Data Protection – October 2018

Binary Code Print publication


Morrisons loses group data breach case appeal; High Court blocks collective proceedings against Google; Facebook’s £500,000 fine; Privacy Shield Review; and more.

Morrisons loses group data breach case appeal…

In a landmark judgment, supermarket chain Morrisons has lost its appeal against a High Court ruling that it is liable in damages for the actions of one of its former employees who, while employed as a senior internal auditor at the company, deliberately leaked payroll data relating to almost 100,000 employees online following disciplinary action [1]. He had been tasked with providing payroll data to Morrisons’ external auditors. Over 5,500 employees commenced proceedings against Morrisons for damages and interest for misuse of private information, breach of confidence and breach of statutory duty owed under section 4(4) the Data Protection Act 1998 (the Act).

Morrisons was not found directly liable, but the High Court found that the company had deliberately entrusted the individual concerned with the payroll data (disclosing it to others was closely related to the task he had been given, despite the lack of authorisation) and there was a sufficient connection between the position in which he was employed and his wrongful conduct to establish secondary (vicarious) liability. Morrisons submitted on appeal that this close connection test was not satisfied, since the wrongdoing that caused the harm was done by the individual at his home, using his own computer, on a Sunday, several weeks after he had downloaded the data at work on to his personal USB stick. The Court of Appeal agreed with the High Court that there was an “unbroken thread” linking the individual’s work to the disclosure of the data. Rather than a sequence of random events, there was an unbroken chain which included the first unlawful act of downloading data from his personal work computer to a personal USB stick.

It was submitted that to impose vicarious liability on Morrisons in circumstances where the individual’s motive was to harm Morrisons would render the court an accessory in furthering his criminal aims. This was dismissed by the Court of Appeal, which did not accept that there is an exception to the irrelevance of motive where the motive is, by causing harm to a third party, to cause financial or reputational damage to the employer. The Court of Appeal also gave short shrift to the submission that, given the number of employees affected, a finding of vicarious liability would place an enormous burden on Morrisons (and on other innocent employers in future cases). It is helpful to quote directly from the judgment:

There have been many instances reported in the media in recent years of data breaches on a massive scale caused by either corporate system failures or negligence by individuals acting in the course of their employment. These might, depending on the facts, lead to a large number of claims against the relevant company for potentially ruinous amounts. The solution is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees. We have not been told what the insurance position is in the present case, and of course it cannot affect the result. The fact of a defendant being insured is not a reason for imposing liability, but the availability of insurance is a valid answer to the Doomsday or Armageddon arguments put forward … on behalf of Morrisons”.

Further proceedings are due to take place to determine the level of compensation. Morrisons has said that it will appeal to the Supreme Court.

While the High Court found that, in relation to data deletion, Morrisons had fallen short of its duty to take appropriate organisational measures to guard against unlawful disclosure and data loss, by the time it would have been appropriate to conduct any check on deletion, the probability was that the information had already been copied, and so the failure neither caused nor contributed to the disclosure. In light of the decision in this case, it would be prudent for employers to review their existing policies and procedures and consider imposing stricter internal controls to guard against the risk of employees “going rogue”, including in those parts of the business where employees are regularly entrusted with personal data and confidential or sensitive information.

…as the High Court blocks attempt to bring collective proceedings against Google

The High Court has refused to give the go-ahead to a representative action brought against Google by Richard Lloyd (the former executive director of consumer organisation Which?) on his own behalf and on behalf of an estimated class of 4.4 million people [2]. A representative action is one of the currently available methods for bringing collective proceedings in England and Wales.

The claim alleged that Google acted in breach of the duty imposed by section 4(4) of the Act by secretly tracking the internet activity of Apple iPhone users, collating and using the information obtained, and selling the accumulated data (it was able to do this by using what has been termed “the Safari Workaround”). The claim was for compensation under section 13(1) of the Act, which provides that an individual who suffers damage by reason of any contravention by a data controller of any of the requirements of the Act is entitled to compensation from the data controller for that damage. No financial loss or distress was alleged.

Mr Lloyd applied for permission to serve the proceedings on Google in the United States. The main issues were: whether the pleaded facts disclosed any basis for claiming compensation under the Act; and if so, whether the Court should or would permit the claim to continue as a representative action.

The Court answered “no” in respect of each issue. The facts alleged did not support the contention that Mr Lloyd or any of the represented claimants had suffered any actual “damage” within the meaning of the Act as a result of the alleged breach (whether financial or non-financial, for example distress). The Court concluded that the essential requirements for a representative action were absent. Mr Lloyd and the represented claimants did not all have the “same interest” within the meaning of the relevant procedural rule. It could not be supposed that the breach of duty or the impact of it was uniform across the entire class of claimants – inevitably, the nature and extent of the breach and the impact it had on individuals would have varied greatly. It was also impossible reliably to ascertain whether any given individual was a member of the represented class.

