China – Cyber security and data protection April round up

The financial regulators have continued to increase their efforts to develop and protect financial data. The People’s Bank of China released new standards on enhancing the data capability of financial institutions. Further, several banks were penalized for violating data protection rules in relation to processing of personal information.

MIIT has maintained its focus on its push for data protection in mobile apps remain. In addition to drafting a dedicated regulation for data protection for mobile apps, the MIIT and its local branches have run continuous enforcement campaigns against data privacy violations made by mobile app operators.

Regulatory developments

1. New guidelines issued for financial industry data capacity building

On 9 February, the People’s Bank of China (PBC) issued the Guidelines for Financial Industry Data Capability Building. The Guidelines specify the division of data strategy, data governance, data architecture, data specification, data protection, data quality, data application, and data life cycle management capabilities. The guidelines aim to provide basis for financial institutions to carry out data work, guide financial institutions to strengthen data strategic planning, focus on data governance, and strengthen data security protection.

2. General Requirements for the Safety of Critical Cyber Equipment

On 20 February, the State Administration for Market Regulation and the Standardization Administration approved seven mandatory national standards (including a telecommunications mandatory national standard) and made one amendment to the General Requirements for Safety of Critical Cyber Equipment, which will come into force on 1 August 2021. These requirements (including security function and security protection requirements) serve as important standards for the implementation of the Cybersecurity Law relating to security requirements of critical cyber equipment There are 10 parts to the security function requirements which focuses on ensuring and improving the security technology capabilities of devices. They are, device identification security, redundant backup recovery and abnormal detection, vulnerability and malicious program prevention, pre-installed software start up and update security, user identification and authentication, access control security, log audit security, communication security, data security and password requirements. Separately, security protection requirements focus on standardizing the security capability of critical cyber equipment providers throughout the equipment life cycle.

3. Five draft standards on national information security technology released for public comments

On 3 February, the Secretariat of the National Information Security Standardization Technical Committee (NISSTC) issued two draft standards on instance message service and express logistics for public comments. Further, on 24 February, NISSTC issued three draft standards on online shopping services, internet payment services and online audio and video services, for public comments. This series of standards set requirements for the type, scope, methods, conditions, and data security protection of data collection, storage, use, transfer and delete. They also provide examples of data classification and guidance for the operators to regulate data activities and for supervision authority and third-party assessment agencies to carry out supervision, management and assessments.

4. New rules on app governance to strengthen personal information protection to be published

On 7 February, the Ministry of Industry and Information Technology (MIIT) announced that it has been drafting the interim provisions on personal information protection of apps. The provisions will define the basic principles of informed consent and minimum necessary personal information protection. The principle of informed consent requires that for app-related personal information processing activity, the entities (i.e. entity processing the data) should inform users of the rules of personal information processing in a clear and easy to understand manner, and the user should voluntarily make clear their consent. The minimum necessary principle requires that there shall be clear and reasonable consent during the personal information processing, and it shall not go beyond the scope of users’ consent or unrelated to service scenarios.

Enforcement developments

1. Second group of apps 2021 declared to be infringing users’ rights released, 11th group in total

On 5 February, MIIT published a notification on apps which violated user rights by the misuse of microphones, address books and photo albums. It noted that 26 apps had failed to take the necessary rectification measures, with the deadline for doing so being 10 February. If rectification is not made within the time limit, MIIT will organize and carry out relevant disposal work in accordance with laws and regulations. The issues with the apps were due to violations of mobile phone personal information, frequent and excessive requests for permissions, making mandatory for users to use the targeted push notification function, and inadequate indication to users of app information on the application distribution platform.

2. 37 apps in violation of user rights were removed from the app store

On 3 February, MIIT announced that it had removed 37 apps from the app store that violated user rights and failed to take necessary rectification measures. The removed apps collect personal information beyond the necessary scope and were involved in other issues that violated user rights. To recap, MIIT has carried out special rectification actions for two consecutive years against apps that illegally handled users’ personal information. In addition, MIIT also announced that it will strengthen rectification efforts by promoting the development of relevant standards, and actively applying new technologies such as artificial intelligence and big data to promote the construction of a national app technology testing platform.

3. Guangdong Communications Administration ordered to rectify 215 apps infringing users’ rights

On 22 February, Guangdong Communications Administration notified 215 apps that required rectification. The type of apps can be divided into 13 categories, which include, games, shopping, social networking, financial management, etc. Of the 215, 116 of them have cybersecurity issues. The infringement on user rights and interests include: (1) failing to specify the purpose, method, and scope of personal information collected and used by the third-party SDK integrated by the apps in the privacy policy; (2) applying for terminal permission in advance before the user has read and agreed to the privacy policy; (3) applying for opening address book, location, SMS, recording, camera in advance when users are not using relevant functions or services; (4) no effective account cancellation function provided and no cancellation guidance on the privacy policy nor on the actual platform.

