Morrisons wins Supreme Court appeal against finding of vicarious liability in data breach class action

Today the Supreme Court handed down its decision in Wm Morrisons Supermarkets Plc v Various Claimants [2020] UKSC 12, bringing to its conclusion a case which had the potential to alter significantly the data protection and cyber security litigation and class action landscape.

The headline news is that Morrisons has been found not to be vicariously liable for the actions of a rogue employee in leaking employee data to a publicly available file-sharing website.

The judgment will likely result in a collective sigh of relief for organisations who have been watching closely to track their potential liability for data breach class actions. However, it is important to note that the Morrisons case and judgment is very fact specific; it does not close the door on data breach class action compensation as a whole. Boardrooms should still be examining the technical and organisational measures they have in place to prevent personal data breaches in order to reduce the risk of regulatory enforcement and class actions.

Background

In 2015 a former Morrisons employee was found guilty of stealing and unlawfully sharing the personal data (including names, addresses, bank account details, salary and national insurance details) of almost 100,000 of Morrisons’ employees with members of the press and with data sharing websites. At the time, the ICO investigated and found no enforcement action was required with respect to Morrisons’ compliance with the Data Protection Act 1998 (“DPA”).

Nevertheless, around 5,000 Morrisons employees brought a claim for damages – irrespective of the fact that they had not suffered any financial loss. Instead, the employees claimed that Morrisons was vicariously liable for the criminal acts of its employee and for the resulting distress caused to the relevant employees.

For full details of the background to the High Court and Court of Appeal arguments, please see our previous Morrisons data protection briefing. Following the conclusion of the Court of Appeal case, the Supreme Court subsequently granted leave to appeal, which led to a two day hearing in November 2019 and, ultimately, the judgment handed down today.

Decision

The Supreme Court overturned the Court of Appeal’s decision, finding that Morrisons was not vicariously liable for the employee’s unlawful actions. Lord Reed gave the judgment of the court, with which Lady Hale, Lord Kerr, Lord Hodge and Lord Lloyd-Jones agreed.

Lord Reed concluded that the courts below had misunderstood the principles of vicarious liability, and in particular had misinterpreted the Supreme Court’s judgment on vicarious liability in Mohamud v WM Morrison Supermarkets plc [2016] UKSC 11. That judgment was not intended to change the law on vicarious liability, but rather to follow existing authority including, importantly, Dubai Aluminium Co Ltd v Salaam [2002] UKHL 48.

In Dubai Aluminium, Lord Nicholls identified the general principle that applies when the court considers the question of vicarious liability arising out of an employment relationship: the wrongful conduct must be so closely connected with acts the employee was authorised to do that, for the purposes of the liability of the employer to third parties, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment.

Applying that test, vicarious liability was not established in this case. The Supreme Court found that the employee’s wrongful conduct was not so closely connected with the acts he was authorised to do that, for the purposes of assessing Morrisons’ liability, it could fairly and properly be regarded as being done in the ordinary course of his employment.

Lord Reed referred to the distinction drawn by Lord Nicholls in Dubai Aluminium between cases “where the employee was engaged, however misguidedly, in furthering his employer’s business, and cases where the employee is engaged solely in pursuing his own interests: on a ‘frolic of his own’, in the language of the time-honoured catch phrase.”

In the present case, he said, it was clear that the employee was not engaged in furthering Morrisons’ business when he committed the wrongdoing in question. On the contrary he was pursuing a personal vendetta against the company, seeking revenge for disciplinary proceedings some months earlier. In those circumstances, the close connection test was not met.

Although it did not affect the outcome, in light of the court’s findings, Lord Reed also considered Morrisons’ contention that the DPA excludes the imposition of vicarious liability in relation to data breaches under that Act and for the misuse of private information or breach of confidence – in effect that the DPA is a statutory scheme which “owns the field” in this respect. The Supreme Court rejected this argument, stating that: “the imposition of a statutory liability upon a data controller is not inconsistent with the imposition of a common law vicarious liability upon his employer, either for the breaches of duties imposed by the DPA, or for breaches of duties arising under the common law or in equity.”

