The
Background
In 2014,
In the first action of its kind, 5,518 of the employees affected by the breach brought a class action against
Supreme Court judgment
The
Whether the DPA excludes the application of vicarious liability to a breach of that Act, or for misuse of private information or breach of confidence; and
Whether the
Court of Appeal erred in concluding that the disclosure of data by the appellant's employee occurred in the course of his employment, for which the appellant should be held vicariously liable.
In allowing the appeal, the Supreme Court unanimously held:
- The Court of Appeal had misunderstood the principles governing vicariously liability. In considering the application of the 'close connection' limb of the two-stage test for establishing vicarious liability, the Supreme Court held that employers will not be liable for an employee's wrongful act where that act is not engaged in furthering the employer's business, and is an effort to deliberately harm the employer as part of a vendetta. Consequently no vicarious liability arose in this case.
For a further insight into the vicarious liability element of the
The argument by
Morrisons that the DPA excluded vicariously liability was "unpersuasive". While it was not necessary to express a view on this point in light of the conclusion that the appellant was not vicariously liable for Skelton's actions, the Court held that imposing vicarious statutory liability was "not inconsistent" with the existence of vicarious liability at common law. In particular:"Imposing statutory liability on a data controller like Skelton is not inconsistent with the co-existence of vicarious liability at common law, whether for breach of the DPA or for a common law or equitable wrong, as the DPA says nothing about a data controller's employer. It is irrelevant that a data controller's statutory liability under the DPA is based on a lack of reasonable care, while vicarious liability for an employee's conduct requires no proof of fault. The same contrast exists at common law between, for example, an employee's liability in negligence and an employer's vicarious liability. It makes no difference that an employee's liability may arise under statute instead [54-55]. The appeal is therefore allowed [56]."
Implications
This case represents the first data class action in the
The
There is a question to be raised as to whether any potential avenues of pursuing vicarious liability claims against employers remain for affected data subjects in future cases. While the affected data subjects may be prevented from pursuing a class action on grounds of vicarious liability in circumstances where the employee was held to be acting outside of the course of employment when the data breach occurred, the Supreme Court has left the door open for class actions to be brought under the DPA in circumstances where an employer is held vicariously liable for a data breach. There are also likely to be other routes for a class action that the cyber insurance market will be exposed to. This Supreme Court decision does however narrow one particular sub-species of potential grounds for data subjects to claim.
Over the next few weeks, we will be considering the implications of this landmark judgment and providing further insights focussing on its impact on the cyber insurance landscape.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
Ms
138 Houndsditch
EC3A 7AR
Tel: 207876 5000
Fax: 207876 5111
E-mail: communicationsteam-global@clydeco.com
URL: www.clydeco.com
© Mondaq Ltd, 2020 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source