Vicarious Liability for Data Breach: English Law



The Supreme Court of the United Kingdom (“Supreme Court” or “Court”) in WM Morrison Supermarkets plc versus Various Claimants[1] was faced with the question on the vicarious liability of employers for a data breach committed by employees. While this question has not yet arisen under Indian law, given the Puttaswamy judgment[2] – we suspect that it will arise, sooner rather than later.


To fulfil a personal vendetta, an employee of Morrison’s downloaded the entire employee payroll information he had access to and anonymously uploaded the data of almost 1,00,000 employees on the internet and sent CDs of this data to three newspapers. This was brought to Morrisons’s attention, which spent more than £2 Million to handle the aftermath of the leak. The employee was caught and imprisoned, and Morrisons managed to take down the disclosed data.

Thereafter, more than 9,000 former and present employees of Morrisons sued it for breach of statutory duty under the Data Protection Act, 1998 (“DPA”), misuse of private information, and breach of confidence. The claimants alleged that Morrisons shall be vicariously liable for the employee’s conduct.


The trial court held that Morrisons was vicariously liable for Skelton’s breach of statutory duty under the DPA, his misuse of private information, and his breach of duty of confidence; and the Court of Appeals dismissed Morrisons’s appeal against this verdict. The lower courts relied on the 2016 judgement of the Supreme Court in Mohamud versus Wm Morrison Supermarkets plc[3] to hold that Morrisons would be vicariously liable for the employee’s wrongdoings, as there was a significant connection between his employment position and his wrongful conduct. The courts rejected Morrisons’s argument that the wrongful misconduct was not committed in the course of employment because it satisfied the traditional tests of vicarious liability.


The Supreme Court analysed Morrisons’ appeal on two grounds: the first was whether Morrisons was vicariously liable for employee conduct and whether the DPA excluded vicariously liability for statutory offences.

Traditionally, vicarious liability is dependent on the “close connection test”. The underlying principle is that employers are held vicariously liable for an employee when the wrongful act arises within the area of authority given to the employee. The act must, therefore, be so closely connected with the employment so as to be fairly and properly regarded as done by the employee while acting in the course of employment.

In this case, the Supreme Court noted that the employee’s role was to receive, store, and transmit data to a “third party”. While the fact that he disclosed the data to parties other than the one he was supposed to disclose such data to, and that such disclosure was “closely connected” to his role, the leak of such data on the internet did not form a part of the employee’s functions as he was not “authorised” to do so. A “causal connection” by itself would not satisfy the test. Finally, the misconduct was in the context of personal animosity and to fulfil a personal vendetta against his employer, and not in connection with his employer’s business. In this regard, the Supreme Court was of the opinion that the lower courts had wrongly relied on Mohamud.

The Court also observed that the fact that the employee’s scope of employment gave him the opportunity to commit the wrongful act, would not be sufficient to warrant the imposition of vicarious liability. The Supreme Court held that employers will not be liable for an employee’s wrongful act where that act is not engaged in furthering the employer’s business and is an effort to deliberately harm the employer as part of a personal vendetta.  Consequently, no vicarious liability arose in this case.

With this conclusion, while the Court deemed it unnecessary to determine whether the DPA excluded vicarious liability for statutory offence, it agreed to express a view. Under the relevant portions of the DPA, an individual who has suffered damage or distress due to a contravention by a data controller is entitled to receive compensation from that data controller. Since the DPA neither expressly not impliedly excludes it, vicarious liability applies to a breach of obligations imposed by the DPA by an employee in the course of employment.


  • The Indian law on vicarious liability is substantively similar to English law. The decision, therefore, affords significant guidance to businesses that are trying to navigate issues of data leak caused by employee misconduct and otherwise.
  • Similarly, the decision in respect of liability under the DPA is important. Are employers liable for a data breach by an employee acting in bad faith, under the Personal Data Protection Bill, 2019?


[1] WM Morrison Supermarkets plc versus Various Claimants, [2020] UKSC 12

[2] Justice K. S. Puttaswamy (Retd.) and Anr. vs Union of India And Ors., 2017 10 SCC 1

[3] [2016] UKSC 11

For  any comments or queries, do get in touch with us.