Friday 3 April 2020

Supreme Court allows Morrison's Appeal


UK Supreme Court


















Jane Lambert

Supreme Court (Lady Hale, Lord Reed, Lord Kerr, Lord Hodge and Lord Lloyd-Jones) Wm Morrison Supermarkets plc v Various Claimants [2020] UKSC 12 (01 April 2020)

On 12 Jan 2014, a disgruntled member of the staff of Wm Morrison Supermarkets plc called Andrew Skelton posted a file containing the personal details of nearly 100,000 of the company's employees on a file-sharing website. The information included names, addresses, gender, dates of birth, phone numbers (home or mobile), national insurance numbers, bank sort codes, bank account numbers and salaries. Mr Skelton was caught, prosecuted, convicted and sentenced to 8 years' imprisonment.

Some 5,518 of those employees have brought an action for damages against the company for breach of statutory duty under s.4 (4) of the Data Protection Act 1998, breach of confidence and misuse of personal information. The action was split into two: first, a trial on liability and then, if necessary, an assessment of damages. The trial on liability came on before Mr Justice Langstaff, who decided that Morrisons was not primarily liable for breaches of statutory duty, breach of confidence or misuse of personal information but that it was vicariously liable for the wrongdoing of its employee. The judge was troubled by his decision because it assisted the wrongdoer to accomplish his ends, which were to injure his employer. However, the claimants had suffered and were entitled to be compensated (see Various Claimants v WM Morrisons Supermarket Plc (Rev 1) [2018] IRLR 200, [2018] EMLR 12, [2017] EWHC 3113 (QB), [2018] 3 WLR 691 and Morrisons - Primary and Vicarious Liability for Breaches of Data Protection Act 1998 11 Dec 2017).

The company appealed to the Court of Appeal on the following grounds:
"First, the Judge ought to have concluded that, on its proper interpretation and having regard to the nature and purposes of the statutory scheme, [the Data Protection Act 1998 ("the DPA")] excludes the application of vicarious liability. Second, the Judge ought to have concluded that, on its proper interpretation, the DPA excludes the application of causes of action for misuse of private information and breach of confidence and/or the imposition of vicarious liability for breaches of the same. Third, the Judge was wrong to conclude (a) that the wrongful acts of Mr Skelton occurred during the course of his employment by Morrisons, and, accordingly, (b) that Morrisons was vicariously liable for those wrongful acts."
The appeal came on before the Master of the Rolls and Lord Justices Bean and Flaux, who dismissed the appeal (see WM Morrison Supermarkets Plc v Various Claimants [2018] EWCA Civ 2339, [2019] 2 All ER 579, [2019] ICR 357, [2019] 2 WLR 99, [2019] QB 772, [2019] IRLR 73, [2018] WLR(D) 653 and The Morrisons Appeal - Vicarious Liability for Employees' Breaches of Confidence and Statutory Duty 24 Oct 2018).

As for the first and second grounds, the Lord Justices held at para [48] that it was clear that the vicarious liability of an employer for misuse of private information by an employee and for breach of confidence by an employee had not been excluded by the Data Protection Act 1998. With regard to the third ground, the Court of Appeal referred to the judgment of Lord Toulson in Mohamud v Wm Morrison Supermarkets Plc [2016] UKSC 11, [2016] IRLR 362, [2016] ICR 485, [2016] 2 WLR 821, [2017] 1 All ER 15, [2016] AC 677, [2016] PIQR P11, [2016] WLR(D) 109. At para [44] Lord Toulson had asked "what functions or "field of activities" have been entrusted by the employer to the employee, or, in everyday language, what was the nature of his job?" Next, "the court must decide whether there was sufficient connection between the position in which he was employed and his wrongful conduct to make it right for the employer to be held liable under the principle of social justice which goes back to Holt CJ." As to Lord Toulson's first question, the Court of Appeal endorsed the trial judge's finding that Morrisons had entrusted Skelton with payroll data. It was part of his job to disclose it to a third party. He had clearly exceeded his authority but that did not matter because his wrongdoing was nonetheless closely related to the task that he had to do. As to the second part of Lord Toulson's test, the Court endorsed Mr Justice Langstaff's finding that there was an unbroken thread that linked his work to the disclosure.

The supermarket chain appealed to the Supreme Court, which heard argument on 6 and 7 Nov 2019 and delivered judgment on 1 April 2020. Readers can see the following video recordings of counsels' argument (morning 6 Nov, afternoon 6 Nov and morning 7 Nov) and Lord Reed's summary of the judgment of 1 April 2020. They can also find the full judgment (see Wm Morrison Supermarkets plc v Various Claimants [2020] UKSC 12 (1 April 2020)) and a press summary. The issues before the Supreme Court were:
"(1) Whether Morrisons is vicariously liable for Skelton’s conduct.
(2) If the answer to (1) is in the affirmative:
(a) Whether the DPA excludes the imposition of vicarious liability for statutory torts committed by an employee data controller under the DPA.
(b) Whether the DPA excludes the imposition of vicarious liability for misuse of private information and breach of confidence."
Allowing the appeal, Lord Reed remarked in the opening paragraph of his judgment (with which the rest of the Court agreed) that the appeal provided the court with an opportunity to address the misunderstandings which have arisen since its decision in the case of Mohamud v WM Morrison Supermarkets plc [2016] UKSC 11; [2016] AC 677.

Lord Reed made clear in paragraph [17] that Lord Toulson’s judgment in Mohamud was not intended to effect a change in the law of vicarious liability. The judgments at first instance and in the Court of Appeal focused on the final paragraphs which were taken out of context and treated as establishing legal principles which would represent a departure from the precedents that Lord Toulson was expressly following.

