Supreme Court: Morrisons not liable for data breach caused by ‘rogue’ employee

In a resoundingly unanimous verdict the Supreme Court has overturned the judgments of both the High Court and the Court of Appeal, and ruled that Morrisons is not vicariously liable for the actions of its rogue employee Andrew Skelton. The decision will come as a relief to employers in the UK who were stunned by the lower courts’ decisions, which seemed to suggest that an employer’s liability for the acts of its employees, even when outside the scope of their employment, knows no bounds.

The Supreme Court found that the Court of Appeal had misunderstood the age-old test to be applied in such cases: whether the employee’s actions were ‘so closely connected’ with the employee’s proper and authorised duties that vicarious liability should exist. The real test to be applied, said the Court, is whether the employee was engaged, however misguidedly, in furthering his employer’s business, or instead engaged solely in pursuing his own interests: on a ‘frolic of his own’ in the phrase beloved by lawyers.

In the case of Morrisons’ rogue employee Mr Skelton, the Court was clear that he had indeed been on such a frolic, since his actions (posting the data of thousands of Morrisons employees on the internet) were carried out purely for his own personal reasons (in this case, it seems, some form of revenge).

The court also noted in passing that “there does not appear to be any previous case in which it has been argued that an employer might be vicariously liable for wrongdoing which was designed specifically to harm the employer”, although the judgment does not appear to turn on that point.

Of more interest to data protection lawyers, the Court also expressed its view, necessarily obiter since no vicarious liability had been found, that if Morrisons had been vicariously liable for Mr Skelton’s actions there is nothing in the Data Protection Act 1998 (DPA) that would have excluded that liability. Their lordships’ logic was that, following the authorities, vicarious liability should exist unless the relevant statute either expressly or impliedly indicates otherwise. Since the DPA is silent on the point, Morrisons had argued that the DPA impliedly excludes vicarious liability because it creates liability for the data controller alone, and it was common ground that Mr Skelton was acting as a data controller in committing his nefarious acts. The Court simply disagreed with that argument, finding no such implication in the language of the statute. In our view, this same logic would apply to the Data Protection Act 2018 and the GDPR.

On a final note, employers should bear in mind that vicarious liability remains a risk when an employee is found to be acting within his or her ‘field of activities’ when the deed is done. Also, vicarious liability was tested to the limit in this case because Morrisons was found to have done nothing itself which would have been a breach of the DPA, nor had it acted or omitted to act in any other way which resulted in any primary liability. That primary liability can obviously still arise if a company is found to be itself in breach of data protection law, or any other legal principle.