The first UK class action case to arise from a data leak has found an employer vicariously liable for the act of one employee in leaking the personal data of nearly 100,000 other employees. The case is a harbinger of similar actions to come when the GDPR comes into force across the EU in May 2018.

The high-profile case concerned the supermarket chain Morrisons. Andrew Skelton, a disgruntled employee, posted a file containing the personal data of 99,988 employees to a file-sharing website. Skelton was sentenced in 2015 to eight years' imprisonment for a range of offences arising from this incident, including fraud, securing unauthorised access to computer materials and disclosing personal data. Subsequently, 5,818 of the employees whose data had been included in the file sued Morrisons.

The High Court found that although Morrisons had fallen short of complying with the data protection principle of ensuring adequate technical and organisational measures to prevent the unauthorised or unlawful processing of personal data, this was not causative of the data breach, and so Morrisons was not directly liable. In determining whether Morrisons was vicariously liable for Skelton's actions, the Court had to consider whether Skelton's actions were "sufficiently closely connected" to his role at Morrisons. The Court found that they were, on the grounds that:

  • there was "an unbroken thread that linked his work to the disclosure";
  • Morrisons had entrusted Skelton with the data, rather than merely granting him access rights to it, such that even though he was not authorised to disclose the data in the manner he did, this action was sufficiently closely related to the acts he was entrusted to perform; and
  • although his actions were injurious to his employer, this did not take his actions outside the scope of his employment.

However, the Court was uneasy with the submission that, because Skelton's acts were aimed at damaging Morrisons, the same party that the claimants sought to hold responsible, the Court's conclusion would have the effect of furthering Skelton's criminal aims. For this reason, the Court granted leave to Morrisons to appeal the decision regarding vicarious liability.

As data breaches become ever more frequent and larger in scale, affected data subjects across the EU will likely resort to class action claims, whereby resources can be pooled to achieve better outcomes. Such actions are likely to become more frequent after the GDPR comes into force on 25 May 2018, as it strengthens data subjects' rights and broadens the range of damages available.