As we all adjust to the strange new reality ushered in by the arrival of Covid-19, it is reassuring to see that the wheels of the justice system continue to turn, and at the highest levels. Today the Supreme Court has handed down its judgment in one of the most watched data protection and employment cases of recent years: Various Claimants v Morrisons. The judgment is a real watershed moment, and one that will doubtless bring considerable relief to employer data controllers across the land.
The factual background
The factual background to the case is important. In mid-November 2013, Morrisons gave one of its senior internal auditors (one Andrew Skelton) access to the payroll data of its entire workforce (some 120,000 individuals), so that he could in turn provide that data to Morrisons’ external auditors for statutory auditing purposes. Subsequently, and unbeknownst to Morrisons, Skelton nefariously copied the data from his work laptop before then going on, in January 2014, to disclose much of the data online, on a file-sharing website. When the online disclosure failed to attract attention, Skelton sent the data to various newspapers, doing so on the day Morrisons published its annual financial results in an attempt to maximise the damage to the company.
Skelton took substantial steps to attempt to cover his tracks, effecting the online disclosure at home, using a ‘burner’ phone and a false email address in an attempt to avoid identification and with a view to framing a fellow employee. Skelton also used ‘The Onion Router’ (TOR) in order to disguise the identity of his computer as it connected to the internet. The data of just under 100,000 Morrisons employees was affected by the online disclosure, which was not only unlawful but also criminal. Perhaps most remarkably, Skelton engaged in this criminal venture because he wanted to punish his employer for having subjected him to a disciplinary process earlier on in 2013.
Despite the steps Skelton took to avoid detection, he was caught, prosecuted and ultimately sentenced to eight years in prison. The length of his sentence was designed in part to reflect the significant damage that Skelton had caused his employer. The sentencing judge noted that Morrisons had spent more than £2.26m dealing with the aftermath of the disclosure. A significant element of that sum was spent on identity protection measures for Morrisons’ employees.
The Morrisons Litigation
In the wake of Skelton’s prosecution, a group action for damages was mounted against Morrisons. The claimants within the group, who ultimately numbered 9,263, were all current or former employees whose data had been disclosed online by Skelton. They all alleged that they had suffered distress as a result of Skelton’s online disclosure of their data, and that Morrisons was liable in damages for that distress, either directly or on the basis of the application of common law vicarious liability. Had the claimants within the group succeeded in their claims, that would immediately have exposed Morrisons to potential claims from all of the c. 100,000 individuals whose data had been disclosed, subject to limitation issues.
The Courts Below
The claim that Morrisons was directly liable in respect of the disclosure was dismissed by the High Court: the disclosure had not been effected on Morrisons’ behalf and did not come about as a result of Morrisons having failed to apply appropriate security measures to the payroll data it controlled; in the circumstances, Morrisons could not be held directly liable for any harm resulting from the disclosure. However, the High Court and thereafter the Court of Appeal held that Morrisons could in principle be held liable on a vicarious basis: [2017] EWHC 3113 (QB) and [2018] EWCA Civ 2339 (CA).
The Supreme Court – A reversal of fortune for Morrisons
Following an appeal against the Court of Appeal’s judgment by Morrisons, the Supreme Court has now unanimously, and very happily for Morrisons, reached precisely the opposite conclusion. Critically, the Supreme Court held that vicarious liability was not established on the facts: whatever Skelton was doing when he effected his unauthorised and indeed criminal online disclosure, he was not acting “in the course of his employment”, and accordingly no vicarious liability could be imposed on Morrisons. Lord Reed, the new President of the Supreme Court, gave the leading judgment, with which all the other judges agreed.
So where did both the High Court and the Court of Appeal go wrong? The Supreme Court held that ‘the judge and the Court of Appeal misunderstood the principles governing vicarious liability in a number of relevant respects’ [31]. It then went on to list the following four ‘particularly important’ misunderstandings, effectively disapproving all the core aspects of the High Court/Court of Appeal’s reasoning. I summarise its reasoning below.
