Kerry Underwood



Underwoods Solicitors are acting for the Joint Administrators for The Cambridge Analytica Group of Companies

Kerry Underwood offers consultancy services in relation to this and other matters and details are here.

Please also see yesterday’s blog – Information Disclosure.

Vicarious Liability of Employer for Breach by Data Controller


In WM Morrison Supermarkets Plc v Various Claimants [2018] EWCA Civ 2339 the Court of Appeal upheld the High Court’s finding that the supermarket chain Morrisons was vicariously liable for the actions of one of its employees in deliberately disclosing confidential data about 100,000 of its staff, even though the motive of that employee was to damage Morrisons.

Here, the employee had a grudge against Morrisons after he had been disciplined for unauthorised use of its postal facilities for personal use.

He carefully planned and executed a scheme to post data of 99,998 employees of Morrisons on a file sharing website and sent details to the press.

He was sentenced to eight years in prison.

5,000 employees sued Morrisons and the Court of Appeal upheld the High Court’s decision that there was a sufficient connection between the position in which he was employed and his wrongful conduct, so as to create vicarious liability.

The court also found that vicarious liability of an employer for misuse of private information by an employee and for breach of confidence by an employee is not excluded by the Data Protection Act.

The Act here was the Data Protection Act 1998, but the same principles apply in relation to the current legislation, that is the Data Protection Act 2018.

The Data Protection Act was concerned with the primary liability and obligations of data controllers and not with vicarious liability.

Here it was common ground that the employee, not Morrisons, was the data controller and Morrisons were vicariously liable for the act of the data controller, that is the employee.

Motive is irrelevant and so the fact that Morrisons were vicariously liable for a tort aimed to damage them made no difference. 

Damages for Loss of Access to iTunes, LinkedIn, WhatsApp etc.


In Richmond v Selecta Systems Ltd [2018] EWHC 1446 (Ch) the Chancery Division of the High Court awarded the claimant £1,000 damages for loss of access to his iTunes library and the inconvenience of being unable to access his LinkedIn, WhatsApp and AOL accounts.

The claimant was employed by the defendant. During discussions over his departure, the employer accessed his company-supplied laptop and phone and changed the passwords, causing the loss set out above, as the employer managed to lose the claimant’s iTunes library.

The claimant succeeded in an action for negligence.

The employer was entitled to protect its business interests by discovering whether there was any company information on the phone and iCloud and to delete it, but it was not entitled to alter passwords so as to affect the claimant’s use of his personal accounts.

Google: Action for Damages for Breach of Data Protection Act Fails


In Lloyd v Google LLC [2018] EWHC 2599 (QB) the Queen’s Bench Division of the High Court refused the claimant permission to serve the proceedings on Google, permission being needed as Google is a foreign corporation which had not agreed to accept service of the proceedings.

The claimant alleged breach of duty under the Data Protection Act 1998, the allegation being that in 2011/2012 Google secretly tracked the internet activity of Apple iPhone users and collated that information and sold it.

Mr Lloyd was the only named claimant but was suing in a representative capacity on behalf of other people in England and Wales.

No financial loss or distress was alleged and the claim was for compensation for damage and was made under section 13 of the Data Protection Act 1998.

No other remedy was sought.

The claim was for an equal, standard, tariff award for each member of the class, to reflect the infringement of the right, the commission of the wrong, and loss of control over personal data.

In the alternative each class member sought damages reflecting the value of the use to which the data were wrongfully put by Google.

No specific figure was suggested for the tariff, although a range of figures was put forward, and the letter of claim suggested a figure of £750 per potential claimant.

The claimant’s best estimate is that the class comprises 4.4 million people and Google’s estimate of the potential liability is between £1 billion and £3 billion. In its own summary the High Court said that there was no dispute that it is arguable that Google’s alleged role in the collection, collation, and use of data obtained was wrongful, and a breach of duty.

The main issues raised by the application were:

  • whether the pleaded facts disclosed any basis for claiming compensation under the Data Protection Act;
  • if so, whether the court should or would permit the claim to continue as a representative action.

Here, in a judgment running to 105 paragraphs, the High Court held that the facts alleged in the Particulars of Claim did not support the contention that Mr Lloyd or any of those represented by him had suffered damage within the meaning of section 13 of the Data Protection Act 1998.

In any event, even if it had reached the opposite conclusion, the court would have refused to allow the claim to continue as a representative action because members of the class do not have the same interest within the meaning of CPR 19.6(1) and/or it is impossible reliably to ascertain the members of the represented class and in any event permission to continue the action in this form would be refused as a matter of the court’s discretion.

Section 13 of the Data Protection Act 1998, in so far as relevant, read:

“13. Compensation for failure to comply with certain requirements

(1) An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.”











Written by kerryunderwood

January 17, 2019 at 11:24 am


2 Responses


  1. A very sensible decision, and a well-deserved smack in the chops for Mishcons, who were quite clearly running this litigation for their own benefit and that of the funders.

    As the judge rightly said, none of the people supposedly affected by this technicality has been sufficiently bothered to take any action themselves and the whole action appears to have been a costs-generating exercise, no doubt hoping that Google would write a cheque just to get rid of them. It’s completely unacceptable that hard-pressed court resources should be wasted on this sort of private enterprise.

    Pro Bono

    January 17, 2019 at 1:11 pm

  2. Obviously as senior partner in a firm of solicitors defending data protection claims, I could not possibly comment…..



    January 17, 2019 at 1:41 pm
