Morrisons data protection.
A landmark ruling in a group action by employees has found Morrisons Supermarket vicariously liable for a deliberate data breach carried out by a rogue employee, out of working hours and at home on a personal computer. The judgment has significant implications for all data controllers (and in the future, data processors) as Morrisons was vicariously liable even though, overall, it had discharged its own obligations as required under the Data Protection Act 1998 (DPA) and common law. This is the first group litigation data breach case to come before the courts, and with the General Data Protection Regulation (GDPR) coming into force in May 2018, employers will be concerned that the finding is an indication of what is to come under the new regime: Various Claimants v Wm Morrisons Supermarket PLC [2017] EWHC 3113 (QB). Morrisons had no primary liability.
WM Morrisons Supermarkets plc (Appellant) v Various Claimants (Respondent). Case ID: UKSC 2018/0213.
COURT OF APPEAL. HIGH COURT. SUPREME COURT. Data Breach, Group Actions, and the criminal insider: the Morrisons case - Panopticon. A spectre is haunting data controllers – the spectre of group liability for data breach.
In Vidal-Hall v Google [2015] EWCA Civ 311 the Court of Appeal held that damages claims under section 13 of the Data Protection Act 1998 (DPA) can be brought on the basis of distress alone, without monetary loss. Since that decision there has been much speculation that a major data breach could lead to distress-based claims against the data controller by a large class of individuals. Even if each individual claim was modest (in the hundreds or low thousands of pounds) the aggregate liability could be substantial. Cases of this nature may give rise to important questions of public policy. Often the data controller will themselves be the victim of malicious or criminal conduct, involving a hack by outsiders or a data leak by insiders.
Milestone UK court ruling on data protection liability. Executive Summary: The UK’s Court of Appeal gave a very important judgment in March in a case concerning Google’s internet behaviour tracking through a browser where it found that: This case is particularly important because litigation for data protection infringements is rising steadily.
We reported previously on privacy class actions here concerning the Schrems case, and here concerning consumer associations in Germany, and we also talked about it in one of our Cordery TV YouTube videos. Following this ruling (Google -v- Vidal-Hall/Hann/Bradshaw, 27 March 2015), the legal footing upon which to obtain compensation in court claims for data protection infringements has moved forward significantly and may pave the way in general for class actions.
EU General Data Protection Regulation. LinkedIn Posts Live Coverage of Morrisons in composite document. When is an employer vicariously liable for acts by an individual who is not an employee? - QCS. What Was He Doing? Vicarious Liability After WM Morrison PLC v Various Claimants [2020] UKSC 12 - Experts in Family, Employment, Personal Injury & Civil Law.
Employers can be held vicariously liable for wrongful acts performed by their employees.
As one would expect, an employer can be held liable for damage caused by an employee who negligently performs an action that the employer has authorised or instructed him to perform, as when an employed labourer negligently fits a kitchen and causes damage. In certain cases, however, employers can also be held vicariously liable when their employees deliberately perform wrongful actions for their own reasons.
The classical statement of the test for vicarious liability, first presented in Salmond on Torts (1907), focused narrowly on whether the employee had committed the wrongful act by performing a task authorised by the employer in an unauthorised way; if the wrongful act was not performed in furtherance of a task authorised by the employer, the employer was not liable because the employee had gone on a frolic of his own. The classical test thus struggled to cope with deliberate wrongful action.
Introductory page to accompany contemporaneous LinkedIn posts from court.