Author: Naman Malik
To the Point
Corporate liability for data protection failings in the UK is a double-edged sword: a business is primarily liable for its own inadequate security measures under the UK GDPR, but it also faces common law claims under vicarious liability for the actions of its employees. The UK Supreme Court’s landmark decision in WM Morrison Supermarkets plc v Various Claimants gave businesses a substantial, albeit limited, reprieve from lawsuits resulting from malicious employee actions. The UK GDPR/DPA 2018 still imposes a heavy burden of direct responsibility on the corporate entity, requiring strong organisational and technical security measures, as confirmed by later High Court rulings and the constant . The key legal battle remains the interpretation of whether the employee’s wrongful act was “closely connected” to their authorised duties.
Use of Legal Jargon
Vicarious Liability: A common law doctrine that makes an employer legally responsible for the wrongful acts (torts) of its employees, provided those acts are committed in the course of their employment.
Controller/Processor: Terms defined by the UK GDPR. The Controller (the organisation) determines the purpose and means of processing personal data and bears the primary legal responsibility. The Processor processes data on the Controller’s behalf.
Non-Material Damage: A concept under UK GDPR allowing individuals to claim compensation for distress, anxiety, and loss of control over their personal data, even without financial loss.
Misuse of Private Information (MPI) & Breach of Confidence (BoC): Common law torts often brought alongside GDPR claims, particularly where highly sensitive data is involved. MPI requires a reasonable expectation of privacy.
Close Connection Test: The standard applied in UK vicarious liability cases: the employee’s unauthorised or wrongful conduct must be so closely connected with acts they were authorised to do that it can fairly and properly be regarded as done while acting in the ordinary course of employment.
Material Scope (of GDPR): The types of data processing activities that are regulated by the UK GDPR. Recent cases have tested these limits, particularly concerning international actors.
The Proof (Legal Analysis)
The modern legal landscape for corporate data security is a fusion of strict statutory liability (UK GDPR) and nuanced common law principles (Vicarious Liability).
I. The Supreme Court’s Clarification on Vicarious Liability: The Morrisons Case
The case of WM Morrison Supermarkets plc v Various Claimants [2020] UKSC 12 is the definitive authority on an employer’s vicarious liability for a rogue employee’s data breach under English law.
• The facts: In an effort to harm his employer, a disgruntled senior internal auditor with authorised access to staff payroll data copied the personal information of almost 100,000 coworkers and deliberately posted it online.
• The Lower Courts: Morrisons was found vicariously liable by both the High Court and the Court of Appeal, which reasoned that the employee’s data processing formed an “unbroken chain” beginning with an authorised work task.
• The Supreme Court’s Reversal: The ruling was unanimously overturned by the Supreme Court. It concluded that the employee’s primary motivation—a personal grudge to hurt Morrisons—was crucial. Importantly, the court decided that the employee’s wrongdoing (posting the data) was not sufficiently related to the acts he was permitted to perform (transferring payroll data) to be justly and appropriately considered to have occurred during his employment. Instead of advancing the employer’s business, his goal was to cause harm to it.
The Caveat: Although Morrisons was granted relief, the Supreme Court explicitly affirmed that the doctrine of vicarious liability does, in theory, apply to data protection claims. This means that claims in which an employee’s actions are careless, unintentional, or not obviously motivated by a malicious intent to harm the employer are still open.
II. Direct Liability Under UK GDPR: The Corporate Responsibility
The Morrisons judgment offered no shelter from direct, primary liability under the UK GDPR and DPA 2018, which is the main financial threat to corporate health.
The Standard: Under Article 5 of the UK GDPR, data controllers must implement “appropriate technical and organisational measures” to ensure data security (the ‘Integrity and Confidentiality’ principle). This is a strict liability regime.
The High Court’s View on Negligence: In Warren v DSG Retail Ltd [2021] EWHC 2168 (QB), the High Court dismissed claims based on the common law torts of MPI and Breach of Confidence following a cyber attack, stating these torts require a positive wrongful act by the defendant (or the employee). However, the underlying claim for breach of the statutory duty under the DPA remained. This reinforces that while common law torts may require a positive act, the GDPR/DPA statutory duty can be breached by a simple failure to maintain adequate security.
ICO Fines: The ultimate risk is the ICO’s power to issue massive fines (up to £17.5 million or 4% of annual global turnover). Recent ICO enforcement actions—for instance, against organisations that failed to implement multi-factor authentication or properly oversee third-party suppliers—prove that the corporate entity remains primarily accountable for any security failure, regardless of the employee’s motivation.
