On 15 April 2019, the UK Supreme Court granted permission to appeal in the data protection group action case of Various Claimants v W M Morrison Supermarkets.  The Court of Appeal ([2018] EWCA Civ 2339) had upheld the Judge’s ruling that Morrisons was vicariously liable for its employee’s data breach.

Permission was granted on all grounds of appeal and the Supreme Court will principally consider:

  1. whether the common law doctrine of vicarious liability is excluded in cases that engage the data protection legislation (i.e. where the primary tortfeasor’s actions amounted to a breach by the tortfeasor of his or her own obligations under the data protection legislation);
  2. whether  the doctrine is excluded in respect of claims brought by reference to the data protection legislation, whether it is equally excluded in respect of any related common law or equitable causes of action; and
  3. if the doctrine is not excluded, whether the Court of Appeal in any event erred when it decided to uphold the conclusion that Morrisons was vicariously liable in the circumstances of the case.

The claim is a group litigation claim on behalf of 5,518 Claimants who are suing Morrisons over the significant data leak, which in 2014 saw a then senior internal auditor at the retailer’s Bradford headquarters copy and then post staff’s payroll information on the internet, including bank account details, dates of birth, salary information, National Insurance numbers, addresses and phone numbers.  We had a post on the Court of Appeal decision on 21 November 2018.

The claimants’ lawyer Nick McAleenan, of JMW Solicitors commented.

“While the decision to grant permission for a further appeal is of course disappointing for the Claimants, we have every confidence that the right verdict will, once again, be reached – it cannot be right that there should be no legal recourse where employee information is handed in good faith to one of the largest companies in the UK and then leaked on such a large scale.

“This was a very serious data breach which affected more than 100,000 Morrisons’ employees – they were obliged to hand over sensitive personal and financial information and had every right to expect it to remain confidential. Instead, they were caused upset and distress by the copying and uploading of the information.