In a judgment of April 1, 2020, the Supreme Court of the United Kingdom ruled, reversing the two lower courts, that the supermarket chain WM Morrison Supermarkets plc was not vicariously liable under civil law for an employee's intentional and unauthorized disclosure of the personal data of almost 100,000 employees. The data breach, a criminal act for which the employee was sentenced to eight years in prison, was not sufficiently connected to the duties of the employee in question. The court paraphrases the relevant standard as follows:
the question is whether Skelton’s disclosure of the data was so closely connected with acts he was authorized to do that, for the purposes of the liability of his employer to third parties, his wrongful disclosure may fairly and properly be regarded as done by him while acting in the ordinary course of his employment.
This was clearly not the case here. It was not enough that the employee's job gave him the opportunity to commit the violation.
Under Swiss law, an employer's civil liability for damages is assessed according to similar criteria:
- Liability for auxiliary persons: Pursuant to Art. 55 of the Swiss Code of Obligations (CO; this usually concerns non-contractual liability cases), the principal is liable for damage caused by an employee or other auxiliary person (provided that person is not an organ; for organs, Art. 55 of the Swiss Civil Code applies), on two conditions: there must be a relationship of subordination between the principal and the auxiliary person (otherwise joint liability of both is possible), and the damage must have been caused by the auxiliary person "in the exercise of official or business activities". The latter requires a "functional connection" between the auxiliary person's activity and the injury. To avert such liability, the principal must prove that it exercised due care, which requires an appropriate work organization. In the area of data protection, this should include an appropriate compliance organization, at least to the extent that compliance is aimed at preventing data protection violations that could cause harm to data subjects (in particular, appropriate data security). Note that an auxiliary person's departure from instructions does not by itself break the functional connection; in such a scenario the proof of exoneration (due care) therefore remains decisive.
- Liability for acts of organs: Pursuant to Art. 55 of the Civil Code or Art. 722 CO, the company is likewise liable for the unlawful acts of its (formal or de facto) organs only if there is a functional connection between the offense in question and the organ's capacity. Here, however, proof of exoneration is by its nature excluded, because the organ is part of the liable entity itself.
The members of the board of directors (BoD) of an AG (Swiss company limited by shares), for their part, are liable to the AG if the latter has become liable because an auxiliary person or an organ caused damage in the required functional context (Art. 717 and 754 CO; if applicable, also where the AG is fined). This presupposes that the BoD member in question breached his or her duty of care and loyalty. Ignorance on the part of the BoD, lack of independence, inadequate organization and lack of resources may therefore give rise to BoD liability.