Implications of the decision

Data privacy implications

Although this case was argued under the repealed Data Protection Act 1998, it will likely result in a collective sigh of relief for organisations now subject to the GDPR which expressly allows individuals to claim compensation for non-material damages (including distress) caused by non-compliance with the regulation. This is exactly the decision that many organisations wanted. In a world where companies can already be fined up to EUR 20 million or 4% of annual worldwide turnover for non-compliance with the GDPR, there are real fears concerning the potential for additional significant liability under class action claims for data breaches. Many organisations will be comforted by the steps that the Court has now taken to reduce the likelihood of such claims being successful.

However, it is important to caution against too much optimism. The Morrisons case was quite unique because the compensation claim was brought by individuals despite no regulatory action being taken by the ICO at the time of the data leak itself. The decision is no guarantee that similar claims would fail in circumstances where the regulator agrees that there has been a breach of the security requirements under the GDPR, such as has been the case when you look at some of the recent big data breaches we have seen which are starting to result in significant fines from the ICO.

Despite the claim not being successful in this instance, another, perhaps unintended, consequence of the case is that employers will be seriously considering what steps can to taken to mitigate against the risk of rogue employees leaking personal data. This may result in increased employee monitoring in the workplace, with all the data privacy implications that that may entail.

Employment implications

The “close connection” test for rendering an employer vicariously liable for an employee’s actions (as described above) is well established. What has been less clear is how broadly that test should be applied to the facts. For example, it was suggested that the Supreme Court’s ruling in Mohamud v WM Morrison Supermarkets meant that, where an employee’s role involves interacting with customers in some way, an employer might be vicariously liable for the employee’s conduct towards customers even if the employee engages in a wholly different nature of interaction from that envisaged (such as by using force or away from the usual work station) and regardless of motive.

Given there is no ‘reasonable steps’ defence against vicarious liability for torts, employers will welcome today’s ruling which rows back from that liberal interpretation of the test. The Supreme Court has made clear that the mere fact that the job provides the employee with “the opportunity to commit the wrongful act” is not sufficient to impose vicarious liability, nor is the fact that the wrongful act was the culmination of an unbroken temporal or causal chain of events regardless of the employee’s motive. Doing acts of the same kind as those which it is within the employee’s authority to do is not sufficient either.

The test is whether the wrongful act was sufficiently closely connected with what the employee was authorised to do. In Mohamud it was key that the employee was purporting to act on his employer’s business, threatening the customer not to return to the employer’s premises, and not acting to achieve some personal objective. In contrast, in the current case “the employee was not engaged in furthering his employer’s business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier.” The ruling helpfully re-establishes that employers should not be liable for the acts of employees engaged on “frolics” of their own, pursuing their own objectives.

Cyber and data security implications

While the spectre of no fault liability presented by Morrisons has fallen away, there is still a significant risk from fault based claims. ICO is imposing substantial fines upon organisations for inadequate technical and organisational security measures. Claimants are cutting and pasting adverse findings from the ICO into claim forms. Organisations will have to make sure that the measures they are taking are appropriate, which will involve considering many factors including state of the art and the harm that may be caused if the security measures fail.

Class actions implications

Data breach class actions are on the rise in the UK and today’s judgment should be seen as a setback not a roadblock. Funders and claimant firms are looking to build class actions in relation to data breaches even where there is no specific evidence of individual damage. They are seeking damages for the whole class for “distress” or a standardised claim of loss of access to data and even a nominal damages award per claimant could lead to a significant amount over a class of tens or hundreds of thousands. Today’s judgment will not reverse that trend, but it will at least mean that companies who are themselves victims of data breaches by employees will not also face such claims on this basis alone.

