a rogue employee. Helpfully, the Supreme Court determined that:

  • An employer will not be liable for the actions of an employee in deliberately causing a data breach while acting beyond the ordinary scope of their employment, provided the employer can demonstrate the necessary standard of care imposed by data protection law has been met, thus avoiding any primary liability.
  • When assessing what is within the ordinary scope of employment, more than a temporal or causal link between the authorized acts of the employee and the wrongful disclosure of personal data, will be needed. It is not enough that the employee has the opportunity to cause a breach during the course of his employment.
  • Motivations of an employee will be a relevant part of the assessment. Where an employee is not motivated to further his employer’s business, but instead is driven by a personal vendetta, this will be taken into account.

However, the Supreme Court’s judgment is not all good news for employers. The UK’s highest judicial authority did not exclude the possibility of vicarious liability for data breaches altogether. Therefore, in principle, an employer could be vicariously liable to compensate data subjects for the actions of an employee which, for example, amount to a breach of the GDPR, a breach of confidence or a misuse of private information, where such actions are within the ordinary scope of his employment.

However, whether an employer can ever be vicariously liable for a breach of the GDPR by virtue of its employee’s actions which take place within the scope of its employment is debatable. While not specifically considered by the Supreme Court, it is generally understood that where an employee is processing personal data in the context of their employment, their processing activities are considered to be those of their employer (i.e., the data controller). An employer would not therefore be vicariously liable for such employee’s actions, but instead would be directly liable under the GDPR as the controller of such processing. This is distinct from the situation where the employee acts outside of the scope of their employment, in which case they would be deemed to be an independent data controller and at the same time vicarious liability would be precluded.

While vicarious liability at common law or in equity may still arise, the distinction with the position under statutory data protection law has important implications for potential damages claims (in light of the very low threshold for compensation set by the GDPR). Primarily therefore, employers should take all steps necessary to avoid a breach of the GDPR as a result of its employees’ actions within the course of employment.

Going forward, it will be crucial for employers to:

  • Carefully select employees to be tasked with sensitive or high volume data handling and to ensure that they have the requisite skills to perform their functions without error. This should include appropriate training on internal systems, technologies, procedures and policies.
  • Ensure that appropriate technical and organizational measures are in place to secure data, such that direct liability for data breaches can be avoided.
  • Implement effective disaster recovery plans to mitigate the financial and reputational fallout from any accidental or deliberate personal data breaches that employee actions may give rise to.

Document data processing instructions and the delegation of data handling responsibilities to employees (whether in connection with human resources, information technology, client relationship management, or the execution of internal audits) and ensure that clear and accessible internal policies provide for the appropriate parameters of such responsibilities.

[1] WM Morrisons Supermarkets PLC (Appellant) v Various Claimants (Respondents) [2020] UKSC 12, see paragraphs 2 – 8.

[2] Ibid., paragraph 31.

[3] Article 82(1), GDPR.