Vicarious Liability for Data Protection Breaches: A Case Study of Morrisons v Skelton, Exercises of Law

Data Protection Law, Tort Law, Employment Law, Information Security

A court case in which the judge ruled that Morrisons, as an employer, could be held vicariously liable for an employee's breach of the Data Protection Act (DPA) regarding the misuse of private information and breach of confidence. It covers the judge's reasoning, which was based on the protection of data subjects and the purpose of the DPA. It also touches upon the history of vicarious liability and the 'close connection' approach to determining employer liability.

What you will learn

  • What was the argument for and against the exclusion of vicarious liability for breaches of the DPA?
  • How did the judge justify the imposition of vicarious liability for a breach of the DPA?
  • What is the role of the Data Protection Act in protecting data subjects?
  • What were the three heads under which the judge found Morrisons vicariously liable?
  • What is the 'close connection' approach to vicarious liability?

Typology: Exercises

2021/2022

Uploaded on 09/27/2022

mangaxxx 🇬🇧

Partial preview of the text

Hilary Term
[2020] UKSC 12
On appeal from: [2018] EWCA Civ 2339

JUDGMENT

WM Morrison Supermarkets plc (Appellant) v Various Claimants (Respondents)

before
Lady Hale
Lord Reed
Lord Kerr
Lord Hodge
Lord Lloyd-Jones

JUDGMENT GIVEN ON 1 April 2020
Heard on 6 and 7 November 2019

Appellant: Lord Pannick QC, Anya Proops QC, Rupert Paines (Instructed by DWF Law LLP (Manchester))
Respondents: Jonathan Barnes, Victoria Jolliffe, Gayatri Sarathy (Instructed by JMW Solicitors LLP (Manchester))

Page 4

10. The High Court made a group litigation order in connection with the claims. Ten lead claimants were selected, with the remainder of the claims being stayed pending judgment. The claimants’ solicitors have provided details of the circumstances of each of the lead claimants, so far as considered relevant to the quantification of damages. These describe how the disclosure caused the claimants to experience feelings of anxiety and anger. The trial of liability was separated from the trial of quantum, which has not yet taken place.

11. The trial judge, Langstaff J, rejected the contention that Morrisons was under a primary liability in any of the respects alleged, but held that it was vicariously liable for Skelton’s breach of statutory duty under the DPA, his misuse of private information, and his breach of his duty of confidence: [2017] EWHC 3113 (QB); [2019] QB 772. He rejected Morrisons’ argument that vicarious liability could not attach to a breach of the DPA by Skelton as the data controller of the data copied on to his USB stick and subsequently disclosed by him, holding that the object of Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“the Directive”), transposed by the DPA, was the protection of data subjects, and that if vicarious liability did not apply, the purpose of the Directive would be defeated. He also rejected Morrisons’ argument that the DPA excluded vicarious liability for misuse of private information or breach of confidence, holding that since the purpose of the Directive, and therefore of the DPA, was the protection of data subjects, it should be treated as providing additional protection rather than as replacing such protection as already existed under domestic law.

12. Finally, he rejected Morrisons’ argument that Skelton’s wrongful conduct was not committed in the course of his employment, holding that Morrisons had provided him with the data in order for him to carry out the task assigned to him, and that what had happened thereafter was “a seamless and continuous sequence of events … an unbroken chain” (para 184). That language was taken from the judgment of Lord Toulson in Mohamud ([2016] AC 677, para 47). He added that Morrisons trusted Skelton to deal with confidential information, and took the risk that it might be wrong in placing that trust in him. His role in respect of the payroll data was to receive and store it, and to disclose it to “a third party”. That “in essence” was his task: the fact that he disclosed it to others than KPMG was not authorised, but was nonetheless “closely related” to what he was tasked to do. The five factors listed by Lord Phillips in Various Claimants v Catholic Child Welfare Society [2012] UKSC 56; [2013] 2 AC 1, para 35, were all present. The judge concluded ([2019] QB 772, para 195):

“Adopting the broad and evaluative approach encouraged by Lord Toulson JSC in Mohamud’s case [2016] AC 677 I have therefore come to the conclusion that there is a sufficient connection between the position in which Skelton was employed and his wrongful conduct, put into the position of handling and disclosing the data as he was by Morrisons (albeit it was meant to be to KPMG alone), to make it right for Morrisons to be held liable ‘under the principle of social justice which goes back to Holt CJ’.”