The key question for the viability of those claims will be how much a bare data breach is “worth” by way of damages, even if there’s no other loss suffered by the victim. We will have to wait a bit longer now to find that out. The principles applied in misuse of private information cases may be helpful to the courts in considering this issue, given how little case law there is on damages in data protection claims.

Insurance implications

The judgment is good news for corporates and their insurers. The expectation of the courts below had been that insurance was the answer to the point that the judgment effectively helps achieve the rogue employee’s aim – namely to harm Morrisons. Insurers may therefore also be breathing a sigh of relief – but only up to a point. Vicarious liabilities for data breaches by rogue employees are insurable in principle, but these claims are not doomsday for the insurance market. That’s because the main risk for corporates – and therefore insurers – is direct liability claims and related losses, which continue apace on an upwards trajectory.

The good news for concerned corporates is that they can buy cyber insurance to cover data breach claims, whether for direct or vicarious liabilities, as well related losses such as costs of managing the incident, regulatory investigations and loss of profits if systems are impacted. However, risk transfer strategies within corporates vary, and that cover cannot necessarily be banked upon in all cases. The main challenge therefore remains – and is not answered here: how much cover would I need to buy for a reasonable worst case, and is that available at reasonable cost on a good wording. Given that the measure of damages is still unclear, this issue will continue to be wrestled with.

Miriam Everett
Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378
Tim Leaver
Tim Leaver
Partner, Employment, Pensions & Incentives, London
+44 20 7466 2305
Julian Copeman
Julian Copeman
Partner, Disputes, London
+44 20 7466 2168
Greig Anderson
Greig Anderson
Partner, Disputes, London
+44 20 7466 2229
Andrew Moir
Andrew Moir
Partner, Global Head of Cyber Security, London
+44 20 7466 2773
Kate Macmillan
Kate Macmillan
Consultant, Disputes, London
+44 20 7466 3737
Lauren Hudson
Lauren Hudson
Associate, Digital TMT & Data, London
+44 20 7466 2483
Anna Henderson
Anna Henderson
Professional Support Consultant, Employment, Pensions & Incentives, London
+44 20 7466 2819
Maura McIntosh
Maura McIntosh
Professional Support Consultant, Disputes, London
+44 20 7466 2608

The Encryption debate is far from ‘going dark’

Shortly after the release of the communiqué from the most recent ministerial meetings of the ‘Five Countries’ security alliance — Australia, Canada, New Zealand, the UK and the US — at the end of July, we warned that the issue of the use of, and access to, encrypted services and technologies ‘remains front of mind for the alliance and further legislative or regulatory action in the Five Countries may follow’.

This week, It became clear that three of the Five Countries planned to follow through. On 4 October 2019, representatives of the Australian, UK and US governments planned to release:

Continue reading

SHAREHOLDERS ACTIVISM FOCUSES ON PRIVACY ISSUES

  • With privacy issues these days commonly featuring as a board legal agenda item, recent shareholder activity at Amazon has shown that privacy is also at the forefront of shareholders’ minds.
  • A group of Amazon shareholders sought to prevent the company from selling its facial recognition technology because of privacy concerns.
  • Although the Amazon motions were defeated, they demonstrate that shareholders are willing to try and hold companies to account over privacy concerns.
  • The action also highlights a growing trend for interesting and innovative uses of privacy rights and regulation as a tool.

Continue reading

Happy GDPR-versary! Herbert Smith Freehills reflections on a year of GDPR regulation

The GDPR came into effect almost a year ago on the 25 May 2018. As the most significant reform of data protection law in Europe for over 20 years, the legislation raised expectations of a cultural shift in attitude to data privacy. A year on from the fanfare of implementation, this bulletin looks at key aspects of what we have seen and learnt since implementation, and what we can expect for the future.