- First, the “field of activities” was cast too widely – It is well established that one condition that must be met in order for vicarious liability to be established is that the wrongful act fell within the scope of the rogue employee’s “field of activities”. The Supreme Court held that, contrary to the High Court/Court of Appeal’s conclusions, Skelton’s online disclosure of the payroll data did not fall within the field of his employed activities: his act of disclosing the data for his own nefarious purposes could not be equiparated with his authorized act of disclosing the data to Morrisons’ auditors in the context of his employed role. Applying the approach adopted by Lord Toulson in Mohamud v Morrisons [2016] AC 677, the disclosure was not, as the Court put it, ‘an act he was authorised to do’ [31]. In this context, the Supreme Court compared the facts of Morrisons with the facts of the earlier cases of Bellman v Northampton [2018] EWCA Civ 2214 and Kooragang Investments Pty Ltd v Richardson & Wrench Ltd [1982] AC 462.
  - In Bellman, the Managing Director of a company assaulted a subordinate in the context of an impromptu off-site drinks party. The Supreme Court held that vicarious liability was properly imposed in that case because the assault took place whilst the MD was seeking to assert his authority qua MD over a subordinate in connection with work-related matters [46].
  - Compare Kooragang, where vicarious liability was not imposed on a surveyor who was engaged in moonlighting: the fact that he was, in the context of his moonlighting, undertaking very similar tasks to those undertaken in his employed role did not mean he was acting within the field of his employed activities [35].
- Second, the fact that the five factors identified in Various Claimants v Catholic Child Welfare were present was irrelevant – The courts below had erred when they relied on the five factors identified in Catholic Child Welfare as establishing vicarious liability: the fact that all of those factors were present in the instant case was ‘nothing to the point’ [31]. This is because those factors are relevant where the court is considering a very different question, namely whether ‘in the case of wrongdoing committed by someone who was not an employee, the relationship between the wrongdoer and the defendant was sufficiently akin to employment as to be one to which the doctrine of vicarious liability should apply’ [31].
- Third, a temporal and/or causal link is not enough – Contrary to the approach adopted by the High Court/Court of Appeal, the fact that there was a ‘close temporal link and an unbroken chain of causation’ linking (a) the provision of the data to Skelton by Morrisons for the purposes of his job and (b) his unlawful disclosure was not sufficient to establish vicarious liability: ‘a temporal or causal connection does not in itself satisfy the close connection test’ [31]. In this context, the Court sought to draw a distinction between cases where the employment merely offered the ‘opportunity’ for the wrongdoing and other cases where the wrong itself was perpetrated in the context of the employee doing the job they were employed to do [35].
- Fourth, the rogue’s motive is highly relevant to the analysis – The courts below had both held that, based on the Supreme Court’s judgment in Mohamud, Skelton’s motive was irrelevant to the vicarious liability analysis. The Supreme Court held that ‘on the contrary, whether he was acting on his employer’s business or for purely personal reasons was highly material’ [31] and at [47]: ‘In the present case, it is abundantly clear that Skelton was not engaged in furthering his employer’s business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier’.
Looking at the matter afresh, the Supreme Court went on to conclude that: ‘applying the test laid down by Lord Nicholls in Dubai Aluminium in the light of the circumstances of the case and the relevant precedents, Skelton’s wrongful conduct was not so closely connected with acts which he was authorised to do that, for the purposes of Morrisons’ liability to third parties, it can fairly and properly be regarded as done by him while acting in the ordinary course of his employment.’ [47]. Notably, and contrary to the conclusions reached by the Court of Appeal, the Supreme Court held that to recognize vicarious liability on the facts of Morrisons would not constitute a business as usual approach to the application of vicarious liability principles but would instead constitute ‘a major change in the law’ [16], which change the Supreme Court considered was plainly not warranted in the circumstances.
It is important at this point to note that, though Morrisons succeeded on the argument that vicarious liability could not be imposed on the facts, it lost on the argument that the Data Protection Act 1998 (DPA) operated so as to exclude vicarious liability in toto.