The latter quotation was taken from Lord Toulson’s judgment in Mohamud, para 45.

13. Morrisons’ appeal to the Court of Appeal (Sir Terence Etherton MR, Bean and Flaux LJJ) was dismissed: [2018] EWCA Civ 2339; [2019] QB 772. The court stated at para 37 that there was no pleaded claim against Morrisons on the ground of vicarious liability for Skelton’s breach of the DPA. It was conceded that the causes of action for misuse of private information and for breach of confidence were not excluded by the DPA. The court considered that there was nothing in the DPA which excluded vicarious liability for such conduct.

14. In relation to the question whether, on the facts, Morrisons were vicariously liable for Skelton’s wrongdoing, the court found at para 72 that “[t]he tortious acts of Mr Skelton in sending the claimants’ data to third parties were in our view within the field of activities assigned to him by Morrisons”. Like the judge, the court also emphasised at para 74 that the relevant facts constituted a “seamless and continuous sequence” or “unbroken chain” of events. Although it was an unusual feature of the case that Skelton’s motive in committing the wrongdoing was to harm his employer, Lord Toulson had said in Mohamud that motive was irrelevant. The court therefore agreed with the judge that Morrisons was vicariously liable for Skelton’s wrongdoing.

15. Notwithstanding the pleading point raised by the Court of Appeal, the issues in the present appeal are agreed to be the following:

(1) Whether Morrisons is vicariously liable for Skelton’s conduct.

(2) If the answer to (1) is in the affirmative:

(a) Whether the DPA excludes the imposition of vicarious liability for statutory torts committed by an employee data controller under the DPA.

(b) Whether the DPA excludes the imposition of vicarious liability for misuse of private information and breach of confidence.

I shall consider the issues in that order.

(1) Whether Morrisons is vicariously liable for Skelton’s conduct

The Mohamud decision

16. The courts below applied what they understood to be the reasoning of Lord Toulson in Mohamud [2016] AC 677. They treated as critical, in particular, his reference in para 45 of his judgment to “the principle of social justice which goes back to Holt CJ”, his references in para 47 to the connection between the employee’s conduct in that case and his employment (“an unbroken sequence of events”, or “a seamless episode”), which they appear to have regarded as referring to an unbroken temporal or causal chain of events, and his statement in para 48 that “Mr Khan’s motive is irrelevant”, Mr Khan being the employee whose conduct was in question in that case. The resultant approach, if correct, would constitute a major change in the law.

17. Lord Toulson’s judgment was not intended to effect a change in the law of vicarious liability: quite the contrary. That becomes clear if the judgment is read as a whole, as I shall explain. The judgments below focused on the final paragraphs, in which Lord Toulson summarised long-established principles in the simplest terms and applied them to the facts of the case then before the court. A few phrases in those paragraphs, taken out of context, were treated as establishing legal principles: principles which would represent a departure from the precedents which Lord Toulson was expressly following.

18. The question which arose on the facts of Mohamud was whether the employer of a petrol station attendant was liable for an assault which the attendant had perpetrated on a motorist. The motorist went into the sales kiosk and asked if some documents could be printed. The attendant, Mr Khan, refused the request and ordered the motorist to leave, using racist and threatening language, then followed the motorist back to his car, opened the door and ordered him never to come back, again using threatening language. When the motorist told Mr Khan to close the door, Mr Khan assaulted him. The judge dismissed a claim against the employer on the ground that Mr Khan’s actions were beyond the scope of his employment. An appeal against that decision was dismissed by the Court of Appeal ([2014] EWCA Civ 116; [2014] 2 All ER 990). The argument in the appeal to this court was that the test of vicarious liability should be broadened so as to turn, in the case of a tort committed by an employee, on whether a reasonable observer would have considered the employee to be acting in the capacity of a representative of the employer at the time of committing the tort. The court rejected that argument, holding that the established