Enforcement

Although we are still waiting for a ‘GDPR mega fine’, we have seen a EUR 50 million fine levied by the CNIL in France and there have also been some interesting enforcement decisions coming out of Europe in the first 12 months. There have been rumours of a fine matrix being developed by the regulators to help assess the level of fine to be imposed but, for now at least, it remains unclear how fines are calculated and when a ‘mega fine’ may be appropriate.

Interesting enforcement action to note so far includes:

UK: ICO finds HMRC to be in “significant” breach of data protection legislation but does not impose a fine

In May 2019, the ICO found HMRC in the UK to be in “significant” breach of the GDPR by processing special category biometric data (voice recognition data) without a lawful basis. However, instead of imposing a monetary penalty, the ICO issued an enforcement notice requiring HMRC to delete the relevant data by early June 2019. For more information on this enforcement action, see our blog post here.

Belgium: Court of Appeal asks CJEU for GDPR guidance on the ‘one stop shop’

In May 2019, the Belgian Court of Appeal asked the European Court of Justice for help interpreting the application of the GDPR’s ‘one stop shop’ and whether the designation by companies of a lead supervisory authority in Europe precludes any other European supervisory authority from taking enforcement action against that company. The results of the case will either open or close the doors for regulators across Europe to cast aside the one stop shop when looking to enforce GDPR compliance in their home jurisdiction. For more information on this enforcement action, see our blog post here.

Poland: When is it a disproportionate effort to provide a privacy notice?

In April 2019, the Personal Data Protection Office in Poland issued a €220,000 fine to a digital marketing company for breaching its obligations under Article 14 of the GDPR (i.e. to provide a privacy notice to individuals). The decision has some important practical implications for organisations, including that: (i) the collection of publicly-available information from the internet does not relieve you of your obligations under the GDPR; (ii) a significant cost (in this case €8 million) involved with providing privacy notices to individuals is not sufficient to be able to rely on the ‘disproportionate effort’ exemption under Article 14; and (iii) the GDPR is not prescriptive about how individuals must be provided with privacy information but the ‘passive’ posting of a notice on a website is unlikely to be sufficient where the individuals are unaware of the collection of their data. For more information on this enforcement action, see our blog post here.

Germany: German competition regulator takes enforcement action against Facebook for data issues

In a slight move away from privacy regulation, the German competition authority, the Federal Cartel Office, announced the results of its investigation into Facebook in February 2019. The decision highlights the ever increasing tension between competition and privacy regulation. The FCO found that Facebook had a dominant position in the German market for social networks, and abused this with its data collection policy. The FCO did not impose a fine on Facebook, but has instead required Facebook in the future to only use data from non-Facebook sources where it has users’ voluntary consent, the withholding of which cannot be used to deny access to Facebook. For more information on this enforcement action, please see our blog post here.

UK: First extra-territorial enforcement action commenced by the ICO

In October 2018, the UK data protection regulator, the ICO, issued its first enforcement notice under the GDPR. The notice was particularly noteworthy because it was issued against a company located in Canada, which does not have any presence within the EU. Despite the breaches being alleged, the enforcement notice was the first issued by the ICO relying on the extra-territorial provisions of the GDPR under Article 3. For more information on this enforcement action, please see our blog post here.

Guidance

For many companies, a frustrating aspect of GDPR compliance over the last year has been the uncertainty. One year on from GDPR implementation and many questions remain unanswered. But we have now started to see signs that fundamental questions may eventually be answered and new regulatory guidance is starting to drip feed through the process.

Interesting regulatory guidance published over the last year includes:

A global regulation? EDPB guidelines on GDPR’s extra-territoriality provisions

The expansive nature of the GDPR’s extra-territoriality provisions has resulted in many organisations outside of Europe questioning whether or not they are subject to the GDPR regime. The market has eagerly awaited any guidance in respect of how Article 3 of the GDPR should be interpreted, and so the draft EDPB guidance published late last year was welcomed by the data community and the market as whole. However, whilst the draft guidance answered certain questions about the application of the GDPR, it also left a number of gaps and so we are still awaiting the final version of the guidance in the hope that some of those gaps will be closed. For more information on this guidance, see our blog post here.