4. Two financial institutions fined for illegal processing of personal information

On 2 February, according to the administrative penalty information form released by the business management department of PBC, Beijing Guoxu Small Loan Co., Ltd. was fined 160,000 yuan for dislcosing personal information without notifying the data subject. . Further, Xinhan Bank (China) Co., Ltd. was fined 570,000 yuan for inquiring about personal credit information without consent, and the relevant person in charge was also fined 114,000 yuan.

5. ICBC Liaocheng branch was fined 36,000 yuan for data breach

On 18 February, according to the announcement of the PBC Liaocheng branch, Liaocheng branch of ICBC was fined 36,000 yuan for inquiring about personal information without the consent of the data subject. Wang Hongqing, the general manager of bank card center, the person in charge, was also fined 8,000 yuan.

6. Liaoning Branch of Bank of China was fined for failing to collect and use consumers’ personal financial information as required

On 3 February, the administrative penalty information published by the Shenyang Branch of PBC showed that the Liaoning Branch of the Bank of China which had five counts on data protection violations, was fined 1.147 million yuan. . The violations included, among other things, failure to collect and use consumer personal financial information as required.

7. Qianbao Pay was punished for failing to keep customer identity information as required

On 24 February, according to the administrative penalty information publicity form published by the Chongqing Business Management Department of PBC, Chongqing Qianbao Technology Service Co., Ltd. which had 10 counts of data protection violations was fined 8.68 million yuan. These violations included failure to keep customer identity information as required. The company’s deputy general manager and chief compliance officer, and other five relevant persons were also jointly fined, ranging from a warning to a fine between50,000 to 135,000 yuan. The company’s violations in personal information protection and data security related to them in the midst of ensuring consistency of transaction information in the whole payment process, they had failed to perform the customer identification obligations and retain the required customer’s identity.

8. Maimai was convicted of infringement for sending text messages to unregistered users

On 7 February, Beijing Haidian District Court announced the judgment of Maimai’s infringement of data privacy. In brief, it was found that the Maimai’s website operated by Beijing Taoyou Tianxia Technology Development Co., Ltd., had sent text messages to users in the name of a friend without the user’s permission. It disclosed the user’s real name, and included a message that certain former colleagues have identified the user and many friends are waiting for them to join via a link .When the user clicks the link, the webpage will direct them to the registration page of Maimai’s website. The user subsequently sued Maimai at court by claiming for specific performance including for the website to cease the infringement of his privacy, permanently deleting his personal information, and publishing an apology statement on China Consumer News. The Beijing Haidian District Court found that the defendant’s actions illegally obtained and retained the plaintiff’s personal information such as mobile phone contact information, personal information of the plaintiff’s friend and resume. Further, Maimai had sent unsolicited messages for commercial gain to the plaintiff without consent, which disturbed the plaintiff’s right of peace and privacy. The judgment awarded all the claims of the plaintiff.

Industry developments

1. The National Information Security Standardization Technical Committee released the key action pointsfor 2021

On 25 February, the National Information Security Standardization Technical Committee released the key action points for in 2021, covering seven categories including focusing on the urgent need of national network security work and improving the effective supply of standards. The document points out that it will further develop national standards for network security in the fields of industrial Internet, blockchain, artificial intelligence and algorithms, Internet of things and digital currency, prepare white papers or research reports on network security standardization such as 5G security, face recognition security and network security talents, as well as practical guidelines for data classification and classification and data sharing security.

2. The National Equity Exchange and Quotations Company participated in the 11th joint emergency drill on network security

On 27 February, according to the Circular of the China Securities Regulatory Commission on the 11th joint emergency drill on network security of securities and futures industry, the National Equity Exchange and Quotations Company participated in the joint emergency drill on network security. Other participants included China Securities Depository and Clearing Corporation Limited, Shenzhen Securities Communication Co., Ltd., China Securities Index Co., Ltd. and other host securities companies.

International developments

1. EDPB held the 45th plenary session and adopted a wide range of documents

On 2 February, the European Data Protection Board held the 45th plenary session. It adopted a statement on the draft provisions on a protocol to the Cybercrime Convention, recommendations on the adequacy referential under the Law Enforcement Directive (LED), an opinion on the draft Administrative Arrangement (AA) for transfers of personal data between the Haut Conseil du Commissariat aux Comptes (H3C) and the Public Company Accounting Oversight Board (PCAOB), and response to the European Commission questionnaire on processing personal data for scientific research, focusing on health related research. EDPB also had an exchange of views on Whatsapp’s recent Privacy Policy update.

2. EDPS published Opinions on the Digital Services Act and the Digital Markets Act

On 10 February, the European Data Protection Supervisor (EDPS) published Opinions on the Digital Services Act and the Digital Markets Act. It aims to protect individuals’ fundamental rights, including the data protection. For the Digital Services Act, EDPS recommended additional measures to better protect individuals in relation to content moderation, online targeted advertising and recommender systems used by online platforms, such as social media and marketplaces. For the Digital Markets Act, it recommended regulating large online platforms, to promote fair and open digital markets and the fair processing of personal data, to foster competitive digital markets to provide individuals additional choices..

