Morrisons’ Last Chance Saloon at Supreme Court: Morrisons appeal against vicarious liability data breach ruling

November 25, 2019

2 min read

Sign up to our mailing list! 👇

What's going on here?

British supermarket chain Morrisons has appealed its case to the Supreme Court to try and overturn a ruling that found the supermarket giant vicariously liable for a data breach, after an aggrieved employee released staff’s personal data online and to newspapers.

What does this mean?

The Supreme Court will decide two issues:

  • Whether the Data Protection Act 1998 excludes vicarious liability; and
  • Whether the Court of Appeal made an error in ruling that the data leak occurred in the employee’s course of employment, which makes Morrisons vicariously liable.

After employee Andrew Skelton released the personal data of 100,000 staff online and to newspapers in January 2014, he was arrested, convicted of fraud, and sentenced to 8 years in prison.

Over 5,500 employees have since claimed compensation from Morrisons directly or through vicarious liability, as they hold Morrisons responsible for Skelton’s data leak.

What's the big picture effect?

This is the UK’s first data leak class action and Morrisons’ “last chance saloon”. Depending on the outcome of the Supreme Court hearing, the ruling could be overturned or affirmed a third time. If upheld, the decision could set new precedents on group liability, and have implications for all UK individuals, businesses and their insurers.

If the Supreme Court maintain that Morrisons is liable, Morrisons could end up with a serious fine and a substantial bill to pay out, as employees are likely to claim compensation for the upset and distress caused by these breaches of privacy, confidence and data protection laws. This could lead to an increase in “David-and-Goliath” group action cases against employers as current and former employees would be able to find a new route for recourse.

Many have expressed surprise that the Court of Appeal unanimously affirmed the High Court’s decision that Morrisons was guilty of vicarious liability, despite Skelton being jailed for his actions. Morrisons argued in court that it was not the “data controller”, suggesting that Skelton’s unlawful actions went beyond the scope of his role at the supermarket, indicating that the supermarket should not be liable for his conduct or the breach.

Unfortunately, we will have to wait until 2020 to learn the Supreme Court’s judgement.

Report written by Hannah-Mei Grisley

If you’d like to write for LittleLaw, click here!

Share this now!

Check out our recent reports!