United Kingdom’s Supreme Court erred on liability of joint-data controllers


UK Supreme Court decision on an employer’s liability for data breach in the case of WM Morrison Supermarkets versus Various Claimants. Morrisons was sued by 9,263 employees for the (malicious) publication of their personal data on the internet by one disgruntled employee of Morrisons.

On the 1st day of April 2020, happily, COVID-19 pandemic did not prevent the United Kingdom’s (UK) Supreme Court from delivering a landmark decision on an employer’s liability for data breach in the case of WM Morrison Supermarkets Plc (Morrisons) v Various Claimants (2020) UKSC 12 allowing the appeal of Morrison Supermarkets – the fourth largest chain of supermarkets in the UK and upturning the earlier decisions of the trial court and Court of Appeal (reported at 2018 EWCA Civ 2339; (2019) QB 772) at one fell swoop.

When my attention was drawn to this oven-fresh decision by Mr. Folabi Kuti (an unassertive labour law expert) as posted on ELLAN’s platform (Employment and Labour Lawyers Association of Nigeria), I thought its jurisprudential value only bordered on law of torts and labour law not until Mr. Nonso Azih (the GM, Legal of APM Terminals – an enthusiast and keen player in data protection law and practice) commented on a thought-provoking aspect of the judgment as it relates to the liability of data controllers in the event of data breach. Admittedly, that intervention made me study the judgment carefully.

After reading the 56-paragraphed judgment, it is my respectful submission that, their lordships overlooked some in-depth provisions of the Data Protection Act 1998 (DPA) which was applicable at the accrual of cause of action in the case.

For a clear appreciation of my opinionated but respectful perspective, I will first, set out the brief facts and then proceed to areas of the perceived misdirection of the law by the erudite lords of the UK Supreme Court in the case.


Relevant facts as gleaned from the judgement

The appellant (Morrisons), a company which operates a chain of supermarkets was sued by the respondents (9,263 of Morrisons’ employees or former employees) for the (malicious) publication of their personal data on the internet by one Mr. Andrew Skelton – a disgruntled employee of Morrisons.

At the time of publication, Skelton was a senior auditor in Morrisons’ internal audit team but in July 2013, he was subject to disciplinary proceedings for minor misconduct and was given a verbal warning. Following those proceedings, he harboured an irrational grudge against Morrisons, which led him to leak the personal data in question.

Morrisons’ accounts are subject to an annual external audit. In preparation for the audit, on 1 November, 2013 the auditors, KPMG, requested payroll data from Morrisons in order to test their accuracy. The head of Morrisons’ internal audit team delegated the task of collating and transmitting the data to Skelton. He had also performed that task in 2012. To enable him to carry out the task, he was given access to the payroll data relating to the whole of Morrisons’ workforce: around 126,000 employees. These consisted of the name, address, gender, date of birth, phone numbers, national insurance number, bank sorting code, bank account number and salary of each member of staff.

When the payroll data was provided to Skelton, he transmitted the data to KPMG as he had been instructed to do but afterwards, he copied the data from his work laptop on to a personal USB stick. Some days later, he used the personal information of Mr. Kenyon - a colleague - to create a false email account, in a deliberate attempt to frame him. Mr Kenyon had been involved in the disciplinary proceedings earlier that year.

On 12 January, 2014, Skelton uploaded a file containing the personal data of 98,998 of the employees to a publicly accessible file-sharing website, with links to the data posted on other websites. The file was created from the personal copy of the data which he had made on his USB stick on 18 November. He made the disclosure when he was at home, using the mobile phone, the false email account. Having made the disclosure, he deactivated the email account, and on 12 March deleted the data and the file from the USB stick.

On 13 March 2014, the day on which Morrisons’ financial results were due to be announced, Skelton sent CDs containing the file anonymously to three UK newspapers. The newspapers did not publish the data. Instead, one of them alerted Morrisons. Within a few hours, Morrisons had taken steps to ensure that the data was removed from the Internet, instigated internal investigations, and informed the police. It also informed its employees and undertook measures to protect their identities. Skelton was arrested a few days later. He was subsequently convicted of a number of offences and sentenced to eight years’ imprisonment. It was noted that Morrisons had spent more than £2.26m in dealing with the immediate aftermath of the disclosure. A significant element of that sum was spent on identity protection measures for its employees.