3. German adopted draft law on data protection in telecommunications and telemedia

On 10 February, German Federal Cabinet adopted the draft law on data protection and the privacy protection in telecommunications and telemedia. It plans to replace the existing provisions of the Telecommunications Act 2004 and the Telemedia Act 2007, and implement the Directive on Privacy and Electronic Communications (2002/58/EC). The draft includes provisions on the confidentiality of communications, location data, caller ID display and suppression, end-user directories, technical and organisational precautions, consent for storage of information in terminal equipment, and penalties.

4. Vietnam released the Draft Decree on Personal Data Protection for public comments

On 9 February, the Ministry of Public Security (MPS) of Vietnam released the second version of the Draft Decree on Personal Data Protection. It plans to set more robust rules and provide provisions on data subjects’ specific rights, cross-border transfer of data, and processing of sensitive personal data. Violation may cause temporary suspension of operation, revocation of permission for cross-border data transfer and monetary fines.

5. Virginia passed the Consumer Data Protection Act

On 2 March, the Virginia Consumer Data Protection Act (CDPA) was signed by the governor and will come into effect on 1 January 2023. The CDPA establishes rights for Virginia consumers to control how companies use individuals’ personal data. It stipulates that companies shall protect personal data in their possession and respond to consumers exercising their rights.

6. Danish Data Protection Authorities published Quickguide for setting cookies

On 12 February, the Council for Digital Security, the Danish Business Authority and the Danish Data Protection Agency published a Quickguide for the use of cookies. The Quickguide can be used as a checklist for organizations that set cookies, guiding them on how to comply with both the e-Privacy Directive’s rules for the placement of cookies and the Data Protection Regulation’s rules for the processing of personal data in associated with it.

7. UK ICO published Toolkit for data analytics

On 17 February, the Information Commissioner’s Office of UK (ICO) published Toolkit for organisations considering using data analytics. It aims to help recognise risks to individuals’ rights and freedoms created by the use of data analytics, from the beginning of data analytics project lifecycle. The Toolkit begins by asking questions to determine the legal regime, including lawfulness, accountability and governance, the data protection principles, and data subject rights. It will then produce a report containing tailored advice for the specific data analytics project.

Mark Robinson
Mark Robinson
Partner, Singapore
+65 6868 9808
Nanda Lau
Nanda Lau
Partner, Mainland China
+86 21 2322 2117
James Gong
James Gong
Of Counsel, Mainland China
+86 10 6535 5106

The not so mega ‘mega fine’: ICO fines British Airways £20 million for its 2018 data breach

  • The ICO has fined British Airways £20 million for breach of the GDPR in relation to its 2018 data breach.
  • This is a significant reduction in the original proposed fine of £183 million.
  • In the monetary penalty notice issued to British Airways, the ICO has confirmed that the reduction of almost 90% was only partially influenced by the effects of COVID-19 on the financial position of British Airways.
  • In contrast, the vast majority of the reduction appears to come as a result of the ICO having taken into account BA’s representations following its notice of intent, combined with a change of approach by the ICO which meant less of a focus on turnover as the driving factor in calculating fines.
  • The ICO has also published details of the specific GDPR infringements committed by British Airways which have been limited to breach of the integrity and confidentiality principle in Article 5 and the security obligations in Article 32 GDPR.
  • The moral of the story appears to be that it can be commercially worthwhile for controllers to push back robustly against any notice of intent.


As we reported here, in July 2019 the Information Commissioner’s Office (“ICO”) published a notice of its intent to fine British Airways a staggering £183 million for infringement of the General Data Protection Regulation (GDPR) as a result of its 2018 data breach where the personal data of around 500,000 British Airways customers was stolen by hackers.

Importantly, this was a notice of intent and not a final concluded fine. The Data Protection Act 2018 sets a strict deadline of six months for the ICO to convert this into a fine, although this period may be extended if the ICO and the proposed recipient of the fine agree to an extension. Multiple times the ICO and British Airways took advantage of this extension mechanism so that the final Penalty Notice was only published on 16 October 2020, more than a year after the initial notice of intent.

At the time, no reasons for any of the extensions were offered by either side, although it was understood from International Airline Group’s (IAG, British Airway’s parent company) Annual Report and Accounts 2019, and has now been confirmed by the final Penalty Notice, that British Airways made extensive representations to the ICO regarding the proposed fine and that there were multiple further information requests. The impact of COVID-19 also likely had its part to play in the extension.

At the time of the initial notice of intent, the proposed British Airways fine was touted as the first ‘mega fine’ to be issued by a European data regulator since the implementation of the GDPR. The biggest data protection fine previously issued by the ICO was £500,000, the maximum possible under the old legislation.

