UK Supreme Court: no employer liability in case of an employee's independent data breach

In a judgment of April 1, 2020, the Supreme Court of the United Kingdom ruled, contrary to the two lower courts, that the supermarket chain WM Morrison Supermarkets plc was not liable (under civil law) where an employee intentionally and without authorization disclosed personal data of almost 100,000 employees. This data breach, here criminal and punishable by eight years in prison, was not sufficiently related to the duties of the employee in question. The court paraphrases the relevant standard as follows:

"the question is whether Skelton's disclosure of the data was so closely connected with acts he was authorized to do that, for the purposes of the liability of his employer to third parties, his wrongful disclosure may fairly and properly be regarded as done by him while acting in the ordinary course of his employment."

This was clearly not the case here. It was not sufficient that the employee's role merely gave him the opportunity to commit this violation.

Under Swiss law, the employer's civil liability for damages is assessed according to similar criteria:

  • Liability for auxiliary persons: Pursuant to Art. 55 of the Swiss Code of Obligations (CO; this usually concerns non-contractual liability cases), the principal is liable for damage caused by an employee (if the employee is not an organ; otherwise Art. 55 of the Civil Code applies), provided that there is a relationship of subordination between the principal and the auxiliary person (otherwise joint liability of both is possible) and the damage was caused by the auxiliary person "in the exercise of official or business activities". This requires a "functional context" between the activity as an auxiliary person and the injury. To avert such liability, the employer must exercise due care, which requires an appropriate work organization. In the area of data protection, this should include an appropriate compliance organization, at least to the extent that compliance is aimed at preventing data protection violations that could cause harm to the data subject (this should include, in particular, appropriate data security). Notably, a deviation by the auxiliary person from instructions does not by itself eliminate the functional connection, which is why the exoneration evidence remains decisive in such a scenario.
  • Liability for the acts of organs: Pursuant to Art. 55 CC or Art. 722 CO, the company is likewise liable for the unlawful acts of its (formal or de facto) organs only if there is a functional connection between the offense in question and the organ's capacity. Here, however, proof of exoneration is naturally excluded (because the organ is part of the liable entity itself).

The members of the board of directors (BoD) of an AG, for their part, are liable to the AG if the latter has become liable because an auxiliary person or an organ has caused damage in the required functional context (Art. 717 and 754 CO; if applicable, also if the AG is fined). This presupposes that the BoD member in question has breached his duty of care and loyalty. Ignorance on the part of the BoD, lack of independence, inadequate organization and lack of resources may therefore give rise to BoD liability.
