The Supreme Court has just handed down its judgment in the appeal in the data protection/vicarious liability case of Wm Morrisons Supermarkets v Various Claimants (UKSC 2018/0213). The following was originally published as a thread on Twitter, which I live tweeted as I took a preliminary run through it. As such, the usual caveats apply – this is a first reaction and (even more so than most of my posts) not to be considered to be legal advice!

Some context first: this appeal related to a claim under the DPA 1998 by a group of c. 5,000 current/former Morrisons employees, relating to a data breach involving their payroll data. It was deliberately leaked by a rogue employee looking to injure the business and to get revenge for a disciplinary hearing he had earlier been subjected to.

The employee went to prison. Morrisons escaped direct liability (because, broadly, they had adequate safeguards) but the Courts below nevertheless found them vicariously liable. Morrisons appealed that conclusion to the Supreme Court. It’s a case that has attracted a lot of attention, because of the wide-ranging implications for data controllers. The decisions below left controllers feeling exposed to liability whenever their employees committed a breach – even if the motives of the employee had been maliciously to harm the employer.

The Court of Appeal’s answer to the possibility that this would greatly increase the exposure of controllers in circumstances where they were factually innocent? “Buy more insurance” ([2018] EWCA Civ 2339, at para. 78).

The Supreme Court was asked to consider two questions: First, whether claimants were prevented by the terms of the DPA 1998 from suing under vicarious liability for a breach of the Act; for misuse of private information; or for breach of confidence. Second (if a vicarious liability claim was available in principle), whether the Court of Appeal erred when it found that the disclosure of data by the rogue employee occurred in the course of his employment for Morrisons.

As was made immediately clear by the introduction to the judgment, the Supreme Court's conclusion turned on the interpretation of an earlier case (ironically, one that also involved Morrisons): Mohamud v WM Morrison Supermarkets [2016] UKSC 11. The introductory paragraphs set out the facts, which will be familiar to most. They record the history of the trials below and the Court's conclusions that Morrisons were not at fault and that the rogue employee was motivated by malice against his employer.

The judgment also makes clear that both the first-instance decision and the Court of Appeal's decision to uphold it were based on an interpretation of the Supreme Court's earlier decision in Mohamud which, as the Supreme Court went on to explain, was flawed. In particular, the Courts below had focused on an element of the test in Mohamud that there should be "an unbroken sequence of events" between the conduct and the employee's employment generally. In other words, the Courts below had concluded that if the type of activity which founded the claim was within the field of activity permitted by the employer, the employee's motives did not matter.

In stark contrast to this approach, the Supreme Court emphasised that their decision in Mohamud had never been intended to authorise a departure from the existing law on cases where employees took advantage of the circumstances of their employment to do something harmful. So, for example, the House of Lords decision in Dubai Aluminium Co v Salaam [2002] UKHL 48 still applied - this was a case where one of the partners in the firm had used his position to effect a fraud.

In that case, Lord Nicholls explained the limiting test that ought to be applied in order to establish whether the employer could be found vicariously liable: "the wrongful conduct must be so closely connected with acts the ... employee was authorised to do that ... the wrongful conduct may fairly and properly be regarded as done" by the employee in the ordinary course of his employment.

The Supreme Court explained that Lord Toulson's decision in Mohamud had been clearly expressed to build on those earlier authorities, and was not intended to subvert them. References, relied on heavily by the claimants in the hearings below, to the employee's motive being "irrelevant" had to be read within that wider context.

This conclusion, that the Courts below had been led astray in their interpretation of the principles in Mohamud, led to the conclusion that the question of vicarious liability had to be considered afresh by the Supreme Court. In that fresh appraisal, the Supreme Court considered the question of the rogue employee's motive to be of overwhelming importance. It was not enough that his employment gave him the opportunity for wrong-doing, nor that he had been entrusted with the data disclosed. This seems uncontroversial. As the Court wryly observed: "Perhaps unsurprisingly, there does not appear to be any previous case in which it has been argued that an employer might be vicariously liable for wrongdoing ... designed specifically to harm the employer."

The distinction remains (per Nicholls in Dubai Aluminium) between "cases... where the employee was engaged, however misguidedly, in furthering his employer's business, and cases where the employee is engaged solely in pursuing his own interests".

In that context, the remainder of the judgment is of, perhaps, only academic interest. It is certainly not binding, given that it involves consideration of a question which has been rendered hypothetical, for the purposes of this case. But for data protection lawyers, the question of whether or not the DPA excludes vicarious liability (in principle) for data breaches or misuse of confidential information is perhaps the more interesting.

Morrisons' argument had been that the DPA 1998 (now superseded by the 2018 Act) implicitly excluded vicarious liability because the Act contained a defence to data breach claims, that the controller had "taken such care as in all the circumstances was reasonably required". Elsewhere (Sch. 1, para 10) the Act required controllers to "take reasonable steps to ensure the reliability of any employees... who have access to personal data." (emphasis added)

Morrisons argued that the focus on reasonableness implicitly excluded the possibility of strict (vicarious) liability, where an employee's conduct occurred despite reasonable care having been taken. Unfortunately for Morrisons (and data controllers everywhere) this argument was damned with the most fatal of faint praise: it was "attractively presented" but "not persuasive".

Nevertheless, the Court's wider (and binding) conclusion that controllers cannot be vicariously liable for the unauthorised actions of rogue employees, outside of the scope of their employment, brings some much-needed clarity to the law in this area. It will be a welcome relief to data controllers, but the sting in the tail is a reminder that controllers still need to take all reasonable steps to ensure that the actions of employees within the course of their employment remain compliant. There, the risk of vicarious liability remains very real indeed - a sobering thought particularly in these times where direct supervision of staff is increasingly difficult to ensure.