EDPB guidance on when processing is “necessary for the performance of a contract”

In April 2019, the EDPB published guidance on the ability of online service providers to rely on the fact that processing is necessary for the performance of a contract in order to legitimise their processing of personal data. Although aimed specifically at online services, the guidance will nonetheless be useful for all controller organisations looking to rely on this processing condition. The guidance adopts a fairly narrow approach to interpretation with an objective assessment of “necessity” being required as opposed to relying on what is permitted under or required by the terms of a contract. For more information on this guidance, please see our blog post here.

EDPB opinion on the interplay between GDPR and ePrivacy

With companies having completed their GDPR compliance programmes, thoughts are now turning to the next major piece of European regulation in the data privacy sphere, the proposed ePrivacy Regulation, and how ePrivacy interacts with the GDPR, particularly with respect to cookie consent and email marketing. In March 2019, the EDPB published an opinion on the interplay between GDPR and ePrivacy which, whilst interesting, also confirmed that the whole ePrivacy regime is currently being renegotiated at a European level and the new ePrivacy Regulation could further change the position outlined in the opinion. As such, the opinion itself appears to be of minimal use for companies. For more information on this guidance, please see our blog post here.

What’s still to come?

One year on from GDPR implementation and we’ve seen limited enforcement action and even less regulatory guidance, meaning that companies are still having to try and find their way through compliance without direction. Much remains unknown and unanswered but what can we expect (or hope) from the next 12 months?

Brexit

The Brexit issue rumbles on without much/any clarity or certainty. We know that an adequacy decision for the UK is extremely unlikely in the short term but whether or not an interim transition deal is achievable (including with respect to data protection and data transfers) remains unknown at this stage.

International transfers

Although the results of the EU-US Privacy Shield annual review in 2018 seem to confirm that the Privacy Shield remains intact for the short term, there remain significant uncertainties around the future of other compliant international data transfer mechanisms. In particular, the validity of the so-called Standard Contractual Clauses (“SCCs”) continues to be challenged through the courts which could result in the SCCs being struck down by the CJEU in the same way that the US Safe Harbor was in 2015.

Continuing on the theme of international transfers, we are also still awaiting the publication of updated versions of the SCCs. The current versions still refer to the 1995 Directive instead of the GDPR but cannot be amended for sense without the risk of invalidating them. There are rumours that the EU Commission has started to consider an update, including potentially updating the controller to processor SCCs to include Article 28 obligations. However, we have yet to see anything concrete coming out of Europe.

ePrivacy Regulation

As mentioned above, the ePrivacy Directive is currently being renegotiated and was originally intended to be ready in time for the GDPR implementation. However, the failure of the European institutions to agree on a number of issues has resulted in multiple delays and it now does not look likely that a draft will be agreed before the end of 2019/early 2020, meaning that the situation regarding cookie consent and email marketing is likely to remain uncertain for a considerable period of time.

Enforcement

As noted above, we are still awaiting a GDPR ‘mega fine’ but we also haven’t yet seen much in the way of significant volumes of enforcement action in order to be able to gain any meaningful insights into enforcement. There are rumours of significant enforcement actions in the pipeline from the ICO and the Irish Data Protection Commissioner, and we also know that there have been a number of material personal data breaches since implementation of the GDPR, but we will have to wait and see what happens in year two of GDPR.

Individual rights and data disputes

Although the GDPR provided for enhanced data subject rights for individuals, we have also started to see it being used innovatively as a mechanism by individuals to assert other rights, including human rights and the right to privacy. We have seen Prince Harry assert that a news company’s photograph of him at home was in breach of GDPR, and a claim against the Police for their use of facial recognition technology has recently started in Wales. Going forward, we are therefore likely to see GDPR used as a tool in disputes. For more information about this, please see our blog post here.

