UK businesses should use caution when interpreting Morrisons data breach ruling

6 May 2020

Lawyers for UK grocery chain Wm Morrison Supermarkets heaved a sigh of relief in April after the country’s Supreme Court ruled the company was not liable for a data breach caused by a disgruntled employee. But multinationals would be gravely mistaken to take encouragement from the narrow ruling. Though the UK has split from the European Union, GDPR privacy rules remain in full force there and carry penalties that could swing a wrecking ball at company finances.

The Supreme Court’s decision overturns two lower court rulings that had held Morrisons responsible after an angry employee published sensitive company payroll information on the internet and shared it with newspapers in 2014. The employee was convicted for fraud and disclosing personal information and sentenced to eight years in prison. Nine thousand Morrisons workers sued the company for the breach.

“Vicarious liability” verdict

The high court quickly dismissed the case’s direct liability allegations and turned its attention to the lesser-known standard of “vicarious liability.”

Proving vicarious liability entails demonstrating that an employee acted “in the course of employment,” i.e., in the course of carrying out his duties to the employer. In this case, the employee, who carried a grudge after receiving a disciplinary warning, released the information without company authorization on his home computer. Deliberately harming the employer (and doing so while not at work) contradicts the concept of carrying out one’s duties, the court found, ruling that the company could not be held responsible for the actions precipitated against it.

The importance of the GDPR

There are two important things for companies to note about this ruling. The first is that the ruling deals only with a narrow subset of law concerning the question of indirect liability. The second is that the incident occurred in 2014, four years before GDPR legislation came into effect.

If the breach had occurred later, after the GDPR was in force, Morrisons would have been subjected to an intensive GDPR investigation of its policies and its enforcement of data privacy rules. Any violations that came to light could have received the full force of the law, which can result in fines of up to 20 million euros or 4 percent of revenues, whichever is greater.

Though the UK has officially left the EU, it is in a transition period at least until the end of 2020 to allow for a new trading relationship with the EU to be negotiated. Throughout this period the same trade rules and free movement of goods and services continue to apply in the UK, and the GDPR also remains in full effect. Whatever the outcome of the UK-EU trade talks, it is certain that from 2021 onwards, GDPR requirements will continue to apply throughout the UK, as the GDPR has already been imported into UK national law. Following the transition, it will be known there as the UK GDPR.

UK employers should also bear in mind that — although some have described the Morrisons ruling as “a great result for employers,” — the case went all the way to the Supreme Court and involved thousands of employees seeking damages. Had the ruling gone another way, more of Morrisons’ 100,000 employees might have added claims, with devastating financial and public relations results.

Taking privacy seriously

Since the GDPR came into effect in May 2018, authorities have received an average of 278 personal data breach notifications per day. Though the total amount of fines collected so far — 114 million euros — is much lower than it could be given what the law allows, some legal experts believe that new German guidelines will cause penalties to rise in the future.

Quite a few multinationals have been hit, including Marriott, Uber, Yahoo, Facebook, and British Airways, which received one of the largest fines (183 million pounds) after website visitors were diverted to a fake site where their payment information was stolen. The fine has been deferred twice and could be appealed.

In the end, then, the Morrisons case should serve as a reminder to all organizations with UK operations that — Brexit or no Brexit — the country takes data privacy very seriously. UK employers should review their employee handbooks and training to make sure they comply with all UK GDPR requirements.

In cases involving an employer transferring data outside the UK — for example, to the United States — the employer should also ensure that it fully complies with all GDPR rules relating to cross-border data transfers. Note that data transfers to the U.S usually require membership in the EU-U.S. Privacy Shield Framework or the execution of EU standard or contractual model clauses.

UK employers should also update their policies to convey that their company will not be held responsible for employees’ actions while they are not conducting work business. This will not necessarily absolve an organisation from vicarious liability, but should be done. Other actions may also be necessary to ensure GDPR compliance.

Vistra's Paul Sutton contributed to this article.