Vicarious Liability in Modern Data Regulation
More stringent data regulations went into effect upon the implementation of the new General Data Protection Regulations (GDPR) in the European Union (EU). The GDPR has broadly introduced more extensive laws regarding how personal data is defined as well as how firms process and store personal data, ultimately giving the owner of the data more agency over how it is used. In light of this law coming into force, firms have been reviewing their data protection procedures. However, some firms fail to realize this is not enough to protect them from liability in data breaches.
It is important to establish the impact of the GDPR on data protection regulations in the EU. The GDPR has served to introduce more stringent laws on companies that store and process data, requiring them to come up with better data protection policies. In essence, the GDPR was designed to give citizens within the EU more agency over the use of their personal data. Personal data within the GDPR has been more broadly defined to include IP addresses and biometric information, which were not included in previous regulations. It also calls for more consumer notification, including notification when data is being stored and when there has been a data breach. [1] Finally, it calls for a class of data, personally identifiable information (PII), to be anonymized before storage in order to minimize the impact of a breach on the people whose data is being stored. [2] In essence, this requires firms housed and operating in the EU to be more stringent about the way personal data is handled.
While a firm may try its best to be GDPR compliant, it may still be responsible for an employee’s actions which cause a data breach. The recent case Various Claimants v. WM Morrisons Supermarket (2018) highlights the case of a GDPR-compliant employer held liable after an employee misused work-related data. [3] In this case, the defendant, WM Morrisons Supermarket (WM Morrisons), was compliant with data regulation, but was still liable for claims made by employees whose personal data was breached as a result of the actions of an employee, Mr. Skelton [4]. Mr. Skelton, a manager at WM Morrisons, was responsible for copying employee data and sending it to the supermarket’s auditors, KPMG. In addition to performing his duties, Mr. Skelton copied this information onto a flash drive, which he used to upload the information under a pseudonym on the dark web [5].
The High Court of England and Wales found WM Morrisons was responsible for the noncompliance that arose out of Mr. Skelton’s actions as well as liable for damages through the torts that were brought against the company by employees whose data had been breached. They reached the ruling by using GDPR to extend vicarious liability, “an employer’s liability for the acts of its employees,” to cases of data misuse [6].
The consequence of extending vicarious liability can only be fully understood through an understanding of the Court of England and Wales’ previous interpretations of the term. A commonly cited vicarious liability case is Beard v London General Omnibus (1900), where a bus driver employed by London General Omnibus used an incorrect route, leading to the injury of a pedestrian and raising the question of who should be held liable for his actions, himself or the London General Omnibus [7]. The court ruled that since the action happened in the course of the bus driver’s employment, London General Omnibus was responsible for the accident caused [8]. This case and a similar earlier case also involving London General Omnibus led to the development of the closeness test, a measure for determining whether a tortious act that was committed in the course of employment would hold the employer liable.
According to the test, there are three qualifications for vicarious liability. First, a tort must have been committed. Second, there has to be a relation between the defendant and the wrongdoer (in the scope of employment law, usually the wrongdoer is an employee of the defendant). And finally, there needs to be a connection between the tortious act and the defendant such that the defendant should be held liable for the actions of the wrongdoer (the act has to be committed within the scope of the wrongdoer’s employment) [9].
In WM Morrisons Supermarket, the court ruled that the closeness test was satisfied, even though the tortious act happened when Mr. Skelton was at home, using his personal laptop. The court ruled that because the data was received in the capacity of Mr. Skelton’s employment, it still fit the closeness test. As can be seen, this alters the conditions of the closeness test slightly, making it easier to establish vicarious liability claims and harder for firms to defend themselves. Hence, with the increased protections for data providers under the GDPR as well as the altered closeness test, firms are now in an incredibly constrained condition. In the future, they must not only worry about what data they’re handling, but who is handling it for them.
[1] Palmer, Danny. “What Is GDPR? Everything You Need to Know about the New General Data Protection Regulations.” ZDNet, https://www.zdnet.com/article/gdpr-an-executive-guide-to-what-you-need-to-know/.
[2] “Rules for Business and Organisations.” European Commission - European Commission, https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations_en.
[3] Case Summary: Wm Morrison Supermarkets PLC v Various Claimants - Insurance - Canada. http://www.mondaq.com/canada/x/768192/Insurance/Case+Summary+Wm+Morrison+Supermarkets+PLC+v+Various+Claimants.
[4] Interactive, One North. “WM Morrison v Various Claimants: Employer Vicariously Liable for Data Protection Breach.” Locke Lord, https://www.lockelord.com/newsandevents/publications/2019/01/wm-morrison-v-various-claimants. Accessed 4 Dec. 2019.
[5] “Case Law: Various Claimants v W M Morrison Supermarkets, Employer Liable for Data Breach by Employee Seeking to Damage It – Alex Cochrane.” Inforrm’s Blog, 21 Nov. 2018, https://inforrm.org/2018/11/21/case-law-various-claimants-v-w-m-morrison-supermarkets-employer-liable-for-data-breach-by-employee-seeking-to-damage-it-alex-cochrane/.
[6] “Latest Twist in the Morrisons Case: Supreme Court Grants Morrisons Permission to Appeal.” Data Notes, 23 Apr. 2019, https://hsfnotes.com/data/2019/04/23/latest-twist-in-the-morrisons-case-supreme-court-grants-morrisons-permission-to-appeal/.
[7] “Beard v London General Omnibus Company: CA 1900.” Swarb.Co.Uk, 17 Mar. 2019, https://swarb.co.uk/beard-v-london-general-omnibus-company-ca-1900/.
[8] Beard v London General Omnibus. https://www.lawteacher.net/cases/beard-v-london-general-omnibus.php.
[9] “Vicarious Liability: The ‘Sufficient Connection’ Test.” DAC Beachcroft, https://www.dacbeachcroft.com/en/gb/articles/2016/april/vicarious-liability-the-sufficient-connection-test.