Data breach compensation

Perhaps the elephant in the room sits with data breach compensation. In April 2019 the Supreme Court granted Morissons permission to appeal against the Court of Appeal ruling that it was vicariously liable for its employee’s misuse of data, in the first successful UK class action for a data breach. Whilst the date for the Supreme Court’s hearing is still to be confirmed, the appeal is likely to take place during the course of 2020. For more information on the case, please see our blog post here.

New emerging technologies

The age-old issue of technological innovation outpacing the ability of legislation to keep up has reared its head only one year into the GDPR’s lifecycle. Organisations are having to apply the text of the GDPR to scenarios including blockchain technology, connected and autonomous vehicles and AI techniques that simply weren’t envisaged at the time of writing. In this rapidly evolving technological landscape, the need for regularly updated, up-to-the-minute official guidance in respect of these types of scenarios has never been greater but this will be an extremely challenging demand for the regulators to satisfy.

To keep up to date with the latest legal developments as they happen, please subscribe to our data blog here.

Contacts

Miriam Everett
Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378
Claire Wiseman
Claire Wiseman
Senior Associate and Professional Support Lawyer, Digital TMT & Data, London
+44 20 7466 2267
Lauren Hudson
Lauren Hudson
Associate, Digital TMT & Data, London
+44 20 7466 2483

NIS Directive and Regulations now in force

The EU Network and Information Systems Directive (“NISD”) was required to be implemented into national law by 9 May 2018. The UK implementing regulations (the Network and Information Systems Regulations 2018) (“Regulations”) are now in force.

The Regulations impose cyber security standards on operators of essential services (“OES”) and certain digital service providers (“DSPs”) to help ensure that cyber attacks do not damage the wider economy. Continue reading

Data breaches: new Article 29 Working Party guidance

In anticipation of the GDPR, various guidance has been published by the Article 29 Working Party, the body of national EU data regulators.

Of most relevance in the cyber context is the guidance on personal data breach notifications; the Article 29 Working Party issued its initial guidance in October 2017 and published a final version of the guidelines (which remained mostly unchanged) in February 2018.

This guidance relates to the new requirement under the GDPR for all controllers to notify the appropriate data protection authority of a personal data breach, following a cyber attack for example. This will include providing the regulator with a significant amount of information about the breach and marks a change from the previous regime (under the Data Protection Act 1998) where notification to the ICO was not mandatory, although the ICO encouraged notification for serious breaches.

The key areas addressed by the guidance include further clarity on what constitutes awareness of a breach, when notification is and is not required in respect of examples of different types of breaches, when the clock starts running in relation to the 72 hour deadline and how to manage conflicting requirements of the GDPR and those of law enforcement authorities outside of the EU. For further information, a copy of the guidance can be found here.

Continue reading

Internet of Things – ICO’s six reasons why businesses should be thinking about data protection and the DCMS’s Secure by Design Report

In light of the booming market of the Internet of Things (“IoT”) and of the General Data Protection Regulation (“GDPR”), the Information Commissioner’s Office (“ICO”) has published an article focusing on the key factors manufacturers and retailers of IoT devices should be thinking about. This follows the ICO’s draft guidance on data controller and processor liability issued in September last year, which can be found here.

Continue reading

UK Government endorses new data security standards and greater patient control over use of health data

The Department of Health published its Review of Data Security, Consent and Opt-Outs (the “Review”) earlier this year. Incidents such as WannaCry (refer to article above for more detail) have created awareness of the ease and speed with which cyber-attacks can cause widespread disruption and highlight the importance of ensuring that organisations implement strong security standards, particularly in the health care sector. Continue reading

