The Supreme Court clarifies the law on vicarious liability for data breaches


On 1 April 2020, the Supreme Court handed down the much anticipated judgment in the case of WM Morrison Supermarkets plc (Appellant) v Various Claimants (Respondents) [2020] UKSC 12.

The Court considered vicarious liability in an employment context; i.e. when an employer can be held liable for the wrongful acts of its employees committed in the course of their employment, and whether vicarious liability may arise for breaches of an employee's duties imposed by the Data Protection Act 1998 (“DPA”).

The Morrisons case began prior to the DPA being repealed and replaced by the Data Protection Act 2018 ("2018 Act") and the provisions of the GDPR. The DPA outlined eight data protection principles, which are largely carried over into the 2018 Act; accordingly, this case provides a helpful indication of how courts would respond to data breach and vicarious liability cases in the future.

The facts

A member of Morrisons' internal audit team was tasked with transmitting payroll data for Morrisons' entire workforce to its external auditors, as they had done the previous year. However, they also kept a personal copy of the data, uploaded the file to a publicly accessible file sharing website and sent the file anonymously to three UK newspapers. The newspapers did not publish the information and one alerted Morrisons, which took immediate steps to have the data removed from the internet and to protect its employees. Morrisons spent more than £2.26m in dealing with the immediate aftermath of the disclosure, most significantly on identity protection measures for its employees. The employee has since been imprisoned for the offences committed.

Some of the affected employees brought proceedings against Morrisons both for its own (primary) liability and on the basis of its vicarious liability for the employee's acts. Their claims were for breach of statutory duty under the DPA, misuse of private information, and breach of confidence. The first instance Judge and the Court of Appeal concluded that Morrisons bore no primary responsibility but was vicariously liable on each claim. The Supreme Court overturned this ruling and held that Morrisons was not vicariously liable for the employee's wrongdoing on the facts of this case.

The judgment on vicarious liability for data breaches

As the Supreme Court had concluded that the necessary conditions for finding Morrisons vicariously liable in this case did not exist, it was not strictly necessary for the court to consider vicarious liability for data breaches. However, it elected to do so.

The judge at first instance held that the DPA did not exclude vicarious liability, either for a breach of the duties imposed by the DPA itself or for a breach of common law or equitable obligations, and that the underlying EU legislation was intended to increase the protection of data subjects rather than to take away existing protections.

The Supreme Court upheld that view, with the judgment providing:

  • Statutory liability for a data controller is not inconsistent with a common law vicarious liability upon his employer;
  • The DPA is silent about the position of a data controller’s employer so there cannot be any inconsistency between the two regimes;
  • It is of no consequence that the statutory liability of a data controller under the DPA, including his liability for the conduct of his employee, is based on a lack of reasonable care, whereas vicarious liability is a no fault regime;
  • The fault-based liability of the primary wrongdoer under the DPA and the strict vicarious liability of his employer are not incompatible.

In conclusion, since the DPA neither expressly nor impliedly indicates otherwise, the Supreme Court found that the principle of vicarious liability applies to a breach of DPA obligations, and to the breach of obligations arising at common law or in equity, committed by an employee who is a data controller.

There is now clarity concerning the legal position: if a data breach is caused by an employee, an employer may be held vicariously liable. A court will consider whether there was a sufficiently close connection between the position in which the employee was employed and their wrongful conduct, such that it is right for the employer to be held liable under the principle of social justice.

This judgment will be welcomed by businesses and large employers. If they reasonably entrust their employees with processing personal data, as was the case with Morrisons here, since the employee had completed the task assigned to them the year previously, then they will not be held vicariously liable for breach of statutory duty under data protection legislation, misuse of private information, or breach of confidence, if such conduct cannot fairly and properly be regarded as done by the employee while acting in the ordinary course of their employment.