Court of Appeal upholds vicarious liability finding after malicious data breach: WM Morrison Supermarkets plc v Various Claimants

The Court of Appeal has confirmed that the Data Protection Act does not exclude vicarious liability for tortious privacy actions such as breach of confidence and misuse of private information and has left the door open for further group actions arising from a cyber or data breach.

We’ve all been waiting for the Court of Appeal to hear Morrisons’ appeal from the 2017 High Court judgment (please see our article here), where a class of 5,518 Morrisons employees successfully sued the supermarket chain following a data breach. It did so on 08 and 09 October, with the judgment handed down yesterday. Unfortunately for Morrisons, and for employer data controllers and processors everywhere, the appeal was dismissed.

First Instance

The data breach occurred when a disgruntled Morrisons employee (a Mr Skelton) stole and posted into the public domain the personal data of nearly 100,000 employees. While the High Court found that Morrisons had (more or less) done everything it could and should have done to ensure the safety and security of the data (and was therefore not directly liable for any breach), it was vicariously liable for Skelton’s actions. As well as suing for breach of statutory duty under s.4(4) Data Protection Act 1998 (DPA 1998), the claimants had also sued under the common law tort of misuse of private information and at equity for breach of confidence. It was under these heads of claim that Morrisons was vicariously liable.


On appeal, it was common ground that the trial Judge was correct to dismiss the claims against Morrisons for breach of statutory duties under the DPA 1998, and that the data controller was Skelton, not Morrisons. Morrisons argued that that on the proper interpretation of the DPA 1998, it excluded an employer’s vicarious liability at common law for an employee’s misuse of private information and breach of confidence. The Court of Appeal did not accept this, for three key reasons:

  • If such a substantial eradication of common law and equitable rights had been intended Parliament would have expressly said so
  • The interpretation was inconsistent with application of the Data Protection Directive, and
  • The DPA 1998 says nothing about the liability of an employer, who is not data controller, for breaches of the act by its employee, who is a data controller. The DPA 1998 is only concerned with the primary liability and obligations of the data controller, and is silent about the liability of someone else for wrongful processing by that data controller.

Morrisons remaining ground of appeal focussed less on the aspects of privacy law and more on the concept of vicarious liability. It argued that Skelton’s wrongful acts did not take place during the course of his employment with Morrisons. The Court of Appeal disagreed, finding that "the tortious acts of Skelton in sending the claimants' data to third parties were within the field of activities assisgned to him by Morrisons" [71].


Employer and other data controllers may read this judgment with dismay, particularly after the costs judgment in relation to the first instance hearing, and the Lloyd v Google decision (see our blog post here) suggested a resistance by the courts to what could be termed opportunistic collective actions arising out of data and cyber incidents. The appellant alluded to the challenges that other innocent employers could face in similar cases (see paragraph 77). Further collective actions (whether through representative actions or Group Litigation Orders) seeking redress for data subjects seem inevitable (the reasoning in Morrisons would have been the same under the new data protection regime).

The Court of Appeal appears to recognise this referring to “a large number of claims against the relevant company for potentially ruinous amounts”. However, the solution, it says, is insurance - “a valid answer to the Doomsday or Armageddon arguments”.

Please see our Class Actions and Collective Redress microsite here.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.