Tag Archives: [2018] EWCA Civ 2339

Nefarious Endeavours and Vicarious Liability for Data Breaches: Round 2 (The Court of Appeal)

The England and Wales Court of Appeal has delivered its judgment in the appeal by Morrisons against a finding by the High Court that it was vicariously liable for breaches of the Data Protection Act 1998 by one of its former employees. I will not set out the facts in much detail and instead direct readers to the blog post that I wrote following the decision of the High Court. It should be noted that all references to the DPA in this blog post are to the Data Protection Act 1998 and not the Data Protection Act 2018. For the sake of this post all that is really necessary to say is that Mr. Skelton, a former employee of Morrisons, was rather disgruntled when his employment with Morrisons came to an end. Before leaving Morrisons’ employment he copied records of over 5,000 employees onto a personal memory stick with the intention of disclosing that personal data on the internet.

Mr Justice Langstaff, who heard the case in the High Court, on his own motion granted Morrisons leave to appeal the vicarious liability issue to the Court of Appeal. Morrisons took the opportunity granted to them by Mr Justice Langstaff and appealed to the Court of Appeal. When the case came before the Court of Appeal there were three grounds of appeal: (1) the Judge ought to have concluded that, in its proper interpretation and having regard to the nature and purposes of the statutory scheme, the DPA excludes the application of vicarious liability; (2) the Judge ought to have concluded that, on its proper interpretation, the DPA excludes the application of causes of action for misuse of private information and breach of confidence and/or the imposition of vicarious liability for breaches of the same; and (3) the Judge was wrong to conclude (a) that the wrongful acts of Mr Skelton occurred during the course of his employment by Morrisons, and, accordingly, (b) that Morrisons was vicariously liable for those wrongful acts.

The Court of Appeal took the first and second grounds of appeal together; they essentially constructed an argument that the DPA provides a comprehensive statutory code which prevents a finding of vicarious liability. The Appellants’ argued that the DPA indicated a position contrary to the common law position that vicarious liability holds good for a wrong comprising a breach of a statutory duty. The Court of Appeal disagreed concluding at paragraph 60 of its judgment that “the concession that the causes of action for misuse of private information and breach of confidentiality are not excluded by the DPA in respect of the wrongful processing of data within the ambit of the DPA, and the complete absence of any provision of the DPA addressing the situation of an employer where an employee data controller breaches the requirements of the DPA, lead inevitably to the conclusion that the Judge was correct to hold that the common law remedy of vicarious liability of the employer in such circumstances (if the common law requirements are otherwise satisfied) was not expressly or impliedly excluded by the DPA.”

In relation to the Appellants’ third ground of appeal, this was also refused by the Court of Appeal. The Court noted, at paragraph 66, that in this “case the claimants’ cause of action in tort against Mr Skelton were already established when he improperly downloaded their data onto his USB stick. At that stage, had any of them been aware of what happened, they could as a matter of law have claimed at least nominal damages and sought and injunction to prevent dissemination of the data.” The Appellants’ Senior Counsel, Anya Proops QC, argued that (relying upon authority from the Supreme Court in a case from the jurisdiction of England and Wales) what Mr. Skelton had done at work in November (that being the downloading of the data) was “past history by the time he distributed the data from his home in January” [para 67].

In essence the Appellants’ Senior Counsel was arguing that the law on vicarious liability only permitted the employer to be liable for the conduct of the employee if the employee was on the job at the time. In essence, Senior Counsel was arguing that the chain of liability ended at the same time as Mr. Skelton’s employment ended. However, that argument did not fair much better in the Court of Appeal than it did in the High Court.

This point which troubled Mr Justice Langatsff in the High Court the most features in ground of appeal three and that is this: the motivation of Mr. Skelton was to cause harm to Morrisons; by finding Morrisons vicariously liable renders the court an accessory in furthering Mr. Skelton’s criminal aims. It appears that it was this point that triggered Mr Justice Langstaff to grant permission to appeal to Morrisons. None of the cases to which the court was referred did the situation arise where the conduct for which the employer was to be held vicariously liable arose out of the employees settled determination to cause harm to the employer. However, it had been held in previous decisions that the motive of the employee was irrelevant in reaching a determination as to whether the employer was vicariously liable. The Appellants’ Senior Counsel argued that “there is an exception to the irrelevance of motive where the motive us, by causing harm to a third party, top cause financial or reputational damage to the employer.” [para 76] The Court of Appeal was, however, unpersuaded. [para 76]

The Appellants’ senior counsel also sought to argue that a finding of vicarious liability in this case would place an enormous burden upon Morrisons and on innocent employers in cases that could come in the future. However, the Court of Appeal was not persuaded by this argument. At paragraph 77 of its judgment the court states “[a]s it happens Mr Skelton’s Nefarious activities involved the data of a very large number of employees although, so far as we are aware, none of them has suffered financial loss. But suppose he had misused the data so as to steal a large sum of money from one employee’s bank account. If Morrisons’ arguments are correct, then (save for any possible claim against the bank) such a victim would have no remedy except against Mr Skelton personally.” The court compared that situation to the one which arose in what was described by the court as “the foundation of the modern law of vicarious liability” [para 76] In that case a solicitor’s clerk dishonestly procured a conveyance in his own favour of the client’s property.

The solution proposed by the Court of Appeal to any burden that might be placed upon employers arising out of data theft incidents was insurance. [para 78].

The appeal was therefore dismissed by the Court of Appeal. It remains to be seen whether this will be the end of this aspect of the proceedings, or whether Morrisons will seek to appeal the matter to the Supreme Court. The level of damages to be awarded is yet to be determined as that matter was split from the issue of liability when the case was before the High Court. Whether we will ever get to see any judicial writings on quantum will depend upon whether that can be agreed between the Claimants and Morrisons.

Application in Scotland
This is, of course, a judgment of the England and Wales Court of Appeal; Scotland has a separate and distinct legal system meaning that English court judgments do not bind Scottish courts, but rather are of persuasive authority – especially when they deal with matters of law which are common across the whole of the UK (such as data protection law).

It should be noted that in Scotland there is no authority on whether breach of confidence is a delict (the Scottish equivalent of tort) or a unique obligation; nor, has there been any authority considering relationship between breach of confidence and “misuse of private information” in relation to Scots law. It has been argued by academics that the Scottish courts would likely follow the English position; however, this is yet to be tested in the law of Scotland (and, for what it’s worth, I agree with the position that the Scottish courts would likely follow the English courts on this matter). Therefore data controllers with a presence in Scotland should be careful when considering the Court of Appeal’s comments in relation to the tort of misuse of private information.

Data Controllers in Scotland should not ignore this judgment for various reasons. Firstly, it may be that although the controller is based in Scotland they may be processing the personal data of data subjects based in England who may, dependent upon the circumstances, be able to bring proceedings in an English court as opposed to a Scottish court. Secondly, it is only a matter of time before claims of this nature come before the English courts. Litigation of this nature has been rare in Scotland for a variety of reasons, but with the advent of Group Proceedings through the Civil Litigation (Expenses and Group Proceedings) (Scotland) Act 2018 it might well become much easier for large groups of data subjects to bring claims against data controllers.

Alistair Sloan

If you would like advice or assistance in connection with Data Protection/Privacy, or if you would like advice and assistance with any other Information Law matter we would be pleased to hear from you. You can contact Alistair Sloan on 0345 450 0123.  Alternatively, you can send him an E-mail.