In this case preview, Kenny Henderson and Joanna Clark, who both work within the CMS Dispute Resolution team, consider the appeal which starts tomorrow in the matter of WM Morrisons Supermarket plc v Various Claimants:

On 6 and 7 November 2019, the Supreme Court will hear Morrison’s appeal from the ruling of the Court of Appeal, in a data breach claim brought by 5,500 employees.  The claim raises important questions of employee liability for the actions of rogue employees.  It is one of a series of large cases which are working their way through the Courts (including claims against Google and British Airways), which each illustrate the increasing risks businesses face from group claims/class actions, arising from data protection breaches.

Factual background and first instance decision

The claim concerns the liability of Morrisons for the criminal actions of a rogue employee.

The employee in question, acting in the course of his duties, downloaded a copy of the company’s payroll data pertaining to almost 100,000 employees.  Two months later  he uploaded the data onto a file sharing site using his home computer. Subsequently, he anonymously sent a CD containing the data to three different newspapers pointing out that this data had been made available on the web. Two of the newspapers alerted Morrisons to the matter who immediately took steps to have the website taken down and contacted the Police. The employee was subsequently charged with fraud and offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (“DPA”). He was later sentenced to eight years’ imprisonment.

A group action seeking damages was then launched against Morrisons on behalf of around 5,500 of the employees affected by the data breach. The claimants argued that Morrisons were liable – either primarily or vicariously – for breach of statutory duty under the DPA, misuse of private information and/or breach of confidence.

At first instance, Langstaff J held that Morrisons had no primary liability to the claimants. Morrisons had not directly misused or authorised or carelessly permitted the misuse of any information personal to the employees. However, in relation to vicarious liability, the judge held that there was a sufficient connection between the position in which the employee was employed and his wrongful conduct such that Morrisons should be held vicariously liable.

The Court of Appeal’s decision

Morrisons appealed the decision: Wm Morrisons Supermarket PLC v Various Claimants [2018] EWCA Civ 2339. They put forward three grounds of appeal:

  1. the DPA excluded the application of vicarious liability;
  2. the DPA excluded the common law remedies of misuse of private information and breach of confidence (and/or the imposition of vicarious liability for breaches of the same); and
  3. the judge had been wrong to conclude that the wrongful acts of the employee occurred in the course of his employment and that Morrisons were vicariously liable for those acts.

Grounds 1 and 2: Exclusion from the DPA

The Court of Appeal rejected Morrisons’ arguments on the first and second grounds of appeal, noting that the DPA contained no express exclusions to this effect.

“…if Parliament had intended such a substantial eradication of common law and equitable rights, it might have been expected to say so expressly.”

The court also noted that Counsel for Morrisons had sought to tread “a difficult line” in her oral submissions, conceding on the one hand that causes of action at common law and in equity operated in parallel with the DPA in respect of the primary liability of the wrongdoer while simultaneously arguing that vicarious liability for the same causes of action had been excluded by the DPA. This could, the court said, be viewed as inconsistent with one of the DPA’s principal aims, namely the protection of privacy and provision of an effective remedy for its infringement.

Ground 3: Vicarious liability

In relation to the third ground of appeal, Morrisons submitted that that the tortious act which had caused the harm in this case was the disclosure of the data. This act (the uploading to the filesharing website) had been carried out by the employee at his home, using his personal computer, on a Sunday, several weeks after he had downloaded the data onto the personal USB stick. Morrisons argued that in these circumstances, vicarious liability did not arise.

The Court of Appeal rejected this argument, pointing out firstly that the claimants had had a cause of action in tort against the employee as soon as he downloaded the data onto his personal USB stick at work. At that point, prior to disclosure, it would have been competent for the claimants to seek an injunction and/or nominal damages. Further and in any event, the court agreed with Langstaff J that the employee’s activities were “within the field of activities assigned to him by Morrisons” and that “there was an unbroken thread that linked his work to the disclosure.” His actions met the test for a finding of vicarious liability.

Did motive matter?

It was noted that a novel feature of this case was that the employee’s motive for doing what he did was to harm his employer rather than some other party. None of the other cases on vicarious liability that the court was referred to shared this feature.

Langstaff J had explicitly stated in his judgment that he was troubled by this fact and on appeal, Counsel for Morrisons submitted that if vicarious liability was imposed on Morrisons, this would effectively render the court an accessory in furthering the employee’s criminal aims. In this regard, the Court of Appeal referred to the most recent Supreme Court case on vicarious liability, Mohamud v Wm Morrison Supermarkets plc [2016] UKSC 11 in which it had been stated that “motive was irrelevant”. The court was of the view that there was no basis for finding an exception to that rule in cases where harming the employer was the employee’s objective.

The court was also unmoved by Morrisons’ submissions as to the potentially significant impact of the decision. With regard to the increasing prevalence of reports of substantial data breaches that might lead to mass claims against companies for very large sums, the court stated that “[the] solution is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees.


It will be interesting to see whether the Supreme Court takes the same view of Morrisons’ arguments as the Court of Appeal. Much is at stake, particularly following the recent Court of Appeal decision in another group claim for a different type of breach of the DPA: Richard Lloyd v Google LLC [2019] EWCA Civ 1599.

In that case, the Court of Appeal granted permission to Mr Lloyd to serve an opt-out class action out of the jurisdiction under Rule 19.6 of the Civil Procedure Rules. Traditionally, it has been very difficult to utilise Rule 19.6 due to the need to show that all claimants have the “same interest”. However, in that case the Court of Appeal took the view that the breach (unauthorised use of an advertising cookie on users’ iPhones) had a common impact on all members of the proposed class (loss of control of their data) and it was not necessary to conduct a claimant-by-claimant analysis of the impact of the breach to establish the “same interest”.

The Morrisons claim was brought on the traditional “opt in” approach of each employee issuing their own claim. The 5,500 employees who elected to participate represent approximately 5.5% of the estimated 100,000 employees affected. The significance of the Rule 19.6 approach is therefore immediately obvious. Had this mechanism been used in Morrisons, then all 100,000 of the affected employees would have been automatically included in the class (other than those choosing to opt-out) .