North of the border

December 8th, 2017 by James Goudie QC

The Scottish Government are consulting, until 7 March 2018, on a Draft Order, to commence on 1 April 2019, extending coverage of the Freedom of Information (Scotland) Act 2002 (“the Act”) to Registered Social Landlords, (“RSLs”) and their subsidiaries. The Act provides a statutory right of access to information held by Scottish public authorities. These range from the Scottish Parliament and Government to local authorities, NHS boards, higher and further education bodies, doctors and dental practitioners. The provisions of the Act can be extended to other bodies, including private bodies, that carry out functions of a public nature or which provide, under a contract with a Scottish public authority, a service which is a function of that authority. This can be done by making an Order under Section 5 of the Act, which designates those bodies as a Scottish public authority for the purposes of the legislation. They are then subject to the full requirements of the Act, as well as becoming automatically subject to the Environmental Information (Scotland) Regulations 2004. Read more »


11KBW Seminar Various Claimants v WM Morrison Ltd – Opening the Data Breach Floodgates?

December 6th, 2017 by Claire Halas

11KBW will be holding a seminar on the High Court judgment in the critically important group litigation case of Various Claimants v WM Morrison Ltd. This hugely important judgment is to be considered at a seminar to be held at 6.00pm at 11KBW on 16 January 2018 at the Turing Lecture Theatre, IET London Savoy Place, 2 Savoy Pl, London WC2R 0BL.

Issues to be discussed will include:

– the court’s approach to the application of the seventh data protection principle concerning data security

– the court’s conclusion that the DPA could be construed so as to enable an innocent employer/data controller to be fixed with common law vicarious liability for a breach of the DPA effected by a third party data controller;

– the court’s analysis of the relationship between the DPA and the common law

– the court’s conclusion that the rogue employee was ‘acting in the course of his employment’ when he criminally disclosed the payroll data, notwithstanding that this disclosure was effected whilst the employee was off work and for the specific purpose of damaging his employer

– whether the GDPR may call for a different approach

Speakers will include Timothy Pitt-Payne QC and Robin Hopkins   Read more »


Data Breach, Group Actions, and the criminal insider: the Morrisons case

December 6th, 2017 by Timothy Pitt-Payne QC


A spectre is haunting data controllers – the spectre of group liability for data breach.

In Vidal-Hall v Google [2015] EWCA Civ 311 the Court of Appeal held that damages claims under section 13 of the Data Protection Act 1998 (DPA) can be brought on the basis of distress alone, without monetary loss.  Since that decision there has much speculation that a major data breach could lead to distress-based claims against the data controller by a large class of individuals.  Even if each individual claim was modest (in the hundreds or low thousands of pounds) the aggregate liability could be substantial.

Cases of this nature may give rise to important questions of public policy.  Often the data controller will themselves be the victim of malicious or criminal conduct, involving a hack by outsiders or a data leak by insiders. In such situations, should the data controller be required to compensate data subjects?  What if the very purpose of the hack or leak was to damage the data controller, so that by imposing civil liability on the controller the Courts would help further that purpose?

The recent decision of the High Court in Various Claimants v Wm Morrisons Supermarket PLC [2017] EWHC 3113 is the first significant case to grapple with these issues post Vidal-Hall.  The case involves a group claim brought by some 5,500 Morrisons’ employees in connection with the criminal misuse of a significant quantity of payroll data by a rogue employee.  In a lengthy judgment handed down on 1st December 2017, Langstaff J found that Morrisons were not directly liable to the claimants in respect of the criminal misuse of the data, whether under the DPA or at common law, but that they were nevertheless vicariously liable.  The trial dealt only with liability: quantum remains to be determined.

11KBW’s Anya Proops QC and Rupert Paines acted for Morrisons. Read more »


Vicarious Liability and Data Controllers

December 1st, 2017 by Christopher Knight

The High Court (Langstaff J) has today handed down an almost 200 paragraph judgment in the first ever group litigation data breach case to come before the courts. The issue for the court was whether the defendant data controller, Morrisons, was in principle either directly or vicariously liable for the actions of a rogue employee who had, as an act of malice directed at his employer, taken payroll data relating to some 100,000 employees and published it online. The court concluded that, despite itself having been entirely innocent of the misuse, Morrisons was in principle liable to compensate all the claimants in the group, some 5,500 individuals, on the basis of the application of common law (no fault) vicarious liability principles. Read more »


Facebook fan pages and ‘pluralistic’ data controller models

November 12th, 2017 by Robin Hopkins

It’s as if everyone has their head down preparing for the GDPR. Recent weeks have produced very little by way of judgments in the data protection area. They have, however, produced an Advocate General’s opinion in a case about the data controllers of Facebook fan pages. That opinion is worth noting because (rightly or wrongly) it casts the net very widely, bringing multiple entities within the definition of data controllers. Read more »


Some DP Updates

October 10th, 2017 by Christopher Knight

Time for a few data protection-related updates which don’t merit a full post of their own (or at least, not one I can be bothered to write) but which readers may or may not have missed. Read more »