The first GDPR ‘mega’ fine: not so ‘mega’: a reduction of almost 90%

The ICO finally issued its Penalty Notice to British Airways on 16 October 2020, fining British Airways £20 million. While still the largest ICO fine to date, this is a significant reduction of almost 90% from the original figure of £183.39 million.

Although the Penalty Notice refers in a couple of places to the original intended fine of £183.39 million, very little is said in the notice regarding why exactly, the final fine has been reduced by such a significant amount. Instead, the notice effectively appears to start from scratch in calculating the final level of fine, taking into account the following factors in accordance with Article 83 GDPR and the ICO’s Regulatory Action Policy:

  • Financial Gain: BA did not gain any financial benefit or avoid any losses directly or indirectly as a result of the breach.
  • Nature and Gravity: The ICO considered the nature of the failures to be serious, affecting a significant number of individuals for a significant period of time (103 days).
  • Culpability: Although the breach was a not an intentional or deliberate act on the part of BA, the ICO found BA to be negligent.
  • Responsibility: The ICO found BA to be wholly responsible for the breaches of Articles 5 and 32 GDPR.
  • Previous Actions: BA had no relevant previous infringements or failures to comply with past notices.
  • Cooperation: BA fully cooperated with the ICO’s investigation.
  • Categories of Personal Data: Although no special category data was affected, the nature of the data, in particular payment card data, was nonetheless sensitive.
  • Notification: BA acted promptly in notifying the ICO of the attack.

Taking into account all of these factors above, the ICO considered that a penalty of £30 million would be appropriate starting point to reflect the seriousness of the breach, and the need for the penalty to be effective, proportionate and dissuasive in the context of BA’s scale and turnover. So far, there is no obvious reason why the fine is so much lower than the notice of intent.

The ICO did not consider there to be any aggravating factors to apply in order to increase the penalty and further did not consider it necessary to increase the penalty in order for it to be ‘dissuasive’.

Turning to any potential downwards adjustment, the ICO considered a 20% downwards adjustment (£6 million) to be appropriate, taking into account various mitigating factors, including:

  • The immediate steps to mitigate and minimise any damage to data subjects;
  • BA’s prompt notification of the breach to data subjects and relevant regulatory authorities;
  • The broad press coverage as a result of the attached will have likely raised awareness with other controllers of potential risks; and
  • The adverse effect on BA’s brand and reputation.

Finally, the ICO also explicitly acknowledged that the impact of COVID-19 on British Airways was taken into account when determining the level of the final fine, although this only accounted for a further £4 million downwards adjustment and does not therefore account for the vast majority of the reduction.

Details of the GDPR infringements

In its final Penalty Notice, the ICO focussed on BA’s breach of Article 5(1)(f) GDPR – the integrity and confidentiality principle – and Article 32 GDPR – security of processing. The previous notice of intent, had also found BA to be in breach of Article 25 GDPR – data protection by design and by default – but this was dropped in the final Penalty Notice.

From a penalty perspective, it is also interesting that the ICO rejected BA’s claims that the maximum fine should be 2% because of the conflict between breach of Article 5 (attracting a maximum 4% fine) and breach of Article 32 (attracting a maximum 2% fine) meaning that the principal of lex specialis should apply with the specific provision of Article 32 overriding the general provision of Article 5. The ICO instead found that the two provisions were distinct even if they did overlap, although it is fair to note that it made no difference in the context of the level of fine imposed in the end (which was significantly less than both 4% and 2% of annual worldwide turnover).

With respect to its security obligations, the ICO found that British Airways had “weaknesses in its security” that could have been prevented with security systems, procedures and software that were available at the time. None of the measures would have entailed excessive cost or technical barriers for British Airways, with some available through the Microsoft Operating System used by British Airways. Some of the numerous measures British Airways could have used to mitigate or prevent the risk of the attack include:

  • limiting access to applications, data and tools to only that which are required to fulfil a user’s role;
  • undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’ systems; and
  • protecting employee and third party accounts with multi-factor authentication, external public IP address whitelisting, and IPSec VPN.

The attack path that the hackers used in the ICO’s view exposed a number of failings on the part of British Airways. The hackers were able to gain access to an internal British Airways application through the use of compromised credentials for a Citrix remote access gateway. The hackers were then able to break out of the Citrix environment and could then gain broader access to the wider British Airways network. Once there, the attacker was able to move laterally across the network, culminating in the editing of a Javascript file on British Airway’s website. This allowed the attacker to intercept and exfiltrate cardholder data from British Airway’s website to an external third-party domain which was controlled by the attacker.

One particular area of focus for the ICO was British Airway’s practice of storing credentials within batch scripts. The ICO did not accept British Airway’s submissions that this “aided functionality” or was “standard practice” and stuck to its position that this was not acceptable and there were other secure ways to achieve the same objectives.