The basic principles on vicarious liability were summarized by Baron Parke in Joel v Morison 172 ER 1338, [1834] EWHC KB J39, (1834) 6 C & P 501, 503:
“The master is only liable where the servant is acting in the course of his employment. If he was going out of his way, against his master’s implied commands, when driving on his master’s business, he will make his master liable; but if he was going on a frolic of his own, without being at all on his master’s business, the master will not be liable.”
That principle had been affirmed recently by the House of Lords in Dubai Aluminium Company Ltd v. Salaam [2003] 2 AC 366, [2002] UKHL 48, [2002] 3 WLR 1913, [2003] 1 LLR 65, [2003] 1 CLC 1020, [2003] 2 All ER (Comm) 451, [2003] 1 Lloyd's Rep 65, [2003] 1 BCLC 32, [2003] 1 All ER 97, [2003] WTLR 163, [2003] IRLR 608:
“A distinction is to be drawn between cases such as Hamlyn v John Houston & Co [1903] 1 KB 81, where the employee was engaged, however misguidedly, in furthering his employer’s business, and cases where the employee is engaged solely in pursuing his own interests: on a ‘frolic of his own’, in the language of the time-honoured catch phrase … The matter stands differently when the employee is engaged only in furthering his own interests, as distinct from those of his employer. Then he ‘acts as to be in effect a stranger in relation to his employer with respect to the act he has committed’: see Isaacs J in Bugge v Brown (1919) 26 CLR 110, 118.”
In Attorney General v. Hartwell [2004] WLR 1273, [2004] PIQR P27, [2004] UKPC 12, [2004] 1 WLR 1273, the Privy Council refused to impose liability on the Virgin Islands government for the actions of one of its constables who had deserted his post to pursue a domestic quarrel which had resulted in his discharging a firearm, causing injury to a passer-by. This was quite different from Bernard v. Attorney General of Jamaica [2005] IRLR 398, [2004] UKPC 47, where an officer fired his weapon in the execution of his duty.

The distinction between Mohamud's case and Skelton's was expressed in paragraph [47] of the judgment:
"All these examples illustrate the distinction drawn by Lord Nicholls at para 32 of Dubai Aluminium [2003] 2 AC 366 between “cases … where the employee was engaged, however misguidedly, in furthering his employer’s business, and cases where the employee is engaged solely in pursuing his own interests: on a ‘frolic of his own’, in the language of the time-honoured catch phrase.” In the present case, it is abundantly clear that Skelton was not engaged in furthering his employer’s business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier. In those circumstances, applying the test laid down by Lord Nicholls in Dubai Aluminium in the light of the circumstances of the case and the relevant precedents, Skelton’s wrongful conduct was not so closely connected with acts which he was authorised to do that, for the purposes of Morrisons’ liability to third parties, it can fairly and properly be regarded as done by him while acting in the ordinary course of his employment."
Though the decision is logical and consistent with nearly 200 years of authority, the news that they can no longer expect a payout that they had been expecting since 2017 will be bitterly disappointing for thousands of supermarket workers who are risking their health and in some cases their lives to feed their communities.

Although no longer necessary for the disposal of the appeal, Lord Reed addressed the second question of whether the Data Protection Act 1998 excluded the imposition of vicarious liability for:
(a) statutory torts committed by an employee data controller under the Act and
(b) misuse of private information and breach of confidence,
as those matters had been fully argued.

His lordship noted that the appellant company had intended to argue that the former Data Protection Directive (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data OJ L 281, 23/11/1995 P. 0031 - 0050) had been designed to harmonize national laws governing the processing of personal data and that the existence of vicarious liability under English law in circumstances falling within the scope of that directive was therefore precluded. The opinion of Mr Advocate-General Bobek in Case C‑40/17 Fashion ID GmbH & Co KG v Verbraucherzentrale NRW eV (Facebook Ireland Ltd intervening) ECLI:EU:C:2018:1039, [2020] 1 WLR 969, EU:C:2018:1039, [2018] EUECJ C-40/17_O had undermined that argument. The company was therefore obliged to argue that the statute impliedly excluded the vicarious liability of an employer for breaches of statutory duty and breaches of confidence. It referred to s.13 (1), (2) and (3) of the Act and to paragraph 10 of Schedule 1 on the interpretation of the Seventh Data Protection Principle. The company contended that those provisions implied that liability was to be imposed only on data controllers, and only where they had acted without reasonable care.

Their lordships were not persuaded. Lord Reed said at [54]:
"The imposition of a statutory liability upon a data controller is not inconsistent with the imposition of a common law vicarious liability upon his employer, either for the breach of duties imposed by the DPA, or for breaches of duties arising under the common law or in equity. Since the DPA is silent about the position of a data controller’s employer, there cannot be any inconsistency between the two regimes. That conclusion is not affected by the fact that the statutory liability of a data controller under the DPA, including his liability for the conduct of his employee, is based on a lack of reasonable care, whereas vicarious liability is not based on fault. There is nothing anomalous about the contrast between the fault-based liability of the primary tortfeasor under the DPA and the strict vicarious liability of his employer. A similar contrast can often be drawn between the fault-based liability of an employee under the common law (for example, for negligence) and the strict vicarious liability of his employer, and is no more anomalous where the employee’s liability arises under statute than where it arises at common law."
The Court's pronouncement on the second question, albeit obiter, means that an employer will not be exonerated from the consequences of data breaches occasioned by its employees in all circumstances. For example, if a loss is caused by an employee's negligence in carrying out his employer's instructions, the employer will be vicariously liable.

Anyone wishing to discuss this article, this decision or data protection and privacy law generally should call my clerk Stephen on 07986 948267 during normal office hours for the duration of the coronavirus crisis or on our usual number afterwards. Alternatively, message me through my contact page.
