On 15 April 2019, the Supreme Court granted supermarket chain Morrisons permission to appeal against the Court of Appeal ruling that it was vicariously liable for its employee’s misuse of data in the first successful UK class action for a data breach.

Permission was granted on all grounds of appeal and the Supreme Court will principally consider:

  1. whether the common law doctrine of vicarious liability is excluded in cases that engage the data protection legislation (i.e. where the primary tortfeasor’s actions amounted to a breach by the tortfeasor of his or her own obligations under the data protection legislation);
  2. if the doctrine is excluded in respect of claims brought by reference to the data protection legislation, whether it is equally excluded in respect of any related common law or equitable causes of action; and
  3. if the doctrine is not excluded, whether the Court of Appeal in any event erred when it decided to uphold the conclusion that Morrisons was vicariously liable in the circumstances of the case.

This latest twist in the Morrisons tale follows the Court of Appeal dismissing an appeal against the High Court’s decision that Morrisons was vicariously liable for its employee’s misuse of data in October 2018, despite: (i) Morrisons having done as much as it reasonably could to prevent the misuse; and (ii) the employee’s intention being to cause reputational or financial damage to Morrisons itself: Wm Morrisons Supermarkets Plc v Various Claimants [2018] EWCA Civ 2339.

Click:

  • here for our previous article on the Court of Appeal’s judgement and here for the Court of Appeal’s full judgement
  • here for our summary of the High Court decision.

Implications for organisations

The Morrisons case has highlighted the wide reach of data protection. The Court of Appeal and High Court judgements have ruled that an organisation can be liable for data breaches even if it has taken appropriate measures to comply with the data protection legislation itself, and even if it is the intended victim of the breach. In this respect, the decision has also concerned employers who can now be vicariously liable for the actions taken by a rogue employee even with appropriate safeguards in place to protect employee personal data. In addition to civil liability, organisations may suffer further damage as a result of negative publicity and impact on share price.

The current fear for organisations is also that this case, combined with the legislative changes made by the EU General Data Protection Legislation (“GDPR“), increased public awareness of data protection issues, and the publicity that the case has attracted to date, could spark a new wave of court cases from workers and customers in the event of a data breach. Whilst individuals may not themselves be entitled to significant sums, if the data breach affects large numbers of individuals, the total potential liability for organisations could become commensurately large. In this regard, it will be interesting to see how the court approaches the issue of quantum in the case against Morrisons.

Importantly, the Morrisons case related to data breaches which occurred prior to 25 May 2018 (i.e. prior to the implementation of the GDPR). In the post-GDPR world where there is an express right for individuals to be compensated for non-material damage (i.e. distress) it could become even easier to bring such actions, particularly where there have been findings of non-compliance by the Information Comissioner’s Office (“ICO“) (the UK’s data protection regulator). With multiple data breaches having hit the headlines since 25 May 2018, it will be interesting to see the impact of this decision on future individual compensation claims and whether or not this case opens the floodgates for data breach class action claims in the UK.

It remains to be seen whether the Supreme Court will follow suit and uphold the decision of the Court of Appeal. But one thing remains certain, the latest twist in the Morrisons case will be closely followed by employers and data protection practioners alike. Watch this space.

For further detail on the background of the case please click here.

Miriam Everett
Miriam Everett
Partner, Head of Data Protection and Privacy
+44 20 7466 2378
Claire Wiseman
Claire Wiseman
Senior Associate and Professional Support Lawyer, TMT, Sourcing and Data, London
+44 20 7466 2267
Kiran Chita
Kiran Chita
Paralegal, TMT, Sourcing and Data, London
+44 20 7466 3269