As a result, the ICO was “satisfied that BA failed to put in place appropriate technical or organisational measures to protect the personal data being processed on its systems, as required by the GDPR“.

What is next?

British Airways must pay the fine to the ICO or exercise its right to appeal to the First-tier Tribunal in the General Regulatory Chamber within 28 days of the Penalty Notice. Interestingly, the Penalty Notice does not refer to the availability of any further discount for prompt payment, with such discount usually being lost if the fine is appealed. This may normally suggest that BA has agreed to settle with the ICO, although the Penalty Notice is clear that BA does not admit liability for breach of the GDPR.

There is also the potential that British Airways could face a fine or reprimand under the Payment Card Industry Data Security Standard (PCI-DSS) in relation to its collection and processing of payment card data. PCI-DSS compliance is required by all organisations which accept, process, store and/or transmit debit and credit cards. However, fines under PCI-DSS are not publicly available so it is unlikely it will be public knowledge if a PCI-DSS fine is levied against British Airways.

In conclusion, this is perhaps not the first ‘mega fine’ or tough GDPR enforcement from the ICO that commentators were expecting, but it is still a step in that direction and with some interesting guidance regarding the way in which the ICO may approach the calculation of fines (and enforcement more generally) in the future.

Miriam Everett
Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378
Andrew Moir
Andrew Moir
+44 20 7466 2773
Chloe Kite
Chloe Kite
Associate, Digital TMT, Sourcing and Data, London
+44 20 7466 2540
Elena Hogg
Elena Hogg
Associate, London
+44 20 7466 2590

High GDPR fine issued but not for a data security breach

The Hamburg data protection regulator in Germany has issued a fine of €35.3 million against retail firm H&M for breaches of the GDPR relating to the excessive and unlawful collection of employee data. Interestingly, although the fine is the highest yet levied by a German regulator, it did not relate to a data security breach, which is how we have to date seen the biggest fines originating. In comparison to multiple high profile ongoing enforcement investigations in the UK and Ireland, the investigation in Germany has also been concluded at relatively high speed, in just under a year.


H&M is registered in Hamburg and operates a service centre in Nuremberg. Since at least 2014, according to the Hamburg regulator’s investigation, parts of the workforce have been subject to extensive recording of details about their private lives.

After absences such as vacations and sick leave the supervising team leaders conducted so-called Welcome Back Talks with their employees. After these talks, comprehensive details of the employees holiday experiences or illness and diagnosis (in the case of sickness absence) would be recorded. In addition, some supervisors recorded personal information ranging from rather harmless details to family issues and religious beliefs as a result of casual and informal conversations with employees.

The recorded information was accessible by up to 50 other managers throughout the company and the information was used to create a detailed profile of individual employees and sometimes used to make employment-related decisions.

The excessive and unlawful collection of employee data came to light towards the end of October 2019 when a configuration error meant that the data became accessible company-wide for several hours. The Hamburg regulator was informed about the data collection through press reports and proactively issued an order for the contents of the network drive to be “frozen” and then demanded it to be handed over. The company complied and submitted a data record of around 60 gigabytes for evaluation.

Despite the company’s full cooperation with the investigation, and its offer to compensate affected employees – actions which the regulator acknowledged as being an unprecedented acknowledgement of corporate responsibility following a data protection incident – the regulator considered that the seriousness of the breach warranted a significant fine (although not as significant as it appears it could have been according to the German authorities’ fine calculation model).

Practical Implications

We have set out below some key takeaways from this enforcement action:

  • Be warned that significant fines are not only reserved for security incidents – there are many ‘breaches’ of the GDPR that could potentially result in a fine of up to 4% of annual worldwide turnover;
  • Make sure that your HR and privacy functions are joined up and that HR personnel are properly trained in data protection issues – the HR function is a naturally data heavy part of any organisation;
  • Even within the HR function itself, ensure that personal data is only accessible to personnel on a need to know basis;
  • Keep the data minimisation principal front of mind and only collect data that is necessary; and
  • Full cooperation with the regulator could lead to a reduced fine but will not absolve an organisation of regulatory liability.
Miriam Everett
Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378

Morrisons wins Supreme Court appeal against finding of vicarious liability in data breach class action

Today the Supreme Court handed down its decision in Wm Morrisons Supermarkets Plc v Various Claimants [2020] UKSC 12, bringing to its conclusion a case which had the potential to alter significantly the data protection and cyber security litigation and class action landscape.

The headline news is that Morrisons has been found not to be vicariously liable for the actions of a rogue employee in leaking employee data to a publicly available file-sharing website.

The judgment will likely result in a collective sigh of relief for organisations who have been watching closely to track their potential liability for data breach class actions. However, it is important to note that the Morrisons case and judgment is very fact specific; it does not close the door on data breach class action compensation as a whole. Boardrooms should still be examining the technical and organisational measures they have in place to prevent personal data breaches in order to reduce the risk of regulatory enforcement and class actions.