In summary, the arguments on the latter issue went as follows:
- the only thing connecting Skelton’s rogue disclosure to his employment was the fact his employer entrusted him with the data in the first place;
- the DPA specifically contemplates a scenario where an employer entrusts data to an employee (see further the seventh data protection principle, and also paragraph 10 of schedule 1 to the DPA), and it draws the liability line in respect of such disclosure very firmly at fault-based liability, i.e. direct liability (see further s. 13 which provides that, even in the event of a breach of the DPA, no compensation is payable if the employer took reasonable steps to avoid the breach);
- it is not for the common law to redraw the line that has very clearly been drawn by Parliament so as to impose additional no-fault, strict liabilities on the employer;
- these points apply with even greater force given that the “data controller” concept, which is so central to the operation of the DPA, is itself a ‘principal/master’ concept that doesn’t naturally fit with the idea of an employee acting “in the course of his employment” (on the latter point, it is important to note that the claimants’ case on vicarious liability was put on the basis that, insofar as he was processing data for his own nefarious purposes, Skelton was at all times processing the data as a “data controller”).
The Supreme Court rejected these arguments, essentially on the basis of the following simple premise: whilst the DPA does indeed purport to speak to a situation in which data is entrusted to an employee by an employer/controller, it is not concerned with the next stage of the analysis, namely whether an employer is then vicariously liable for the processing activities of an employee who has become a third party data controller in their own right. As the Supreme Court neatly put it: ‘the DPA is silent about the position of a data controller’s employer’ [54]. Given that the DPA was silent on this issue, there was no basis for concluding that the common law doctrine of vicarious liability had been excluded by statutory fiat.
In terms of where the judgment leaves us on the question of an employer’s vicarious liability for rogue processing by an employee, it seems to me that the following points are key:
- First, it is important to note that the analysis under the GDPR is unlikely to differ from that which the Supreme Court applied under the DPA. In other words, this is a judgment which is likely to have continuing resonance in the GDPR era.
- Second, where an employee is processing data exclusively on behalf of their employer, rather than their own behalf, the employer will in any event be subject to direct liability in respect of that processing on an application of the data protection legislation.
- Third, employers who fail to comply with their security obligations in a manner that is causally relevant to the rogue processing in issue will be exposed to liability on a direct basis under the GDPR. Vicarious liability only became an issue in Morrisons because the claimants lost on the direct liability question on the facts of the case.
- Fourth, it is clear there is no blanket exclusion of the vicarious liability doctrine in rogue employee data cases: on the right facts, vicarious (no-fault) liability could still be imposed.
- However, fifth, it is clear from the judgment that the mere fact that the employer/controller entrusted the data to the rogue employee is unlikely by itself to be sufficient to found vicarious liability. Indeed, looking at the judgment in the round, it can well be argued that in order to establish vicarious liability, what is required is that the employee is acting qua employee in the moment they undertake the relevant unlawful processing, in the sense that they are acting or purporting to act about their employer’s business or are otherwise asserting the authority given to them by their employer (see further not least [28] of the judgment which focusses on the ‘capacity’ in which the wrongdoer in Mohamud was acting when the relevant wrong occurred, and see [16-30] more generally).
Beyond these points, it is important to note that the Supreme Court was anxious to use its judgment as an ‘opportunity to address the misunderstandings which have arisen since its decision in the case of Mohamud’ [1] and to make clear that, in Mohamud, it was not seeking to extend the law on vicarious liability but was instead seeking to keep it well within its existing, precedent-based boundaries. As Lord Reed put it, ‘Lord Toulson’s judgment was not intended to effect a change in the law of vicarious liability: quite the contrary’ [17]. It is clear from the judgment that this constrained approach to the law on vicarious liability applies equally in data cases as it does in other types of case.
In conclusion, Morrisons is a hugely important judgment in both the data and employment fields. It constitutes a very happy outcome for Morrisons, bringing to an end the significant group action brought against it. However, its ramifications go far wider. The Court has firmly rejected the highly permissive approach to vicarious liability endorsed by the lower courts in a judgment that should bring considerable comfort to all employers.
You may wish to note that I am planning a webinar on the judgment, along with Rupert Paines, to be broadcast in the coming days. So watch this space.
Anya Proops QC