The thousands of Morrisons employees who were behind the landmark data breach claim will no doubt be dejected following this month’s ruling by the UK's Supreme Court in favour of the supermarket.

Big organisations may, however, have breathed a sigh of relief.  In reality, however, respite is limited. 

The decision, which overturns previous High Court and Court of Appeal judgments, originated from the malicious leaking of 100,000 workers’ personal information by disgruntled Morrisons’ auditor Andrew Skelton.

The crux of the case was whether Morrisons was liable for the actions of its employee. Two more junior courts had both said yes to this question, but the Supreme Court overturned those decisions in favour of Morrisons. 

First of a kind

The case has received huge media attention as one of the first mass litigations in the UK involving the loss of personal data, to which the UK courts have consistently remained closed, in particular by comparison to the fully-fledged class action industry for data breach claims in the US.

However, the Morrisons case, importantly, was litigated under the now repealed Data Protection Act (DPA) 1998, specifically Section 13 which deals with compensation for failure to comply with certain requirements of the DPA, rather than under its successor act, the General Data Protection Regulation 2016 (GDPR). 

Section 13 of the DPA deals with the concept of damages and covers an individual who “suffers damage by reason of any contravention by a data controller”.

The argument was whether Morrisons would be ,vicariously liable, for a data breach for which its employee was responsible. 

The ruling added that since the DPA neither expressly nor impliedly indicates otherwise '…the principle of vicarious liability applies to the breach of the obligations which [the employer] imposes, and to the breach of obligations arising at common law or in equity, committed by an employee who is a data controller in the course of his employment'.

In conclusion the Supreme Court decided that Skelton was not authorised to disclose the relevant data online, overruling the decision of the lower courts that he had acted in the course of his employment, and concluded that Morrisons 'cannot therefore be held liable for Skelton’s conduct'. 

This is, of course, an encouraging result for those organisations who are subject to a data breach claim – the root cause of which is an individual’s actions – at least to a certain point.

In the Morrisons case, the trial of liability was separated from the trial of quantum in the lower courts, which did not take place and has now been superseded by the Supreme Court’s decision in the appeal. As a result, the remit of a claim for damages related to 'distress, anxiety, upset and damage' remains uncertain. 

The victory may be a boost for any companies facing ongoing claims under the now repealed DPA (as well as providing important legal clarification of the meaning of vicarious liability) but the story does not end here.

GDPR trumps DPA 

While the claimants against Morrisons failed to prove their case under DPA, under which there is no obvious route to argue for the recovery of non-financial damages, any organisation facing a claim under the EU-wide GDPR regime should now be paying close attention to the Morrisons decision and how the position on recovering damages for data breaches is evolving. 

In another ongoing data breach class action case – against British Airways – the class is pursuing the airline under GDPR, specifically Article 82, which allows victims who suffer damage as a result of a data breach to claim for 'material or non-material damage'.

The claim relates to BA’s September 2018 data breach which affected hundreds of thousands of registered BA users, where identity information as well as financial data was compromised by its failing security controls. 

There has been little guidance to date on the scope of recoverable 'damages', but the damages claimed in the Morrisons case could well be indicative examples of the heads of loss that will be accepted by future courts.  It is anticipated that non-financial losses, such as stress, anxiety and the non-financial damages associated with rebuilding lost or compromised identities will form part of any claim. 

Morrisons may have evaded liability under the DPA but that is not where the biggest risk lies for organisations.

With the UK indicating it will enact a UK GDPR post-Brexit to sit alongside the existing Data Protection Act 2018, which mirrors and supplements the provisions of GDPR, any entity that has a serious data breach should be greatly concerned by the potential scope and financial magnitude of a claim under GDPR, whether brought by an individual or a class of jointly represented individuals.

Furthermore, employers who fail to comply with the security obligations required by GDPR in a manner that is linked to an employee’s rogue actions are also exposed to direct liability under GDPR. 

Kim Roberts is a counsel at King & Spalding's London office

Further reading on data and privacy

US companies lack resources to check on data privacy compliance, survey finds — More than half of respondents unsure if they are fully compliant with new regulations

Total GDPR fines climb to €114m as companies struggle to comply with regime

GPR regime emerges as early candidate for post-Brexit divergence

Data ethics transforming privacy law after 'social media hangover'

Relief after ECJ backs global data transfers

Calling out e-privacy regulation shortcomings