In 2015 a former Morrisons employee was found guilty of stealing and unlawfully sharing the personal data (including names, addresses, bank account details, salary and national insurance details) of almost 100,000 of Morrisons’ employees with members of the press and with data sharing websites. At the time, the ICO investigated and found no enforcement action was required with respect to Morrisons’ compliance with the Data Protection Act 1998 (“DPA”).

Nevertheless, around 5,000 Morrisons employees brought a claim for damages – irrespective of the fact that they had not suffered any financial loss. Instead, the employees claimed that Morrisons was vicariously liable for the criminal acts of its employee and for the resulting distress caused to the relevant employees.

For full details of the background to the High Court and Court of Appeal arguments, please see our previous Morrisons data protection briefing. Following the conclusion of the Court of Appeal case, the Supreme Court subsequently granted leave to appeal, which led to a two day hearing in November 2019 and, ultimately, the judgment handed down today.


The Supreme Court overturned the Court of Appeal’s decision, finding that Morrisons was not vicariously liable for the employee’s unlawful actions. Lord Reed gave the judgment of the court, with which Lady Hale, Lord Kerr, Lord Hodge and Lord Lloyd-Jones agreed.

Lord Reed concluded that the courts below had misunderstood the principles of vicarious liability, and in particular had misinterpreted the Supreme Court’s judgment on vicarious liability in Mohamud v WM Morrison Supermarkets plc [2016] UKSC 11. That judgment was not intended to change the law on vicarious liability, but rather to follow existing authority including, importantly, Dubai Aluminium Co Ltd v Salaam [2002] UKHL 48.

In Dubai Aluminium, Lord Nicholls identified the general principle that applies when the court considers the question of vicarious liability arising out of an employment relationship: the wrongful conduct must be so closely connected with acts the employee was authorised to do that, for the purposes of the liability of the employer to third parties, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment.

Applying that test, vicarious liability was not established in this case. The Supreme Court found that the employee’s wrongful conduct was not so closely connected with the acts he was authorised to do that, for the purposes of assessing Morrisons’ liability, it could fairly and properly be regarded as being done in the ordinary course of his employment.

Lord Reed referred to the distinction drawn by Lord Nicholls in Dubai Aluminium between cases “where the employee was engaged, however misguidedly, in furthering his employer’s business, and cases where the employee is engaged solely in pursuing his own interests: on a ‘frolic of his own’, in the language of the time-honoured catch phrase.”

In the present case, he said, it was clear that the employee was not engaged in furthering Morrisons’ business when he committed the wrongdoing in question. On the contrary he was pursuing a personal vendetta against the company, seeking revenge for disciplinary proceedings some months earlier. In those circumstances, the close connection test was not met.

Although it did not affect the outcome, in light of the court’s findings, Lord Reed also considered Morrisons’ contention that the DPA excludes the imposition of vicarious liability in relation to data breaches under that Act and for the misuse of private information or breach of confidence – in effect that the DPA is a statutory scheme which “owns the field” in this respect. The Supreme Court rejected this argument, stating that: “the imposition of a statutory liability upon a data controller is not inconsistent with the imposition of a common law vicarious liability upon his employer, either for the breaches of duties imposed by the DPA, or for breaches of duties arising under the common law or in equity.”

Implications of the decision

Data privacy implications

Although this case was argued under the repealed Data Protection Act 1998, it will likely result in a collective sigh of relief for organisations now subject to the GDPR which expressly allows individuals to claim compensation for non-material damages (including distress) caused by non-compliance with the regulation. This is exactly the decision that many organisations wanted. In a world where companies can already be fined up to EUR 20 million or 4% of annual worldwide turnover for non-compliance with the GDPR, there are real fears concerning the potential for additional significant liability under class action claims for data breaches. Many organisations will be comforted by the steps that the Court has now taken to reduce the likelihood of such claims being successful.

However, it is important to caution against too much optimism. The Morrisons case was quite unique because the compensation claim was brought by individuals despite no regulatory action being taken by the ICO at the time of the data leak itself. The decision is no guarantee that similar claims would fail in circumstances where the regulator agrees that there has been a breach of the security requirements under the GDPR, such as has been the case when you look at some of the recent big data breaches we have seen which are starting to result in significant fines from the ICO.

Despite the claim not being successful in this instance, another, perhaps unintended, consequence of the case is that employers will be seriously considering what steps can to taken to mitigate against the risk of rogue employees leaking personal data. This may result in increased employee monitoring in the workplace, with all the data privacy implications that that may entail.