Draft Data Protection Bill published – no major surprises for businesses

Following its Second Reading in the House of Lords, on 22 November 2017 the draft Data Protection Bill (the “Bill”) passed the Committee Stage and will next be considered at the Report Stage on 11 December 2017. The Bill was initially published on 14 September and once finalised it will repeal the current Data Protection Act 1998 (the “DPA”). The Bill implements various national derogations permitted by the GDPR and also extends the GDPR standards to certain areas of data processing outside EU competence. The Bill also provides for the continuation of the Information Commissioner’s role. Continue reading

UK: Limits on employers’ ability to monitor private communications

The Grand Chamber of the European Court of Human Rights’ (ECtHR) ruling in Barbulescu v Romania (61496/08) is a timely reminder of the limits of employers’ ability to monitor their employees’ private activity on work IT systems.

The case concerned an employee’s personal use of a Yahoo Messenger account set up at the employer’s request to be used purely for work messages, and in contravention of an absolute rule prohibiting personal use. The Romanian court found the employee’s dismissal for breach of workplace rules to be fair, concluding that the employer was entitled to check whether its workplace rules had been breached.  The Grand Chamber ruled that, in so doing, the Romanian court had violated the employee’s right to privacy under Article 8 of the European Convention of Human Rights by failing to strike a fair balance between his rights and those of his employer to supervise its employees at work.  The court had failed to give due consideration to relevant factors, in particular the employer’s failure to give adequate notice of the nature of the monitoring.

The ruling highlights the broad interpretation that the ECtHR gives to the term “private life” when applying Article 8 to communications. The fact that a platform is explicitly reserved by an employer for professional communications only does not mean that private communications made on it lose their private status. An employer’s instructions “cannot reduce private social life in the workplace to zero” and accessing such communications is a potential breach of employees’ human rights. This was held to be so even when the employee insisted that he had only engaged in professional communications on the employer’s system.

The ECtHR’s guidance to domestic courts determining whether monitoring breaches Article 8 is also instructive for employers. The ECtHR emphasised that, without clear and advance notice warning of the operation of monitoring and detailing its extent and nature, the monitoring is likely to be unlawful. The guidance also indicates that extreme caution should be used when accessing and using the content of employees’ private communications, and that it should be avoided if at all possible.

Despite the media’s portrayal of the case, Barbulescu has not substantially changed the position on monitoring of communications under UK law (largely contained in the UK Information Commissioner’s Code of Practice on workplace monitoring).

Employers cannot rely on their prohibition of private use of technology alone to justify monitoring employees’ private communications.

If employers feel that they may need to monitor employees’ communications, this must be clearly communicated in advance with full details of what such monitoring entails; in the absence of such notice, monitoring is likely to be unlawful. Even in cases where employees have been notified of a monitoring program, the implementation of such a program must be considered carefully. Monitoring should occur only when strictly necessary and to a proportionate extent. Accessing the content of communications is more intrusive than mere monitoring of flow, and the test for whether this is lawful is commensurately stricter.

In addition to complying with data protection and interception laws, these steps will be important to avoid an employee claiming constructive unfair dismissal on the ground that the employer’s monitoring breached the implied duty of trust and confidence. They will also maximise the prospects of the employer being able to adduce the evidence obtained from monitoring at tribunal should a claim be brought.

See our Litigation blog post here for a more detailed discussion of the ruling.

Anna Henderson
Anna Henderson
Consultant, Employment, Pensions and Incentives, London
+44 20 7466 2819
Peter Frost
Peter Frost
Partner, Employment, Pensions and Incentives, London
+44 20 7466 2325
Andrew Taggart
Andrew Taggart
Partner, Employment, Pensions and Incentives, London
+44 20 7466 2434
Tim Leaver
Tim Leaver
Partner, Employment, Pensions and Incentives, London
+44 20 7466 2305
Christine Young
Christine Young
Partner, Employment, Pensions and Incentives, London
+44 20 7466 2845
Jemima Coleman
Jemima Coleman
Professional Support Lawyer, Employment, Pensions and Incentives, London
+44 20 7466 2116