Page 9

23. In that passage, Lord Nicholls identified the general principle (“the best general answer”, as he said at para 23) applicable to vicarious liability arising out of a relationship of employment: the wrongful conduct must be so closely connected with acts the employee was authorised to do that, for the purposes of the liability of the employer to third parties, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment. That test was repeated in later cases such as Bernard v Attorney General of Jamaica [2004] UKPC 47; [2005] IRLR 398, Brown v Robinson [2004] UKPC 56, and Majrowski v Guy’s and St Thomas’s NHS Trust [2006] UKHL 34; [2007] 1 AC 224. As Lord Phillips noted in Various Claimants v Catholic Child Welfare Society [2013] 2 AC 1, paras 83 and 85, the close connection test has been applied differently in cases concerned with the sexual abuse of children, which cannot be regarded as something done by the employee while acting in the ordinary course of his employment. Instead, the courts have emphasised the importance of criteria that are particularly relevant to that form of wrongdoing, such as the employer’s conferral of authority on the employee over the victims, which he has abused.

24. The general principle set out by Lord Nicholls in Dubai Aluminium, like many other principles of the law of tort, has to be applied with regard to the circumstances of the case before the court and the assistance provided by previous court decisions. The words “fairly and properly” are not, therefore, intended as an invitation to judges to decide cases according to their personal sense of justice, but require them to consider how the guidance derived from decided cases furnishes a solution to the case before the court. Judges should therefore identify from the decided cases the factors or principles which point towards or away from vicarious liability in the case before the court, and which explain why it should or should not be imposed. Following that approach, cases can be decided on a basis which is principled and consistent.

25. Having explained how the close connection case was expressed in Lister and elaborated in Dubai Aluminium, and having also explained that it had been applied in a number of subsequent cases at the highest level, Lord Toulson summarised the present law in paras 44-46 of his judgment ([2016] AC 677). “In the simplest terms”, he said, the court had to consider two matters. The first question was what functions or “field of activities” had been entrusted by the employer to the employee. In other words, as Lord Nicholls put it in Dubai Aluminium at para 23, it is necessary to identify the “acts the … employee was authorised to do”. Secondly, Lord Toulson said at para 45, “the court must decide whether there was sufficient connection between the position in which he was employed and his wrongful conduct to make it right for the employer to be held liable under the principle of social justice which goes back to Holt CJ”. That statement, expressly put in the simplest terms, was more fully stated by Lord Nicholls in Dubai Aluminium [2003] 2 AC 366, para 23: in a case concerned with vicarious liability arising out of a relationship of employment, the court generally has to decide whether the wrongful conduct was so closely connected with acts the employee was authorised to do that, for the purposes of the liability of his employer, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment. That statement of the law, endorsed in Mohamud and in several other decisions at the highest level, is authoritative.

26. Lord Toulson was not suggesting any departure from the approach adopted in Lister and Dubai Aluminium. His position was the exact opposite. Nor was he suggesting that all that was involved in determining whether an employer was vicariously liable was for the court to consider whether there was a temporal or causal connection between the employment and the wrongdoing, and whether it was right for the employer to be held liable as a matter of social justice. Plainly, the close connection test is not merely a question of timing or causation, and the passage which Lord Toulson cited from Dubai Aluminium makes it clear that vicarious liability for wrongdoing by an employee is not determined according to individual judges’ sense of social justice. It is decided by orthodox common law reasoning, generally based on the application to the case before the court of the principle set out by Lord Nicholls at para 23 of Dubai Aluminium, in the light of the guidance to be derived from decided cases. In some cases, the answer may be clear. In others, inevitably, a finer judgment will be called for.