Employment implications

The “close connection” test for rendering an employer vicariously liable for an employee’s actions (as described above) is well established. What has been less clear is how broadly that test should be applied to the facts. For example, it was suggested that the Supreme Court’s ruling in Mohamud v WM Morrison Supermarkets meant that, where an employee’s role involves interacting with customers in some way, an employer might be vicariously liable for the employee’s conduct towards customers even if the employee engages in a wholly different nature of interaction from that envisaged (such as by using force or away from the usual work station) and regardless of motive.

Given there is no ‘reasonable steps’ defence against vicarious liability for torts, employers will welcome today’s ruling which rows back from that liberal interpretation of the test. The Supreme Court has made clear that the mere fact that the job provides the employee with “the opportunity to commit the wrongful act” is not sufficient to impose vicarious liability, nor is the fact that the wrongful act was the culmination of an unbroken temporal or causal chain of events regardless of the employee’s motive. Doing acts of the same kind as those which it is within the employee’s authority to do is not sufficient either.

The test is whether the wrongful act was sufficiently closely connected with what the employee was authorised to do. In Mohamud it was key that the employee was purporting to act on his employer’s business, threatening the customer not to return to the employer’s premises, and not acting to achieve some personal objective. In contrast, in the current case “the employee was not engaged in furthering his employer’s business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier.” The ruling helpfully re-establishes that employers should not be liable for the acts of employees engaged on “frolics” of their own, pursuing their own objectives.

Cyber and data security implications

While the spectre of no fault liability presented by Morrisons has fallen away, there is still a significant risk from fault based claims. ICO is imposing substantial fines upon organisations for inadequate technical and organisational security measures. Claimants are cutting and pasting adverse findings from the ICO into claim forms. Organisations will have to make sure that the measures they are taking are appropriate, which will involve considering many factors including state of the art and the harm that may be caused if the security measures fail.

Class actions implications

Data breach class actions are on the rise in the UK and today’s judgment should be seen as a setback not a roadblock. Funders and claimant firms are looking to build class actions in relation to data breaches even where there is no specific evidence of individual damage. They are seeking damages for the whole class for “distress” or a standardised claim of loss of access to data and even a nominal damages award per claimant could lead to a significant amount over a class of tens or hundreds of thousands. Today’s judgment will not reverse that trend, but it will at least mean that companies who are themselves victims of data breaches by employees will not also face such claims on this basis alone.

The key question for the viability of those claims will be how much a bare data breach is “worth” by way of damages, even if there’s no other loss suffered by the victim. We will have to wait a bit longer now to find that out. The principles applied in misuse of private information cases may be helpful to the courts in considering this issue, given how little case law there is on damages in data protection claims.

Insurance implications

The judgment is good news for corporates and their insurers. The expectation of the courts below had been that insurance was the answer to the point that the judgment effectively helps achieve the rogue employee’s aim – namely to harm Morrisons. Insurers may therefore also be breathing a sigh of relief – but only up to a point. Vicarious liabilities for data breaches by rogue employees are insurable in principle, but these claims are not doomsday for the insurance market. That’s because the main risk for corporates – and therefore insurers – is direct liability claims and related losses, which continue apace on an upwards trajectory.

The good news for concerned corporates is that they can buy cyber insurance to cover data breach claims, whether for direct or vicarious liabilities, as well related losses such as costs of managing the incident, regulatory investigations and loss of profits if systems are impacted. However, risk transfer strategies within corporates vary, and that cover cannot necessarily be banked upon in all cases. The main challenge therefore remains – and is not answered here: how much cover would I need to buy for a reasonable worst case, and is that available at reasonable cost on a good wording. Given that the measure of damages is still unclear, this issue will continue to be wrestled with.

Miriam Everett
Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378
Tim Leaver
Tim Leaver
Partner, Employment, Pensions & Incentives, London
+44 20 7466 2305
Julian Copeman
Julian Copeman
Partner, Disputes, London
+44 20 7466 2168
Greig Anderson
Greig Anderson
Partner, Disputes, London
+44 20 7466 2229
Andrew Moir
Andrew Moir
Partner, Global Head of Cyber Security, London
+44 20 7466 2773
Kate Macmillan
Kate Macmillan
Consultant, Disputes, London
+44 20 7466 3737
Lauren Hudson
Lauren Hudson
Associate, Digital TMT & Data, London
+44 20 7466 2483
Anna Henderson
Anna Henderson
Professional Support Consultant, Employment, Pensions & Incentives, London
+44 20 7466 2819
Maura McIntosh
Maura McIntosh
Professional Support Consultant, Disputes, London
+44 20 7466 2608

Game changer for cyber/data breach cases opens in Supreme Court: WM Morrisons Supermarkets Plc v Various Claimants

The Supreme Court in England has two issues to consider in the appeal which opens today. First, should the company be held to be vicariously liable for the acts of its employee in this case? It concerns, after all, a rogue employee, who took payroll data with which he was entrusted home on a USB stick and uploaded it onto a file sharing website. The company was a victim; the employee motivated by a grudge against it. He was convicted of crimes and sentenced to 8 years imprisonment. If the answer to this question is yes, business says it places a huge burden on it, at a time when the cyber incident insurance market is still developing. What are the consequences in practice for how business should monitor and carry out surveillance of employees? Should employers never let employees handle special types of personal data alone? Should employers monitor employees’ laptops routinely, or only if they suspect misuse of personal data?

