Judgment regarding application of vicarious liability test in Class Action against employer in context of malicious data use
Supreme Court corrects misunderstanding of lower Courts’ interpretation of vicarious liability test and decides Morrisons supermarkets were not vicariously liable for their employee’s conduct
The Supreme Court ruling of WM Morrison Supermarkets Plc v Various Claimants [2020] UKSC 12 this month concerned whether Morrisons were responsible for the actions of an internal audit employee whose malicious conduct resulted in his misuse of data of about 100,000 employees. Over 9,000 of those employees claimed compensation against Morrisons in a representative action, and therefore the outcome was closely observed due to potential ramifications in terms of the overall value of such claims and guidance regarding rogue employees.
This unanimous Judgment will help clarify the application of the vicarious liability test when a rogue employee’s misconduct is primarily targeted towards the employer itself, rather than say a customer. The employer – as data controller – still needs to analyse its potential risks and comply with statutory data security requirements.
1. Background to Morrisons
The internal audit employee had received a verbal warning in July 2013 in an internal disciplinary matter regarding the unpermitted use of the supermarket’s premises for his unrelated slimming aids business.
In his internal audit role, he was tasked to provide payroll data of nearly 126,000 of the supermarket’s employees (including salary and bank account details) to the supermarket’s auditors. He had carried out this role the previous year, and completed the present task in November 2013.
However, between November 2013 and January 2014, whilst continuing to bear a grudge against his employer, he copied that data from his work laptop on to a personal USB stick, uploaded the file on to a publicly accessible file-sharing website and later, in March 2014, anonymously sent a CD of the file to three UK newspapers (one of whom alerted Morrisons). He had taken steps to try to cover his tracks and implicate another employee. However, the subsequent investigation unearthed these and the criminal prosecution led to an 8-year prison sentence for the rogue employee.
Morrisons also incurred costs of about £2.26 million, much of which involved identity protection measures for its employees.
2. The earlier Court Judgments
About 9,000 employees (or former employees) pursued compensation against Morrisons. They sued for misuse of private information and breach of confidence, and for breach of statutory duty under Section 4(4) of the Data Protection Act 1998 (as it was at that time – the ‘DPA 1998’).
Addressing the issue of whether or not Morrisons were liable first, in 2017 the Trial Judge rejected the claim that Morrisons were primarily liable, but stated that the supermarket was vicariously liable. Morrisons unsuccessfully appealed that decision in 2018 and then appealed again to the Supreme Court. The Supreme Court hearing took place in November 2019.
3. The Supreme Court Judgment
The first question for the Supreme Court was whether Morrisons was vicariously liable for that person’s conduct, and if so:
- whether the DPA 1998 excluded vicarious liability for statutory torts committed by an employee data controller under the DPA 1998; and
- whether the DPA 1998 excluded vicarious liability for misuse of private information and breach of confidence.
In a unanimous Judgment, Lord Reed stated that Morrisons were not vicariously liable and “that the judge and the Court of Appeal [had] misunderstood the principles governing vicarious liability in a number of relevant respects”.
What is the test for vicarious liability and the answer on the facts of this case?
The Supreme Court stated that, read as a whole, Mohamud [2016] had not changed the law of vicarious liability. It had applied long-established principles to the facts of that case (which involved a Morrisons’ petrol station attendant who had had an altercation with a customer).
When considering whether the internal auditor’s wrongful conduct was committed in the course of his employment, the earlier Courts in the current Morrisons case had also read some phrases, such as “motive is irrelevant”, out of context.
Mohamud, the case involving the petrol station attendant, had referred to the approach to ‘close connection’ in cases such as Dubai Aluminium Co Ltd v Salaam [2002], in which the House of Lords identified the general principle of the ‘best general answer’.
To summarise the 1 April 2020 Judgment, the test for vicarious liability is:
- What functions or ‘field of activities’ had been entrusted by the employer to the employee? In other words, what were the “acts the…employee was authorised to do”?
- In Mohamud there was an unbroken sequence of events. In the 1 April 2020 Judgment this was described as not “directed towards the temporal or causal connection between the various events, but towards the capacity in which [the person] was acting when those events took place”. The petrol station attendant was purporting to act about his employer’s business and this was not something personal.
Therefore, the lower Courts in the current Morrisons case were misled by reading in isolation the comment in the Mohamud Judgment that “motive is irrelevant”, as the question of whether the petrol station attendant “was acting, albeit wrongly, on his employer’s business, or was acting for personal reasons, was plainly important”.
His foul-mouthed conduct, whilst inexcusable, was within the ‘field of activities’ assigned to him. The assault on the customer was not unconnected, due to the unbroken sequence of events. It was just the motive for why he became so enraged as to assault the customer that was irrelevant.
- Was there “sufficient connection between the position in which he was employed and his wrongful conduct to make it right for the employer to be held liable under the principle of social justice..”. That was more fully stated in Dubai Aluminium and paraphrased as “whether the wrongful conduct was so closely connected with acts the employee was authorised to do that, for the purposes of the liability of his employer, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment”.
This close connection was not merely a closeness in timing or causation.
In the 1 April 2020 Judgment, the Supreme Court applied the test that it set out in paragraph 31 of its Judgment, as follows:
- The Court commented that disclosure of data on the Internet was not part of his functions or ‘fields of activities’. It was not an act that he was authorised to do.
