Morrisons is not vicariously liable for its employee’s breach of data protection laws
Morrisons is not vicariously liable for its employee’s breach of data protection laws
In a unanimous ruling, five Supreme Court justices have ruled in favour of Morrisons in the UK’s first group action for a data breach.
In WM Morrison Supermarkets plc (Appellant) v Various Claimants (Respondents) [2020] UKSC 12 the Court held that the supermarket was not vicariously liable for the actions of its disgruntled employee, Andrew Skelton, who leaked the personal data of more than 100,000 of its staff online.
Finding against the 5,000 employees who brought the group action for compensation, the Court held that the online data disclosure was not part of Mr Skelton’s “functions or field of activities”, as he was not authorised to do such an act in the course of his employment. To the contrary, the Court found that Mr Skelton “was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier” when he committed the wrongdoing in question.
The Supreme Court held that the Court of Appeal had misinterpreted the law on vicarious liability when it observed that “motive is irrelevant” when applying the authority of Mohamud v WM Morrison Supermarkets [2016] AC 677 to the complaint. The statement that “motive is irrelevant”, the Supreme Court noted, is misleading if read in isolation and, were it correct, would have constituted “a major change in the law”.
Having confirmed that it had not changed the law on vicarious liability by upholding Morrisons’ appeal, the justices went on to reject Morrisons’ alternative argument that the Data Protection Act 1998 excluded the imposition of vicarious liability on an employer for either statutory or common law wrongs when its employee was liable under that Act.
While the law on vicarious liability may not have been changed by its judgment, the Supreme Court’s decision should serve as a warning that, subject to the breach being perpetrated in pursuit of a personal vendetta, employers will likely remain liable for data breaches caused by their employees.