Finally, in any event, the Court would exercise its discretion against the continuation of the action as a representative action: “It would not be unfair to describe this as officious litigation, embarked upon on behalf of individuals who have not authorised it, and have shown no interest in seeking any remedy for, or even complaining about, the alleged breaches…the Representative Claimant should not be permitted to consume substantial resources in the pursuit of litigation on behalf of others who have little to gain from it, and have not authorised the pursuit of the claim, nor indicated any concern about the matters to be litigated.

We understand that Mr Lloyd has sought permission to appeal the judgment. With the introduction of the EU General Data Protection Regulation and the new Data Protection Act 2018 in May 2018, there was concern that these might open the floodgates to US-style class actions in data breach cases (see our earlier briefing on this topic). The decision in this case suggests otherwise, for now.

In other news…

  • Facebook has been fined £500,000 (the maximum under the Act, which was applicable at the time) by the Information Commissioner’s Office (ICO) in the wake of the Cambridge Analytica scandal. The Information Commissioner will provide a further update on the ICO’s investigation into data analytics for political purposes when she gives evidence to the Department for Digital, Culture, Media and Sport Select Committee on 6 November 2018.
  • Heathrow Airport Limited was fined £120,000 by the ICO after it failed to ensure that the personal data held on its network was properly secured. The ICO’s Director of Investigations said: “Data protection should have been high on Heathrow’s agenda. But our investigation found a catalogue of shortcomings in corporate standards, training and vision that indicated otherwise. Data protection is a boardroom issue and it is imperative that businesses have the policies, procedures and training in place to minimise any vulnerabilities of the personal information that has been entrusted to them”. Among other things, the investigation found that only two per cent of the workforce of 6,500 had received data protection training, and there was widespread use of removable media in contravention of the company’s own policies and guidance.
  • In other recent enforcement action, a marketing company was fined £90,000 by the ICO after millions of nuisance emails were sent to people who had subscribed to websites operated by the company’s affiliates, but who had not given their consent to receive them.
  • The second annual review of the embattled EU-US Privacy Shield, one of the approved mechanisms for the transatlantic transfer of personal data, took place in Brussels on 18 and 19 October 2018. See the joint press statement. The European Commission will publish a report on its findings before the end of the year.
  • The Irish Supreme Court is expected to hear Facebook’s appeal in the Schrems litigation in December 2018. Earlier this year, the Irish High Court referred to the Court of Justice of the European Union 11 questions over the validity of the Commission’s adequacy decisions on model contract clauses, one of the alternative available data transfer mechanisms. A number of the questions refer directly to the Privacy Shield. Facebook was granted unprecedented leave to appeal to the Irish Supreme Court.
  • We reported previously that, on 28 September 2018, Facebook announced that a security issue had been discovered three days earlier affecting almost 50 million of its user accounts. Cyber attackers exploited a vulnerability in Facebook’s code which impacted the “View As” feature. According to a brief statement at the time, the ICO was making enquiries to establish the scale of the breach and to establish if any UK citizens had been affected by it. In an update on 12 October 2018, Facebook said that about 30 million people were affected. Names and contact details of 29 million people were accessed and, in respect of 14 million of them, other details on their profiles including date of birth, relationship status and work.
  • On 26 October 2018, British Airways published an update on the cyber-attack which it first announced in September 2018. It says that the holders of a further 185,000 payment cards may have been affected by the breach. Also, fewer customers were affected than was originally announced. The ICO issued a statement in response.
  • The government is undertaking a survey of UK businesses and charities to find out how they approach cybersecurity and learn more about the cybersecurity issues they face. The fieldwork for the latest survey is taking place by telephone from October to December 2018. Businesses and charities from across the UK have been selected at random. See the webpage for details.
  • On 16 October 2018, the National Cyber Security Centre published its second annual review, looking at the work it has undertaken over the past year.
  • On 19 October 2018, the European Data Protection Supervisor set out the “urgent case for a new ePrivacy law”. Among other things, he said that the adoption of the proposed ePrivacy Regulation is crucial to protect the fundamental rights to privacy and the protection of personal data in the digital age. See the blog post for details.
  • The ICO has welcomed the government’s early signing on 10 October 2018 of the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (known as “Convention 108”), which is the only legally binding international agreement on data protection. It describes the Convention’s modernisation as “a key milestone for global data privacy regulation”. See the ICO’s blog on its international work.
  • In other international news, the Information Commissioner was announced on 23 October 2018 as the new chair of the International Conference of Data Protection and Privacy Commissioners (ICDPPC). At its recent annual meeting, the ICDPPC adopted a declaration on ethics and data protection in artificial intelligence, in order to contribute to the global discussion on this matter.
  • And finally, the ICO published an expanded guide to the Network and Information Systems Regulations 2018 for organisations providing digital services such as online marketplaces, online search engines and cloud services.


[1] WM Morrison Supermarkets Plc v Various Claimants, [2018] EWCA Civ 2339
[2] Richard Lloyd v Google LLC, [2018] EWHC 2599 (QB)