11KBW Seminar Various Claimants v WM Morrison Ltd – Opening the Data Breach Floodgates?

December 6th, 2017 by Claire Halas

11KBW will be holding a seminar on the High Court judgment in the critically important group litigation case of Various Claimants v WM Morrison Ltd. This hugely important judgment is to be considered at a seminar to be held at 6.00pm at 11KBW on 16 January 2018 at the Turing Lecture Theatre, IET London Savoy Place, 2 Savoy Pl, London WC2R 0BL.

Issues to be discussed will include:

– the court’s approach to the application of the seventh data protection principle concerning data security

– the court’s conclusion that the DPA could be construed so as to enable an innocent employer/data controller to be fixed with common law vicarious liability for a breach of the DPA effected by a third party data controller;

– the court’s analysis of the relationship between the DPA and the common law

– the court’s conclusion that the rogue employee was ‘acting in the course of his employment’ when he criminally disclosed the payroll data, notwithstanding that this disclosure was effected whilst the employee was off work and for the specific purpose of damaging his employer

– whether the GDPR may call for a different approach

Speakers will include Timothy Pitt-Payne QC and Robin Hopkins   Read more »


Data Breach, Group Actions, and the criminal insider: the Morrisons case

December 6th, 2017 by Timothy Pitt-Payne QC


A spectre is haunting data controllers – the spectre of group liability for data breach.

In Vidal-Hall v Google [2015] EWCA Civ 311 the Court of Appeal held that damages claims under section 13 of the Data Protection Act 1998 (DPA) can be brought on the basis of distress alone, without monetary loss.  Since that decision there has much speculation that a major data breach could lead to distress-based claims against the data controller by a large class of individuals.  Even if each individual claim was modest (in the hundreds or low thousands of pounds) the aggregate liability could be substantial.

Cases of this nature may give rise to important questions of public policy.  Often the data controller will themselves be the victim of malicious or criminal conduct, involving a hack by outsiders or a data leak by insiders. In such situations, should the data controller be required to compensate data subjects?  What if the very purpose of the hack or leak was to damage the data controller, so that by imposing civil liability on the controller the Courts would help further that purpose?

The recent decision of the High Court in Various Claimants v Wm Morrisons Supermarket PLC [2017] EWHC 3113 is the first significant case to grapple with these issues post Vidal-Hall.  The case involves a group claim brought by some 5,500 Morrisons’ employees in connection with the criminal misuse of a significant quantity of payroll data by a rogue employee.  In a lengthy judgment handed down on 1st December 2017, Langstaff J found that Morrisons were not directly liable to the claimants in respect of the criminal misuse of the data, whether under the DPA or at common law, but that they were nevertheless vicariously liable.  The trial dealt only with liability: quantum remains to be determined.

11KBW’s Anya Proops QC and Rupert Paines acted for Morrisons. Read more »


Vicarious Liability and Data Controllers

December 1st, 2017 by Christopher Knight

The High Court (Langstaff J) has today handed down an almost 200 paragraph judgment in the first ever group litigation data breach case to come before the courts. The issue for the court was whether the defendant data controller, Morrisons, was in principle either directly or vicariously liable for the actions of a rogue employee who had, as an act of malice directed at his employer, taken payroll data relating to some 100,000 employees and published it online. The court concluded that, despite itself having been entirely innocent of the misuse, Morrisons was in principle liable to compensate all the claimants in the group, some 5,500 individuals, on the basis of the application of common law (no fault) vicarious liability principles. Read more »


Facebook fan pages and ‘pluralistic’ data controller models

November 12th, 2017 by Robin Hopkins

It’s as if everyone has their head down preparing for the GDPR. Recent weeks have produced very little by way of judgments in the data protection area. They have, however, produced an Advocate General’s opinion in a case about the data controllers of Facebook fan pages. That opinion is worth noting because (rightly or wrongly) it casts the net very widely, bringing multiple entities within the definition of data controllers. Read more »


Some DP Updates

October 10th, 2017 by Christopher Knight

Time for a few data protection-related updates which don’t merit a full post of their own (or at least, not one I can be bothered to write) but which readers may or may not have missed. Read more »


Section 10 DPA and Youtube videos: Court grants wide perpetual injunction

October 9th, 2017 by Robin Hopkins

Al-Ko Kober Ltd and Paul Jones v Balvinder Sambhi [2017] EWHC 2474 (QB) is, rather improbably, a DPA case about caravan tow-bars and braking systems. A commercial operator used Youtube videos to malign a competitor business and its marketing manager, until the High Court (Mrs Justice Whipple) granted injunctions last week. Read more »