« Importantly, however, the Supreme Court also ruled that the plaintiffs won part of the appeal. For the first time, the Supreme Court has established the legal principle that employers can now be held legally liable for data protection breaches caused by their employees – under the law of enforcement liability. This is very important because most data breaches are caused by human error. This decision improves data protection for millions of people in this country who are forced to share their own information with companies every day. This will raise standards. The Queen`s Bench concluded that Morrisons was not directly responsible for the violation of the SPL, but on behalf of Skelton`s violation of the SPL and the alleged common law offences. He rejected Morrison`s argument that an employer could not be held liable for a violation of the HPA. He believed that his employer had given him the opportunity to steal the data by providing it to him for a legitimate job in the course of his job, describing the misconduct as « a continuous and homogeneous sequence of events. » an unbroken chain » as defined by Mahamud v. WM Morrison Supermarkets plc  AC 677 (U.K.S.C.). In this case, a gas station employee argued with a customer, left his kiosk, approached the customer`s vehicle and warned him never to return to the gas station, and then attacked the customer. This lack of precision is inevitable given the infinite range of circumstances in which the problem occurs. The decisive characteristic(s) justifying or rejecting the responsibility of enforcement agencies varies considerably from case to case. Essentially, in all cases, the court makes an evaluative judgment, taking into account all the circumstances and, most importantly, taking into account the support provided by previous judicial decisions.
In this area, the latter form of support is particularly valuable. (emphasis added) The judgment found that Morrisons was not liable under either the law or the common law for his employee`s actions, as the conduct itself was intended to harm Morrisons. This disclaimer also addresses the future of data protection litigation in light of the evolution of the legal framework in the UK since 2018. The Supreme Court quoted Lord Nicholls at paragraph 32 of Dubai Aluminium  2 AC 366, in which he distinguished: « Cases. if the employee, although mistaken, has engaged in the promotion of his employer`s business, and in cases where the employee pursues only his own interests: on his own « game », in the language of the word in the secular fashion. The decision is likely to lead to a collective sigh of relief for organizations that have been closely watching their potential liability in data breach class actions. It is important to note, however, that Morrison`s case and verdict are very specific to the facts; This doesn`t close the door to class action lawsuits for data breaches as a whole. Boards should continue to review the technical and organizational measures they have taken to prevent personal data breaches to reduce the risk of enforcement and class actions.
Anne Sammon, a labour law expert at Pinsent Masons, said employers would welcome the Supreme Court`s decision in the Morrison case. 47. All these examples illustrate the distinction drawn by Lord Nicholls in paragraph 32 of Dubai Aluminium (2003) 2 AC 366 between `cases`. if the employee, although mistaken, has engaged in the promotion of his employer`s business, and in cases where the employee pursues only his own interests: on his own « game », in the language of the word in the secular fashion. In this case, it is abundantly clear that Skelton was not involved in promoting his employer`s business when he committed the misconduct in question. On the contrary, he pursued a personal vendetta and sought revenge for the disciplinary proceedings initiated a few months earlier. In those circumstances, in accordance with the test set out by Lord Nicholls in Dubai Aluminium, having regard to the circumstances of the case and the relevant precedents, Skelton`s fault was not so closely connected with acts which he was authorised to commit for the purposes of Morrisons` liability to third parties as it could be regarded as having been committed by him in the normal course of his employment, for the purposes of Morrisons` liability to third parties. The Supreme Court issued its decision in WM Morrison Supermarkets PLC v. Various Claimants, a landmark privacy case in which the food giant was sued by its own employees after a massive data breach in 2014. David Barker, privacy and cyber risk expert at Pinsent Masons, said: « The Supreme Court titles are obviously good news for Morrisons and good news for data controllers in general.
If the judgment of the Court of Appeal had been upheld, it would have exposed controllers to the risk of complaints, even if they had processed personal data appropriately. However, the Supreme Court did not conclude that vicarious liability can never be incurred under data protection laws. This means that each case depends on its facts. The case involved the disclosure on the Internet of payroll information for 100,000 Morrisons employees by Andrew Skelton, an internal auditor unhappy with Morrisons. « In the Morrison case, the employee in question acted maliciously and was convicted of a crime that carried an eight-year prison sentence. Other scenarios may not be so clear, » he said. Today, the Supreme Court released its decision in Wm Morrisons Supermarkets Plc v. Various Claimants  UKSC 12, closing a case that had the potential to significantly change the landscape of privacy and cybersecurity litigation and class actions.
It follows from the foregoing that the judge and the Court of Appeal misunderstood the principles of vicarious liability on a number of relevant points, the following of which were particularly important. First, the disclosure of data over the Internet was not part of Skelton`s tasks or activities in the sense that Lord Toulson used these terms: it was not an act to which he was authorized, as Lord Nicholls said. Second, the fact that the five factors listed by Lord Phillips in Various Claimants v Catholic Child Welfare Society  2 AC 1, paragraph 35 were all present was irrelevant. The question is not whether the fault in question is so employment-related that liability should be imposed on enforcement agents, but the separate question whether, in the case of misconduct committed by a person who is not employed, the relationship between the perpetrator and the defendant is so similar to the employment that the doctrine of vicarious agents` liability should apply. Third, although there is a close temporal link and an unbroken causal chain linking the provision of the data to Skelton for the purposes of transmission to KPMG and dissemination over the internet, a temporal or causal link does not in itself satisfy the close connection test. Fourthly, the reason why Skelton acted unlawfully is not irrelevant: on the contrary, whether he acted in his employer`s business or for purely personal reasons is extremely important. The decisive factor is whether the unlawful act was sufficiently closely related to what the worker was entitled to do. In the Mohamud case, it was crucial that the employee pretend to be responding to his employer`s affairs by threatening the client not to return to the employer`s premises and not to act to achieve a personal goal. On the other hand, in the present case, « the worker was not involved in the promotion of his employer`s business when he committed the fault in question.
On the contrary, he pursued a personal vendetta and sought revenge for the disciplinary proceedings initiated a few months earlier. The decision again states that employers should not be held responsible for the actions of employees who pursue their own goals. In the appeal to the UK Court of Appeal, it was accepted that nothing in the SPL excluded the liability of enforcement agents. It upheld the trial judgment and held that « [t]he offences committed by Mr. S. Skelton, in passing on the plaintiffs` data to third parties, was, in our view, within the scope assigned to it by Morrisons and « emphasized that the events constituted a `continuous and continuous sequence` or `uninterrupted chain` of events » (paragraph 14). The Court of Appeal recognized that the situation of the employee`s motive to harm the employer was a unique feature of the case, but that the employee`s motive was not relevant to Mohamud`s analysis of vicarious liability. « The Supreme Court has effectively ruled that if an author discloses data with the specific intent to harm his employer, the employer cannot be held vicariously liable.
The plaintiffs, of course, respect the decision, but the troubling part of this conclusion is that the author in this case also wanted to harm his own colleagues, not just Morrisons, and he did so spectacularly.