On 1 December 2017, the High Court handed down its judgment on the UK’s first class action arising from a data breach (Various Claimants v Morrisons). The High Court allowed the claim and deemed Morrisons to be vicariously liable for the criminal actions of a former employee.

In July 2015, Andrew Skelton (a former Morrisons employee) was sentenced to eight years in jail after he was found guilty of stealing and unlawfully sharing the names, addresses, bank, salary and national insurance details of almost 100,000 of his former colleagues with news outlets and data sharing websites. Morrisons then reportedly spent more than £2 million on measures to tackle the breach.
Almost 6,000 of those affected recently brought a class action, despite not having suffered any financial loss, on the basis that Morrisons was liable, directly or vicariously, for:
(i) the criminal action of its rogue employee in disclosing personal information of co-employees; and
(ii) the subsequent distress suffered by those employees;
whether in breach of certain data protection principles under the Data Protection Act 1998 (“DPA”), an action for breach of confidence, or an action for misuse of private information (a tort established in Google v Vidal-Hall, discussed further below).
The judgment cleared Morrisons of direct liability as it had not breached any of the data protection principles (except in one respect which was not causative of any loss), nor could direct liability be established for misuse of private information or breach of confidentiality. This is because once Mr Skelton acted autonomously in deciding how to handle the personal data, he became the data controller in respect of the relevant processing. Therefore, the acts that breached the DPA were those of a third-party data controller (Mr Skelton), not Morrisons.
However, it was held that the DPA does not exclude vicarious liability, despite not expressly referring to it. As Mr Skelton’s disclosure of the data was deemed to be a seamless and continuing series of events, it was held that Mr Skelton acted in the course of his employment and Morrisons was therefore vicariously liable for Mr Skelton’s actions. The judgment also stated that this conclusion would be the same regardless of whether the basis of Skelton’s liability was seen as a breach of duty under the DPA, a misuse of private information or a breach of confidence.
Google v Vidal-Hall
The recent judgment follows the landmark case of Google v Vidal-Hall in March 2015, which established the right to damages for emotional distress for breach of the DPA, including in the absence of any financial loss or other material damage. The principle of damages for emotional distress was established on the basis that section 13(2) of the DPA (which essentially required a claimant to establish actual financial loss before being able to claim compensation for data protection breaches) was incompatible with Article 23 of the EU Data Protection Directive. It should therefore be disapplied in accordance with the ‘Marleasing’ principle (to interpret national legislation “as far as possible” in light of the wording and purpose of the directive, so as to achieve the result the directive seeks). It was also disapplied on the grounds that it conflicts with the rights guaranteed by the EU Charter of Fundamental Rights. Google v Vidal-Hall also recognised the misuse of private information as a tort. Prior to the case, the courts had used the law of confidentiality to afford appropriate protection to privacy rights under Article 8 of the European Convention on Human Rights. Therefore, recognising the misuse of private information as a tort did not create a new cause of action, but gave the correct label to an existing cause of action.
Implications for organisations
The Morrisons judgment establishes vicarious liability for data breach, in addition to direct liability, which could have significant implications for organisations. Not only are organisations liable for the distress caused by a data breach, even in the absence of financial loss, but they are now also potentially liable for the way that their employees access and handle data.
With large-scale data breaches now an almost weekly occurrence, it is possible that such breaches could result in more compensation claims being brought by large numbers of affected individuals, even where they have not suffered financial loss. Whilst individuals may not themselves be entitled to significant sums, if a data breach affected tens or hundreds of thousands of individuals, the total potential compensation liability for organisations could become relatively large.
With the GDPR applying from May 2018, the maximum fines that can be levied by regulators are increasing very significantly (in the UK, from the £500,000 maximum fine the ICO can presently levy, up to a maximum of 4% of global turnover or €20 million for certain breaches, whichever is greater). It remains to be seen whether damages to data subjects also increase, but the additional weight placed by regulators on data protection is likely to raise the profile of such claims. Also, given that the requirements of the GDPR are stricter in some places than under the DPA, the risk of non-compliance is greater. That is without taking into account the reputational damage such incidents can also bring.
In giving the judgment, Justice Langstaff stated his concerns that the wrongful acts of Skelton were deliberately aimed at Morrisons, such that by finding Morrisons vicariously liable, the Court could be regarded as “an accessory to furthering his criminal aims”. As a result, he granted leave to Morrisons to appeal the conclusion on vicarious liability, but would not, without further persuasion, grant permission to cross-appeal his conclusions as to direct liability. Morrisons has since confirmed its intention to appeal the decision, so it remains to be seen whether this judgment will stand.
The full ‘Various Claimants v WM Morrisons Supermarket PLC’ judgment can be found here.