The second issue is the extent to which data protection law “owns” the field in terms of remedies. Can claimants rely on other causes of action in data breach cases? Does the Data Protection Act 1998 prevent the application of vicarious liability to a breach of the Act?  Does it exclude the application of the tort of misuse of private information or the equitable doctrine of breach of confidence to breaches of that Act?

If the claim against Morrisons is ultimately successful, there will be a further hearing to consider the quantum of damages, and the all-important question of what damages should be awarded for the distress associated with a data breach where there is no other tangible loss.

Andrew Moir, head of Herbert Smith Freehills’ global cyber security practice commented: “If the Court of Appeal’s decision stands it will likely pave the way for future data breach related class actions – even if the individual quantum is modest, the numbers of individuals affected by data breaches is often significant enough to make such claims viable”.

The judges hearing the case are: Lady Hale, Lord Reed, Lord Kerr, Lord Hodge, Lord Lloyd-Jones.

Kate Macmillan, a consultant in our cyber security team, is attending the Supreme Court today and will be reporting live on the submissions.  You can follow her here.

Andrew Moir
Andrew Moir
Partner and Global Head of Cyber Security, London
+44 20 7466 2773
Miriam Everett
Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378
Christine Young
Christine Young
Partner, London
+44 20 7466 2845
Greig Anderson
Greig Anderson
Partner, London
+44 20 7466 2229
Kate Macmillan
Kate Macmillan
Consultant, London
+44 20 7466 3737

Storming the Breaches: DCMS releases Cyber Security Breaches Survey 2019

Cyber-attacks are a continuous threat to both businesses and charities. From the Cyber Security Breaches Survey 2019 (available here as a PDF), we can see that fewer businesses are identifying breaches than in previous years, but the ones that are identifying breaches are typically experiencing more of them. Approximately 32% of businesses and 22% of charities report having cyber security breaches/attacks in the last 12 months. The most common type of cyber security breaches reported are: Continue reading

British Airways Data Breach: ICO announces potential £183 million ‘mega fine’

  • The ICO has published a notice of its intent to fine British Airways £183.39 million for its 2018 data breach where the personal data of 500,000 customers was stolen by hackers;
  • This is the first ‘mega fine’ issued by a European data regulator since the implementation of the GDPR;
  • The ICO acted as lead supervisory authority and has confirmed that it has been liaising with other EU privacy regulators;
  • No details have yet been published by the ICO regarding the specific GDPR infringements involved;
  • British Airways now has the chance to respond to the notice of intent, after which a final decision will be made by the ICO.

Continue reading

Latest twist in the Morrisons Case: Supreme Court grants Morrisons permission to appeal

On 15 April 2019, the Supreme Court granted supermarket chain Morrisons permission to appeal against the Court of Appeal ruling that it was vicariously liable for its employee’s misuse of data in the first successful UK class action for a data breach.

Permission was granted on all grounds of appeal and the Supreme Court will principally consider:

  1. whether the common law doctrine of vicarious liability is excluded in cases that engage the data protection legislation (i.e. where the primary tortfeasor’s actions amounted to a breach by the tortfeasor of his or her own obligations under the data protection legislation);
  2. if the doctrine is excluded in respect of claims brought by reference to the data protection legislation, whether it is equally excluded in respect of any related common law or equitable causes of action; and
  3. if the doctrine is not excluded, whether the Court of Appeal in any event erred when it decided to uphold the conclusion that Morrisons was vicariously liable in the circumstances of the case.

This latest twist in the Morrisons tale follows the Court of Appeal dismissing an appeal against the High Court’s decision that Morrisons was vicariously liable for its employee’s misuse of data in October 2018, despite: (i) Morrisons having done as much as it reasonably could to prevent the misuse; and (ii) the employee’s intention being to cause reputational or financial damage to Morrisons itself: Wm Morrisons Supermarkets Plc v Various Claimants [2018] EWCA Civ 2339.


  • here for our previous article on the Court of Appeal’s judgement and here for the Court of Appeal’s full judgement
  • here for our summary of the High Court decision.

Continue reading

Cyberattack on German Public Figures Leads To One of Germany’s Largest Data Breaches

Last week, it was announced that during December 2018 almost one thousand German public figures, including journalists and a number of prominent politicians including the Chancellor and President, were the subject of one of Germany’s largest data breaches. The leaked data included contacts, private chats, credit card details and other financial details of figures from many of the major German political parties. The German interior ministry have since stated that there is no evidence that government systems or data have been compromised in the cyberattack. Continue reading