Today’s decision by the Supreme Court to allow the appeal in WM Morrison Supermarkets plc v Various Claimants may on first glance look like a significant setback to privacy advocates. However, the court’s unanimous judgment should be viewed with some relief by those arguing for greater privacy protections. Whilst the Supreme Court ruled that, on the facts, WM Morrisons Supermarkets plc (“Morrisons”) could not be held liable for the actions of its rogue former employee, the court said that, had it been necessary to decide the question, it would have held that the statutory data protection regime did not exclude the imposition of vicarious liability on employers. Furthermore, the decision also provides no protection to companies who have been held to be at fault for a data breach, since data subjects will have a direct right of action against the company in those cases and will not be relying on establishing vicarious liability. READ MORE
Lewis has worked on a significant number of high-profile international data breaches and regulatory investigations, and works with experts from forensics, consulting and cybersecurity to help clients respond to cyberattacks and data privacy incidents.
Although Lewis focuses on contentious incident response matters, he has experience in data protection advisory projects, and is able to assist clients in developing risk mitigation strategies and to understand the practical and organisational challenges of the GDPR and the wider data protection environment.
Posts by: Lewis Brady
We expect national and international privacy regulators to take a pragmatic and reasonable approach to helping organisations navigate data protection compliance during the current COVID-19 crisis. This week, both the European Data Protection Supervisor (the “EDPS”) and the UK’s Information Commissioner’s Office (the “ICO”) have shown that expected pragmatism. READ MORE
Over the past few days, commentators and, in some cases, government ministers have stated that the GDPR (and by association the Data Protection Act 2018) are preventing some organisations from providing a comprehensive response to the COVID-19 crisis. READ MORE
The decision to appeal a regulatory finding is never taken lightly. By the time a regulator has completed its investigation and notified a company of its intention to fine, the company will have invested significant time and money in responding to the regulatory investigation. As such, there is a real temptation to accept the fine and the accompanying statement from the regulator and move on.
However, in the case of recent regulatory findings, fines and intentions to fine issued by the UK’s Information Commissioner’s Office (the “ICO”) against British Airways, Marriott and Dixons Carphone, all three companies have appealed or indicated an intention to appeal despite the significant difference in the levels of the fines/intentions to fine. In our view, this is related to the spectre of an emerging class action litigation culture in the UK that increases the stakes for any company facing negative regulatory findings.
In this UK-focused blog we explore the potential motivation behind these decisions to appeal, why we expect to see more companies taking this approach in the future, and the steps to be taken in order to appeal decisions by the ICO and we also consider whether the companies that have failed to appeal and are now facing class actions made the right decision when they elected not to appeal.