- Regarding the ‘close connection’ test, whilst there was closeness in timing and an unbroken chain of causation linking data being given to him for the purpose of passing it on to the supermarket’s auditors and him disclosing it on the Internet, that timing or causal connection does not in itself satisfy the ‘close connection’ test.
- Applying the ‘best general answer’ principle, identified in Dubai Aluminium, and referring to past Judgments for guidance, it was noted that the facts were unusual because there were no other cases where the wrongdoing was designed specifically to harm the employer – the closest were those in which harm was intended to be inflicted on a third party for personal reasons.
- The reason why he acted wrongfully was not irrelevant; whether he was acting on his employer’s business or for purely personal reasons was highly material.
- Overall, the Supreme Court decided that “he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier… [his] wrongful conduct was not so closely connected with acts which he was authorised to do that, for the purposes of Morrisons’ liability to third parties, it can fairly and properly be regarded as done by him while acting in the ordinary course of his employment.”
Therefore, Morrisons succeeded in its appeal and it was not liable for the claims by the claimants.
Whether the DPA 1998 excluded vicarious liability for breaches of its own provisions or for misuse of private information and breach of confidence?
As Morrisons were not found to be vicariously liable for the internal auditor’s wrongful conduct, the remaining questions (the issue of whether the DPA 1998 excluded vicarious liability for breach of statutory duty by an employee data controller or for misuse of private information and breach of confidence) did not need to be considered by the Court. As the issues had been fully argued, the Supreme Court stated that it was desirable for it to express a view. These would therefore be passing comments by the Supreme Court.
The Trial Judge in 2017 stated that the DPA 1998 did not exclude these and that EU legislation was intended to increase the protection of data subjects, not take away existing protections.
Morrisons relied on Majrowski [2007] that stated that:
“Unless the statute expressly or impliedly indicates otherwise, the principle of vicarious liability is applicable where an employee commits a breach of a statutory obligation sounding in damages while acting in the course of his employment.”
Morrisons argued that the DPA 1998 impliedly excluded the vicarious liability of an employer, stating that:
Section 13 (1) provided that “[an] individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage”. Subsection (2) makes similar provision in relation to compensation for distress. Subsection (3) provides that “[i]n proceedings brought against a person by virtue of this section it is a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned.” and the seventh data protection principle (Schedule 1, paragraph 10) of the DPA 1998 also provided “the data controller must take reasonable steps to ensure the reliability of any employees of his who have access to personal data”.
It was argued by Morrisons that vicarious liability was to be imposed only on data controllers, and only where they had acted without reasonable care, and that statutory scheme was inconsistent with the imposition of a strict liability on the employer of a data controller, whether for that person’s breach of the DPA 1998 or for his breach of duties in the other forms alleged. Since it was common ground that Morrisons performed its obligations as data controllers, and that the internal auditor was a data controller in his own right in relation to the data which he copied and disclosed, it was alleged that Morrisons could not be under a vicarious liability for his breach of his duties.
The Supreme Court was not persuaded by this argument, although it was presented attractively. The 1 April 2020 Judgment contained comments that:
“the imposition of a statutory liability upon a data controller is not inconsistent with the imposition of a common law vicarious liability upon his employer, either for the breach of duties imposed by the DPA, or for breaches of duties arising under the common law or in equity. Since the DPA is silent about the position of a data controller’s employer, there cannot be any inconsistency between the two regimes. That conclusion is not affected by the fact that the statutory liability of a data controller under the DPA, including his liability for the conduct of his employee, is based on a lack of reasonable care, whereas vicarious liability is not based on fault”.
CPB Comment
This Supreme Court decision brings to an end the first group action in the UK for this type of breach. The facts of this vicarious liability case were unusual and there were no other Judgments where the wrongdoing (in this case misuse of data) was designed specifically to harm the employer – the closest were those in which harm was intended to be inflicted on a third party for personal reasons.
The employee was pursuing a personal vendetta against the employer rather than his acts being to further the employer’s business. His motives were relevant.
This case highlights that it is important to scrutinise the acts that the employee was authorised to carry out, along with the chain of events both from a timing and causation point of view. When there is close timing or an unbroken chain of causation linking the provision of data for an authorised use and ultimate misuse by that employee, that does not of itself satisfy the close connection test.
Whereas the Lloyd v Google decision in October 2019 favoured the data subjects in that representative action, who were seeking permission to serve a Section 4(4) DPA 1998 breach of statutory duty court claim outside the jurisdiction of England & Wales, this month’s decision in Morrisons may mean that the start of such representative actions against employers, particularly in the context of acts by an employee who bears a grudge against their employer, shall be approached with more caution.
Helen Tilley
Partner
Samantha Zaozirny
Associate
Lisbeth Poulsen
European Qualified Lawyer
This information has been prepared by Carter Perry Bailey LLP as a general guide only and does not constitute advice on any specific matter. We recommend that you seek professional advice before taking action. No liability can be accepted by us for any action taken or not as a result of this information. Carter Perry Bailey LLP is a limited liability partnership registered in England and Wales, registered number OC344698 and is authorised and regulated by the Solicitors Regulation Authority. A list of members is available for inspection at the registered office 10 Lloyd’s Avenue, London, EC3N 3AJ.