27. Finally, Lord Toulson considered how this approach applied to the facts of the case before the court. He began by identifying Mr Khan’s functions or field of activities ([2016] AC 677, para 47):

“In the present case it was Mr Khan’s job to attend to customers and to respond to their inquiries. His conduct in answering the claimant’s request in a foul-mouthed way and ordering him to leave was inexcusable but within the ‘field of activities’ assigned to him.”

Lord Toulson then rejected the argument that the assault on the customer was unconnected with Mr Khan’s field of activities; an argument which had emphasised in particular the fact that Mr Khan had left the sales kiosk and followed the customer to his vehicle. In that regard, he said (ibid):

“What happened thereafter was an unbroken sequence of events. It was argued by the respondent and accepted by the judge that there ceased to be any significant connection between Mr Khan’s employment and his behaviour towards the claimant when he came out from behind the counter and followed the claimant onto the forecourt. I disagree for two reasons. First, I do not consider that it is right to regard him as having metaphorically taken off his uniform the moment he stepped from behind the counter. He was following up on what he had said to the claimant. It was a seamless episode. Secondly, when Mr Khan followed the claimant back to his car and opened the front passenger door, he again told the claimant in threatening words that he was never to come back to the petrol station. This was not something personal between them; it was an order to keep away from his employer’s premises, which he reinforced by violence. In giving such an order he was purporting to act about his employer’s business. It was a gross abuse of his position, but it was in connection with the business in which he was employed to serve customers.”

28. Read in context, Lord Toulson’s comments that there was “an unbroken sequence of events”, and that it was “a seamless episode”, were not directed towards the temporal or causal connection between the various events, but towards the capacity in which Mr Khan was acting when those events took place. Lord Toulson was explaining why, in his view, Mr Khan was acting throughout the entire episode in the course of his employment. When he followed the motorist out of the kiosk and on to the forecourt, he was following up on what he had said to the motorist in the kiosk. He ordered the motorist to keep away from his employer’s premises, and reinforced that order by committing the tort. In doing so, he was “purporting to act about his employer’s business”. As Lord Toulson said, “this was not something personal”.

29. Lord Toulson concluded his analysis of the facts by stating, at para 48:

“Mr Khan’s motive is irrelevant. It looks obvious that he was motivated by personal racism rather than a desire to benefit his employer’s business, but that is neither here nor there.”

Read in isolation, the statement that “motive is irrelevant” would be misleading. Lord Toulson had just said, in the preceding paragraph, that one of his reasons for finding that there was a close connection was that Mr Khan was purporting to act about his employer’s business, and that his conduct towards the customer was not, therefore, “something personal”. So the question whether Mr Khan was acting, albeit wrongly, on his employer’s business, or was acting for personal reasons, was plainly important.

30. When Lord Toulson said that Mr Khan’s motive was irrelevant, he was addressing a point which the judge had mentioned, namely that the reasons why Mr

Page 14

explained in para 23 above, a more tailored version of the close connection test is applied).

37. The basic principle normally applicable to cases where an employee is engaged in an independent personal venture was explained in Joel v Morison (1834) 6 C & P 501, which concerned a claim for personal injuries brought by a plaintiff who had been knocked down by a cart driven by the defendant’s employee. Parke B said at p 503:

“The master is only liable where the servant is acting in the course of his employment. If he was going out of his way, against his master’s implied commands, when driving on his master’s business, he will make his master liable; but if he was going on a frolic of his own, without being at all on his master’s business, the master will not be liable.”

38. More recently, the issue of liability for acts performed by an employee in the course of an independent venture of his own was considered by Lord Nicholls in Dubai Aluminium [2003] 2 AC 366, para 32:

“A distinction is to be drawn between cases such as Hamlyn v John Houston & Co [1903] 1 KB 81, where the employee was engaged, however misguidedly, in furthering his employer’s business, and cases where the employee is engaged solely in pursuing his own interests: on a ‘frolic of his own’, in the language of the time-honoured catch phrase … The matter stands differently when the employee is engaged only in furthering his own interests, as distinct from those of his employer. Then he ‘acts as to be in effect a stranger in relation to his employer with respect to the act he has committed’: see Isaacs J in Bugge v Brown (1919) 26 CLR 110, 118.”

