The UK High Court recently found supermarket chain Morrisons vicariously liable for the actions of an ex-employee who leaked payroll data of almost 100,000 employees. The claim was brought by 5,518 employees of Morrisons. This is an important decision as it is the first class-action case for a personal data breach in the UK, and demonstrates how an employer can be liable for an employee’s data breach.
In Various Claimants v WM Morrisons Supermarket PLC  EWHC 3113 (QB) a senior auditor at Morrisons, Mr Skelton, downloaded and leaked payroll data of almost 100,000 employees, while assisting KPMG with an audit. Mr Skelton posted the data on a file sharing website, and sent it anonymously to three newspapers, one of which notified Morrisons. The newspapers did not publish the data, which consisted of personal data such as names, addresses, dates of birth, salaries, and bank details, and Morrisons immediately took steps to ensure the website was taken down, and alerted the police. Subsequently 5,518 Morrisons’ employees, whose data was disclosed, brought compensation claims for breaches of privacy, confidence and data protection laws. These claims were made on the basis that Morrisons was primarily liable for its own acts and omissions, and vicariously liable for the actions of Mr Skelton that harmed his colleagues.
The UK High Court ruled that Morrisons was vicariously liable for Mr Skelton’s actions. However, primary liability was not established, as Morrisons had not breached any of the data protection principles, save in one respect which was not causative of any loss.
In finding Morrisons vicariously liable, the Court considered whether the data breach was connected by time, place and nature from the employee’s employment, as per Mohamud v WM Morrison Supermarkets PLC  UKSC 11,  AC 677. It held that there was an “unbroken thread” that linked the work that Mr Skelton was doing to the breach. The data was given specifically to him for a task that he was carrying out in the course of his employment, and even though he was told to only disclose the data to KPMG, his disclosure to other parties had a sufficient link to his task, particularly due to the fact that he was entrusted with it. The fact that the disclosure occurred later, outside of working hours and with the intention to injure the employer was deemed to be irrelevant. Therefore the Court concluded that Mr Skelton’s criminal act of disclosing the payroll data was sufficiently closely connected to his employment so as to make Morrisons vicariously liable.
The Court was, however, uncomfortable with its decision on vicarious liability. The judge stated: “the wrongful acts of Skelton were deliberately aimed at the party whom the claimants seek to hold responsible, such that to reach the conclusion I have may seem to render the court an accessory in furthering his criminal aims. I grant leave to Morrisons to appeal my conclusion as to vicarious liability, should they wish to do so, so that a higher court may consider it: but would not, without further persuasion, grant permission to cross-appeal my conclusions as to primary liability.”
This is a landmark decision, being the first data breach class action in the UK. It is likely that more of these class action cases for data breaches will be taken in the UK after the enforcement of the GDPR on 25 May 2018. Article 80 of the GDPR permits not-for-profit bodies or associations to bring judicial actions on behalf of data subjects, where permitted by Member State law, and the draft UK Data Protection Bill provides for such class actions. However, it remains to be seen whether data breach class actions cases will be permitted in Ireland in the future, as current Irish law does not permit such actions, and the draft Irish Data Protection Bill 2017 does not provide for same in regard to the GDPR. There does, however, appear to be an appetite to permit class actions here, as demonstrated by the recent Private Members’ Multi-Party Actions Bill 2017.
The decision in this case dealt with liability only, so the compensation to be awarded has yet to be determined. It is noteworthy that under UK law the employees affected by the data breach do not have to have suffered financial loss as a result of the breach, and may be awarded damages for any distress caused by the breach (following Google v Vidall-Hall  EWCA Civ 311). Whilst it is not yet possible to recover compensation for non-material loss, such as distress, in Ireland (see Collins v FBD Insurance  IEHC 137), such compensation may be awarded here post-25 May 2018 (pursuant to Article 82 of the GDPR).