The decision

The trial court and Court of Appeal found Morrisons vicariously liable for the data breach orchestrated by Skelton but the Supreme Court set aside their concurrent findings when their lordships concluded that:

“For the reasons explained above, the circumstances in which Skelton committed wrongs against the claimants were not such as to result in the imposition of vicarious liability upon his employer. Morrisons cannot therefore be held liable for Skelton’s conduct. It follows that the appeal must be allowed.”

As much as the conclusion above remains the law in the UK, this writer is of the respectful opinion that, had the apex court thoroughly considered the relevant and decisive provisions of DPA with respect to the status of Skelton and Morrisons, it would have come to a different conclusion.


Particulars of misdirection

In arriving at the conclusion, the apex court formulated the following issues:

“Whether the DPA excludes the imposition of vicarious liability for statutory torts committed by an employee data controller under the DPA. Whether the DPA excludes the imposition of vicarious liability for misuse of private information and breach of confidence.” (Emphasis mine)

It is this writer’s respectful opinion that, from the first issue, their lordships had already concluded that Mr. Skelton was a data controller but the court did not even call in aid, the interpretation sections before resolving this issue. For the avoidance of doubt, section 70 (1) (e) of the DPA provides that:

recipient”, in relation to any personal data, means any person to whom the data are disclosed, including any person (such as an employee or agent of the data controller, a data processor or an employee or agent of a data processor) to whom they are disclosed in the course of processing the data for the data controller, but does not include any person to whom disclosure is or may be made as a result of, or with a view to, a particular inquiry by or on behalf of that person made in the exercise of any power conferred by law.” (Emphasis mine)

From the clear and unambiguous definition above and without any fright of contradiction, it appears clear enough that, Mr. Skelton falls within such description of a recipient. Hence, Morrisons remains the data controller as far as employees’ personal data are concerned.

Although, to my mind, the DPA does not contemplate a situation where an employee can assume the position of a data controller but for the purpose of such argument, let’s for a second, assume such was the state of the law in 1998, we then turn to the definition of “data controller” at section 1(1)(d) DPA thus:

“data controller” means, subject to subsection (4), a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed” (Emphasis mine)


While subsection 4 states that:

“(4) Where personal data are processed only for purposes for which they are required by or under any enactment to be processed, the person on whom the obligation to process the data is imposed by or under that enactment is for the purposes of this Act, the data controller.”

Again, from the provisions above, can it be said that that Mr. Skelton fits the role? The answer, to my mind, is in the negative. What is more is the implication of the court’s finding at a paragraph 53 of the judgment that:

“Since it was common ground that Morrisons performed the obligations incumbent upon them as data controllers, and that Skelton was a data controller in his own right in relation to the data which he copied and disclosed, it followed that Morrisons could not be under a vicarious liability for his breach of the duties incumbent upon him.”

The holding above suggests the finding of a relationship of joint-data controllers between Morrisons and Mr. Skelton, hence, the former shares equal liability with the latter even though it did not take part in the subsequent processing. See the decision in Tietosuojavaltuutettu v Jehovan todistajat — uskonnollinen yhdyskunta (intervening) Case C 25/17, (2018) ECLI 551 par. 68 and 69 where the European Court of Justice (CJEU) held that, the joint responsibility of several actors for the same processing, under that provision, does not require each of them to have access to the personal data concerned. See also the recent decision of the CJEU in Fashion ID GmbH & Co KG v Verbraucherzentrale NRW eV (Facebook Ireland Ltd intervening) (Case C- 40/17) (2020) 1 WLR 969 which was orally cited by Morrisons’ lawyers.



Conclusively, it is this writer’s respectful opinion that, the court’s ultimate fixation on the principle of vicarious liability at the expense of explicit provisions of the DPA on the definitions of the parties vis a vis their liabilities, got the better of their lordships’ conclusion.  Since Mr. Skelton’s status as an employee falls within the definition of a recipient, the court, with respect, erred to have treated him as a controller under the DPA. Conversely, if it is conceded that Mr. Skelton was a data controller, then Morrisons’ undeniable status as a joint-controller ought to have rendered them liable for the data breach under the relevant sections of the DPA.

While there is a silver lining in the decision for data controllers, the data subjects are still left in the cold by this novel but unprotective decision, from the data subjects’ perspective.


Article provided by: Olumide Babalola (OBLP, Nigeria)



Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.