39. There are a number of relevant cases which have been decided since Lister and Dubai Aluminium. A particularly relevant example at the highest level is Attorney General of the British Virgin Islands v Hartwell [2004] UKPC 12; [2004] 1 WLR 1273, a decision of the Judicial Committee of the Privy Council. The case concerned a police officer who left his post and went into a bar where his partner worked as a waitress and, in a fit of jealous rage at finding her there with another man, fired a number of shots at one or other or both of them with a service revolver to which he had access in the course of his duties. A bystander was injured and claimed damages from the Government. The contention that the Government was vicariously liable was rejected on the ground that since, at the relevant time, the officer had abandoned his post and embarked on a vendetta of his own, his wrongful use of the gun was not something done in the course of his employment.

40. Lord Nicholls, giving the judgment of the Board, applied the close connection test laid down in Dubai Aluminium at para 23. The connecting factors relied upon as satisfying the test were that the officer was a police officer on duty at the time of the shooting, that the place where the shooting occurred was within his jurisdiction, and that he had used a police revolver to which he was given access at the police station where he was posted and which he was permitted to use for police purposes: factors that created a connection between the wrongdoing and the acts which the officer was authorised to do which might be thought to bear a close analogy to those relied on in the present case (where Skelton committed the wrong using data to which he was given access at work and which he was permitted to use for an authorised purpose), and to be at least as strong. Those factors were held to be insufficient. Lord Nicholls explained at para 17:

“From first to last, from deciding to leave the island of Jost Van Dyke to his use of the firearm in the bar of the Bath & Turtle, Laurent’s activities had nothing whatever to do with any police duties, either actually or ostensibly. Laurent deliberately and consciously abandoned his post and his duties. He had no duties beyond the island of Jost Van Dyke. He put aside his role as a police constable and, armed with the police revolver he had improperly taken, he embarked elsewhere on a personal vendetta of his own. That conduct falls wholly within the classical phrase of ‘a frolic of his own’.”

That case might be contrasted with Bernard v Attorney General of Jamaica [2004] UKPC 47; [2005] IRLR 398, where a shooting was carried out by a police officer with his service revolver while purportedly acting in the execution of his duties, and vicarious liability was held to be established.

41. There are numerous other cases decided at a lower level. It is unnecessary to consider them all, but it may be worth mentioning the two cases on which the Court of Appeal principally focused. The first is the case of Warren v Henlys Ltd [1948] 2 All ER 935, a ruling by a trial judge which was cited with approval in Mohamud [2016] AC 677, para 32. The case was one in which a customer at a petrol station had an angry confrontation with the petrol station attendant, who wrongly suspected him of trying to make off without payment. The customer became enraged at the manner in which he was spoken to by the attendant. After paying for the petrol, the customer saw a passing police car and drove off after it. He complained to the police officer about the attendant’s conduct and persuaded the officer to return with him to the petrol station. The officer listened to both men and indicated that he did not think that it was a police matter, whereupon the customer said that he would report the attendant to his employer. The officer was on the point of leaving, when the attendant punched the customer in the face, knocking him to the ground.

42. Hilbery J held that the assault was not committed in the course of the attendant’s employment, applying the Salmond formula. He said at p 938:

“It seems to me that it was an act entirely of personal vengeance. He was personally inflicting punishment, and intentionally inflicting punishment, on the plaintiff because the plaintiff proposed to take a step which might affect Beaumont in his own personal affairs. It had no connection whatever with the discharge of any duty for the defendants. The act of assault by Beaumont was done by him in relation to a personal matter affecting his personal interests and there is no evidence that it was otherwise.”

43. It is unconvincing to say that the assault “had no connection whatever” with the discharge of the attendant’s duties. The attendant’s function was to deal with his employer’s customers. He committed the assault at his workplace, while at work, against a customer of his employer, as the culmination of a sequence of events which began when the attendant was acting for the benefit of his employer. The connection between the wrongdoing and the acts which the employee was authorised to do was appreciably stronger than in the present case.

