On 1 April, in a landmark judgment, the UK Supreme Court (“the UKSC”) clarified its position on vicarious liability for data breaches. In this case, the Supreme Court ruled that the employer was not vicariously liable for a data breach committed by a rogue employee.
However, the Court did not rule out the possibility of applying vicarious liability, and considered that nothing in the Data Protection Act 1998 (“the DPA”), now repealed and replaced by the Data Protection Act 2018, excludes it.
This case is the first class action brought by data subjects to come before the Supreme Court. It is a good illustration of the insider threats that must be taken into account and of the consequences that can follow for a company.
What were the facts?
In 2013, a company operating a chain of supermarkets gave one of its internal senior auditors access to payroll data so that he could transfer it to the external auditors tasked with the annual audit of the company’s accounts.
To carry out the transfer, this employee was given access to the payroll data of the whole workforce, around 126,000 employees. The data consisted of the name, address, gender, date of birth, phone number, national insurance number, bank sort code, bank account number and salary of each member of staff.
However, the company had no idea that this senior auditor would plot to disclose the data in retaliation for disciplinary action taken against him earlier that year for minor misconduct. It must be underlined that he took several precautions to cover up his behaviour and his identity.
The scenario starts in October 2013, several months before the data breach. This senior auditor searched, using his work computer, for “Tor”, a network used to disguise the identity of a computer which has accessed the Internet.
In November, a few days after he formally requested access to the payroll data, he bought a pay-as-you-go mobile phone, which could not be traced back to him.
The following day, he gained access to the payroll data, and a few days later he carried out the transfer in compliance with the instructions he had received from his employer. In the meantime, he copied the data from his work laptop onto a personal USB stick.
In December 2013, he used the username and date of birth of a fellow employee, who had been involved in the disciplinary proceedings against him, to create a false email account in a deliberate attempt to frame that colleague. The email account was linked to the pay-as-you-go phone. He then deleted the data from his work laptop.
In January 2014, using the mobile phone, the false email account and Tor, this malicious employee published a file containing the data of 98,998 of the employees to a publicly accessible file-sharing website, with links to the data posted on other websites. The file was created from the personal copy of the data he had made on his USB stick. After this disclosure, he deactivated the email account.
In March 2014, he deleted the data and the file from the USB stick.
On the day the company’s financial results were due to be announced, the employee anonymously sent CDs containing the file to three UK newspapers, claiming he had found the file on the file-sharing website. The newspapers did not publish the data; instead, one of them alerted the company. Within a few hours, the company had taken steps to remove the data from the Internet, started internal investigations and informed the police. The company also informed the affected employees and took measures to protect their identities.
The employee was arrested a few days later and sentenced to eight years’ imprisonment. The company spent more than £2.26m dealing with the aftermath of the disclosure, in particular on protecting the identities of its employees.
Why did employees sue their company?
9,263 employees affected by the data breach brought proceedings against their employer.
They based their claims on breach of statutory duty under the DPA, misuse of private information and breach of confidence. They sought damages for the distress, anxiety, upset and damage they suffered following the data breach.
Both the trial judge and the Court of Appeal held that the company was vicariously liable for its employee’s wrongdoing. They stated, among other things, that there was nothing in the DPA which excluded vicarious liability. According to these courts, the wrongful conduct of the employee was committed in the course of his employment. It must be underlined that the fact that the employee’s motive was to harm his employer was not found relevant. The employer’s argument that the employee was the data controller of the data copied onto his USB stick was also rejected.
Is vicarious liability compatible with the DPA?
The Supreme Court overturned the decisions of the lower courts and pointed out that their approaches had “misunderstood the principles governing vicarious liability in a number of relevant respects”.
The Supreme Court pointed out that the lower courts had taken comments from a UKSC judge in the precedent they applied out of context, wrongly leading them to construe those comments as introducing new principles into the concept of vicarious liability.
Hence, the Supreme Court reaffirmed that the general principle in vicarious liability remained the close connection test, which provides that:
“the wrongful conduct must be so closely connected with acts the employee was authorised to do that, for the purposes of the liability of the employer to third parties, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment”.
Applying this principle, the UKSC found that this test was not met, which excluded the vicarious liability of the company for the data breach caused by its employee.
Despite a close temporal and causal link between the employee’s functions and his publication of the data on the internet, the Supreme Court found that:
- the disclosure of personal data “did not form part of [his] functions or field of activities”, nor was it “an act which he was authorised to do”,
- the motives of the employee in disclosing the data were “highly material” and ought to be considered, since the employee had decided to publish the data to harm the employer as part of a personal vendetta against it.
Having established that vicarious liability did not apply, the Supreme Court went on to clarify the interaction between this liability regime and the DPA. All the parties had agreed that the company and the employee were independent controllers in relation to the data published online. The company argued that it could not be held liable for the acts of its employee under the DPA, since it had complied with its own obligations as a controller and the employee was acting as a separate controller when he disclosed the data. The company pointed out that the “statutory scheme was inconsistent with the imposition of a strict liability on the employer of a data controller, whether for that person’s breach of the DPA or for his breach of duties arising at common law or in equity”.
However, the Supreme Court found this argument unpersuasive under the English law principles of statutory interpretation. It underlined that there was no basis for concluding that the common law doctrine of vicarious liability had been expressly or impliedly excluded by the DPA.
What is the scope of this decision?
This decision clarifies the limits of employers’ vicarious liability for data breaches, especially where the breach results from the unauthorised actions of a malicious employee.
Although it clarifies that employers will not generally be held liable for the acts of rogue employees acting outside their field of activities, it is important to point out that this decision turned on the specific facts of the case.
The main development brought by this decision is the recognition that vicarious liability and the DPA 1998 are in fact compatible. In other words, it remains possible for an unauthorised disclosure of personal data by an employee to result in the vicarious liability of the employer.
Such cases could include the negligent disclosure of sensitive documents by employees, or a data breach caused by an employee’s failure to follow internal data security policies. This legal solution is likely to be upheld under the GDPR and the DPA 2018.