UK Supreme Court ruling on vicarious liability offers limited relief to corporates

A UK Supreme Court ruling in early April has overturned two previous judgments against the supermarket group Morrisons, which would have allowed thousands of employees whose personal details were posted on the internet to pursue compensation claims for upset and distress. Those potential claims have now been wiped out, as Neil Hodge reports.

The UK’s highest court ruled that supermarket chain Morrisons should not be held ‘vicariously liable’ for the criminal act of an employee who chose to leak the payroll data of some 100,000 members of staff after being disciplined by bosses.

The case concerned Andrew Skelton, a former senior internal auditor at Morrisons, who posted the payroll information online, as well as disclosing it to newspapers. He was jailed for eight years in 2015 after being found guilty at Bradford Crown Court of fraud, securing unauthorised access to computer material and disclosing personal data.

Lord Reed, President of the Supreme Court, said employers could only be held liable for the actions of employees if they were ‘closely connected’ with their duties at work.

‘In the present case, Skelton was not engaged in furthering Morrisons’ business when he committed the wrongdoing in question,’ Lord Reed explained. ‘On the contrary, he was pursuing a personal vendetta, seeking revenge for the disciplinary proceedings a month earlier… In these circumstances, applying the established approach to cases of this kind, his employer is not vicariously liable.’

Up until the Supreme Court’s ruling, organisations could be held liable for breaches of personal data even if the act was malicious, no one was financially harmed, and the company could demonstrate that it had suitable controls, policies and procedures in place to protect that information.

In a statement, Morrisons said: ‘We are pleased that the Supreme Court has agreed that Morrisons should not be held vicariously liable… A court has already found that Morrisons was not responsible for any direct wrongdoing in respect of this data theft. We also know that many colleagues appreciated the way we got the data taken down quickly, provided protection for their bank accounts and reassured them that they would not, in any circumstances, be financially disadvantaged. In fact, we’ve seen absolutely no evidence of anyone suffering any direct financial loss.’

Many lawyers had been surprised by the previous judgments, especially as the Information Commissioner’s Office (ICO), the UK’s data protection regulator, had investigated the case but decided that on the evidence presented, it fell below the necessary criteria for formal enforcement action. In its view, Morrisons had processes and procedures in place to protect personal data, no harm was done to any data subject, and the breach was the criminal act of an employee acting in bad faith.

Experts had also expressed concerns with the previous rulings because no party had been held ‘vicariously liable’ under the UK’s Data Protection Act – the precursor to the current legislation – in the previous 20 years. Data protection lawyers warned that the fact that the courts had been willing to find vicarious liability in such extreme actions meant that the risk of liability to organisations had potentially – and unfairly – broadened in scope.

However, the Supreme Court ruling may not provide as much safety as some organisations think. Dr Marc Hilber, Senior Vice-Chair of the IBA Technology Law Committee and a partner at Oppenhoff, says that the ruling actually reinforces the concept that a corporate should consider itself responsible for any corporate governance failing – including a data breach – unless it can prove otherwise. He says that the UK’s ruling is similar to German case law.

Hilber says that a corporate is generally liable for the actions of its employees, irrespective of whether the action is accidental, malicious or negligent. ‘The issue in this case is strictly about whether the employee committed the breach in performance of his duties, and the UK Supreme Court has apparently ruled that he didn’t. However, this does not mean that companies can make the case that they are not responsible for the malicious action of employees.’

Other experts agree that the onus remains with companies to protect employee and customer data, and that only under exceptional circumstances may organisations be able to mount a defence that they are not liable.

Marlene Schreiber, Chair of the IBA Cybersecurity and Surveillance Subcommittee and a partner at Härting, says that employers – as data controllers – are liable for fines or claims for damages under the EU General Data Protection Regulation (GDPR). However, she adds that ‘whether employees can also be personally liable for data protection violations in the course of their professional activities is a much-discussed issue in Germany.’

Schreiber says that if an employee violates data protection regulations and thereby causes damage to the employer who, for example, has to pay a fine or damages, the employee may also be liable to the employer internally. In this regard, she says, German case law has developed special liability principles determining the scope of employee liability, and what kind of damages he/she would have to pay to compensate. ‘Slight negligence’ caused by minor infringements or over time would not incur any liability against the employee, while ‘medium negligence’ would be assessed proportionally by examining the degree of fault, damage and risk (among other factors). In the case of ‘gross negligence’, the employee is generally fully liable, says Schreiber, though the upper liability limit is regularly capped at the sum of three months of an employee’s salary. Only in the case of intent – such as in the Morrisons case – could the employee always be held fully liable.

However, Schreiber says that ‘under specific circumstances’, an employee could be held directly liable by a data protection authority in Germany (and thus receive a fine) if he/she is deemed to be a data controller. This could include data protection violations caused through deliberate actions that are not part of that employee’s job, such as knowingly accessing information that is not pertinent to one’s duties. For example, in 2019 the data protection authority of the German federal State of Baden-Württemberg imposed a €1,400 fine on a police officer who unlawfully obtained personal data in the course of his employment for private purposes.

‘Personal liability of employees remains the exception and can only be considered in extreme cases of intent,’ says Schreiber. ‘Additionally, in Germany the amount of any imposed fines against individuals will also remain rather low.’