III. The Modern Scope of Damages: Non-Material Harm
The ability of claimants to recover compensation for non-material damage is the final factor that makes these claims so viable. Because the Supreme Court acknowledged this possibility, anyone whose data is compromised may receive sizeable compensation for the distress, anxiety, and loss of control they have suffered, even where they have experienced no financial loss. In any group litigation, this significantly expands the pool of potential claimants and increases the corporate financial exposure.
Case Laws
WM Morrison Supermarkets plc v Various Claimants [2020] UKSC 12 (the vicarious liability authority): Overturned the Court of Appeal, holding that an employer is not vicariously liable for the malicious data breach of an employee when the act was driven by a personal vendetta and was entirely unconnected to the furtherance of the employer’s business. Crucially, confirmed that vicarious liability can apply to data protection claims in principle.
Warren v DSG Retail Ltd [2021] EWHC 2168 (QB) (the common law/statutory divide): Dismissed claims for Misuse of Private Information and Breach of Confidence against the retailer following a cyber attack, ruling that these common law torts generally require a positive, wrongful act by the defendant or employee, not a simple failure to secure data. The case redirected liability squarely back to the statutory duty under the DPA (now UK GDPR), where liability for a failure to implement adequate security is strict.
Various Claimants v Google LLC [2021] UKSC 4 (the representative action hurdle): Though primarily a competition law case, the judgment significantly impacted data breach litigation by limiting the use of “representative actions” (where one person sues on behalf of a class) for claims seeking individualised damages like distress or anxiety. This ruling has made it harder to launch large-scale, opt-out data breach claims in the UK that rely on non-material damage.
Conclusion
The corporate entity, acting as the Data Controller, is the ultimate guarantor of data security in England and Wales. This is a complicated but unambiguous legal stance regarding employee-caused data breaches. In the Morrisons case, the Supreme Court drew a significant distinction by shielding employers from malevolent actions motivated only by self-interest, but it did not establish a complete barrier. The employer remains at risk of common law vicarious liability for any careless, unintentional, or even tangentially related employee data release. More significantly, regardless of whether the breach was internal or external, the UK GDPR’s strict liability scheme guarantees that the company will continue to be subject to severe regulatory fines and direct compensation claims for any security failure. The law demands that corporations move beyond simple compliance checklists to build a culture of security, underpinned by robust governance and technology, as the financial and reputational cost of failure is astronomical.
FAQs
Q1: What exactly is the ‘close connection’ test under English law?
A: The Close Connection Test requires the court to assess whether the employee’s wrongful act was so intertwined with their authorised duties that it can be reasonably viewed as being done in the ordinary course of their employment. It is not enough that the employment merely gave the employee the opportunity to commit the wrong. The key is the relationship between the authorised act and the unauthorised act.
Q2: Can a company still be sued for a data breach if the rogue employee has already been jailed?
A: Yes, absolutely. The criminal conviction of the employee (as happened in the Morrisons case) addresses the public aspect of the crime. The civil claims brought by the data subjects (the employees) are separate and are aimed at recovering compensation from the deep-pocketed employer (the company) for their distress and losses.
Q3: What type of data breach is still most likely to lead to vicarious liability for the employer?
A: The employer is most vulnerable when the breach is caused by negligence or human error, such as an employee accidentally sending an unencrypted email containing personal data to the wrong person, or leaving a password unsecured. In these cases, the employee is clearly performing a work task (sending an email, handling a password) and their negligence is closely connected to their authorised duties.
Q4: How does the ICO fine system differ from civil liability claims?
A: The ICO fine is a regulatory penalty imposed on the Controller (the company) for failing to comply with the UK GDPR, acting as a punishment and deterrent. Civil liability claims (like those for Non-Material Damage) are brought by the individual data subjects against the Controller (the company) to seek personal compensation for the damage or distress they suffered. They are two separate forms of legal action.
Q5: What is the significance of the DSG Retail case dismissing the Misuse of Private Information (MPI) claim?
A: The DSG Retail case established that the common law torts of MPI and Breach of Confidence are difficult to apply to security breaches caused by external hacking or lack of internal security measures (i.e., a failure to act). This is significant because it forces claimants to primarily rely on the statutory breach of duty under the UK GDPR, where the liability standard is strict (meaning fault is less relevant than the failure itself).