44. The judge’s reasoning is more convincing when he says that the assault “was an act entirely of personal vengeance”, and that the tort was committed by the attendant “in relation to a personal matter affecting his personal interests”. Like the police officer in the case of Hartwell, he was not acting on his employer’s business, but in pursuit of his own private ends.

45. The other case which the Court of Appeal considered in detail was Bellman v Northampton Recruitment Ltd [2018] EWCA Civ 2214; [2019] 1 All ER 1133. The claimant in that case was an employee of a company run by its managing director. The managing director arranged for the company to pay for a staff Christmas party, and for accommodation and drinks for the staff at a hotel near the venue where the party was being held. At the hotel, the conversation turned to matters at work. The managing director became annoyed after being questioned about the appointment of a new employee. He summoned the employees who were at the hotel and began to lecture them on how he owned the company, that he was in charge and would do what he wanted to do, that the decisions were his to take and that he paid their wages. The claimant challenged a statement made by the managing

Page 19

Aluminium Co Ltd v Salaam [2003] 2 AC 366, 377, para 23. If this prerequisite is satisfied the policy reasons underlying the common law principle are as much applicable to equitable wrongs and breaches of statutory obligations as they are to common law torts.”

Lord Nicholls summarised the resultant position at para 17:

“Unless the statute expressly or impliedly indicates otherwise, the principle of vicarious liability is applicable where an employee commits a breach of a statutory obligation sounding in damages while acting in the course of his employment.”

52. Counsel for Morrisons argued that the DPA impliedly excluded the vicarious liability of an employer. In that regard, counsel referred in particular to section 13 of the DPA. Subsection (1) provides that “[an] individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage”. Subsection (2) makes similar provision in relation to compensation for distress. Subsection (3) provides that “[i]n proceedings brought against a person by virtue of this section it is a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned.” The seventh data protection principle (Schedule 1, paragraph 10) also provides: “The data controller must take reasonable steps to ensure the reliability of any employees of his who have access to personal data.”

53. The DPA therefore made it clear, it was argued, that liability was to be imposed only on data controllers, and only where they had acted without reasonable care. That statutory scheme was inconsistent with the imposition of a strict liability on the employer of a data controller, whether for that person’s breach of the DPA or for his breach of duties arising at common law or in equity. Since it was common ground that Morrisons performed the obligations incumbent upon them as data controllers, and that Skelton was a data controller in his own right in relation to the data which he copied and disclosed, it followed that Morrisons could not be under a vicarious liability for his breach of the duties incumbent upon him.

54. Attractively though this argument was presented, it is not persuasive. The imposition of a statutory liability upon a data controller is not inconsistent with the imposition of a common law vicarious liability upon his employer, either for the breach of duties imposed by the DPA, or for breaches of duties arising under the common law or in equity. Since the DPA is silent about the position of a data controller’s employer, there cannot be any inconsistency between the two regimes. That conclusion is not affected by the fact that the statutory liability of a data controller under the DPA, including his liability for the conduct of his employee, is based on a lack of reasonable care, whereas vicarious liability is not based on fault. There is nothing anomalous about the contrast between the fault-based liability of the primary tortfeasor under the DPA and the strict vicarious liability of his employer. A similar contrast can often be drawn between the fault-based liability of an employee under the common law (for example, for negligence) and the strict vicarious liability of his employer, and is no more anomalous where the employee’s liability arises under statute than where it arises at common law.

55. It follows that, applying the orthodox principles of statutory interpretation explained by Lord Nicholls in Majrowski, since the DPA neither expressly nor impliedly indicates otherwise, the principle of vicarious liability applies to the breach of the obligations which it imposes, and to the breach of obligations arising at common law or in equity, committed by an employee who is a data controller in the course of his employment, as explained in Dubai Aluminium.

Conclusion

56. For the reasons explained above, the circumstances in which Skelton committed wrongs against the claimants were not such as to result in the imposition of vicarious liability upon his employer. Morrisons cannot therefore be held liable for Skelton’s conduct. It follows that the appeal must be allowed.