Court of Appeal (Sir Terence Etherton MR and Lords Justices Bean and Flaux) Various Claimants v W M Morrison Supermarkets Plc  EWCA Civ 2339 (22 Oct 2018)
In Various Claimants v WM Morrisons Supermarkets Plc (Rev 1)  EWHC 3113 (QB),  3 WLR 691, Mr Justice Langstaff held that W M Morrisons Supermarket Plc ("Morrisons") was vicariously liable to its employees for the unauthorized act of one Skelton, an internal auditor, who had posted the names, addresses, gender, dates of birth, phone numbers (home or mobile), national insurance numbers, bank sort codes, bank account numbers and salaries of Morrisons' employees to a file sharing website. Skelton had acted as he did out of spite. He had a grudge against Morrisons and wanted to injure the company. The judge acknowledged at para  of his judgment that the effect of his judgment was to accomplish that injury and for that reason he gave the supermarket chain permission to appeal. I commented on the case in Morrisons - Primary and Vicarious Liability for Breaches of Data Protection Act 1998 11 Dec 2017.
The defendant appealed on the following grounds:
"First, the Judge ought to have concluded that, on its proper interpretation and having regard to the nature and purposes of the statutory scheme, [the Data Protection Act 1998 ("the DPA")] excludes the application of vicarious liability. Second, the Judge ought to have concluded that, on its proper interpretation, the DPA excludes the application of causes of action for misuse of private information and breach of confidence and/or the imposition of vicarious liability for breaches of the same. Third, the Judge was wrong to conclude (a) that the wrongful acts of Mr Skelton occurred during the course of his employment by Morrisons, and, accordingly, (b) that Morrisons was vicariously liable for those wrongful acts."
By their respondents' notice, the claimants sought to uphold the judge's order on the additional ground "that, in evaluating whether there was a sufficient connection between Mr Skelton's employment and his wrongful conduct to make it right for Morrisons to be held vicariously liable, the Judge ought to have taken into account that Mr Skelton's job included the task or duty delegated to him by Morrisons of preserving confidentiality in the claimants' payroll information." The appeal came on before the Master of the Rolls and Lord Justices Bean and Flaux, who heard the appeal on 9 and 10 Oct and delivered judgment on 22 Oct 2018.
Their lordships dismissed Morrisons' appeal.
As for the first and second grounds, the Court concluded at para  that it was clear that the vicarious liability of an employer for misuse of private information by an employee and for breach of confidence by an employee had not been excluded by the Data Protection Act 1998. The applicable principle for determining that issue was whether, on the true construction of the statute in question, Parliament had intended to exclude vicarious liability. The appropriate test was:
"If the statutory code covers precisely the same ground as vicarious liability at common law, and the two are inconsistent with each other in one or more substantial respects, then the common law remedy will almost certainly have been excluded by necessary implication. As Lord Dyson said in the Child Poverty Action Group case (at ) the question is whether, looked at as a whole, the common law remedy would be incompatible with the statutory scheme and therefore could not have been intended to coexist with it."
Their lordships reasoned that if Parliament had intended to exclude that cause of action, it would have said so expressly. Secondly, Morrisons' counsel had conceded in her submissions that the Act had not excluded the action for breach of confidence or misuse of personal information. Their lordships observed at :
"Morrisons' acceptance that the causes of action at common law and in equity operate in parallel with the DPA in respect of the primary liability of the wrongdoer for the wrongful processing of personal data while at the same time contending that vicarious liability for the same causes of action has been excluded by the DPA is, on the face of it, a difficult line to tread."
They added at [57]:
"...... the difficulty of treading that line becomes insuperable on the facts of the present case because, as was emphasised by Mr Barnes [the claimants' counsel], the DPA says nothing at all about the liability of an employer, who is not a data controller, for breaches of the DPA by an employee who is a data controller."
The concession that the causes of action for misuse of private information and breach of confidence are not excluded by the Act in respect of the wrongful processing of data within the ambit of the statute, and the complete absence of any provision addressing the situation of an employer where an employee data controller breaches the requirements of the Act, led inevitably to the conclusion that Mr Justice Langstaff was correct to hold that the common law remedy of vicarious liability of the employer was not expressly or impliedly excluded by the Act.
In respect of the third ground of appeal, the Court referred to the judgment of Lord Toulson in Mohamud v WM Morrison Supermarkets Plc  UKSC 11,  IRLR 362,  ICR 485,  2 WLR 821,  1 All ER 15,  AC 677,  PIQR P11,  WLR(D) 109. At para  Lord Toulson had asked "what functions or "field of activities" have been entrusted by the employer to the employee, or, in everyday language, what was the nature of his job?" Next "the court must decide whether there was sufficient connection between the position in which he was employed and his wrongful conduct to make it right for the employer to be held liable under the principle of social justice which goes back to Holt CJ." As to Lord Toulson's first question, the Court of Appeal endorsed the trial judge's finding that Morrisons had entrusted Skelton with payroll data. It was part of his job to disclose it to a third party. He had clearly exceeded his authority but that did not matter because his wrongdoing was nonetheless closely related to the task that he had to do. As to the second part of Lord Toulson's test, the Court endorsed Mr Justice Langstaff's finding that there was an unbroken thread that linked his work to the disclosure.
As noted above, the trial judge had been troubled by the thought that the court was facilitating Skelton's wrongdoing. The Court of Appeal noted at para  that it had not been shown any reported case in which the motive of the employee committing the wrongdoing was to harm his employer rather than to achieve some benefit for himself or to inflict injury on a third party. Morrisons submitted that it would be wrong to impose vicarious liability on an employer in circumstances such as this especially as there were so many potential claimants. Their lordships had no trouble in rejecting those submissions. Motive was irrelevant and to have held otherwise would have left thousands of hapless data subjects without remedy.
In Mohamud, Lord Toulson had remarked at para  of his judgment that:
"The risk of an employee misusing his position is one of life's unavoidable facts."
The solution for employers was to insure against liability for the misdeeds of their staff. As the Master of the Rolls put it at :
"There have been many instances reported in the media in recent years of data breaches on a massive scale caused by either corporate system failures or negligence by individuals acting in the course of their employment. These might, depending on the facts, lead to a large number of claims against the relevant company for potentially ruinous amounts. The solution is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees. We have not been told what the insurance position is in the present case, and of course it cannot affect the result. The fact of a defendant being insured is not a reason for imposing liability, but the availability of insurance is a valid answer to the Doomsday or Armageddon arguments put forward by Ms Proops on behalf of Morrisons."
That last paragraph will be one of the reasons why this case will appear in countless skeleton arguments and law reports in the future. The other is the Court's analysis of the circumstances when a statutory code displaces common law remedies.