Retail Bulletin - Winter 2017/18

In this edition we look at:

Employee leaks personal data and company is found liable

Various Claimants v WM Morrison Supermarket Plc [2017] EWHC 3113 (QB)A Morrisons' employee committed a breach of the Data Protection Act 1998 (DPA), releasing personal information of around 100,000 employees onto the internet and sending it to a number of newspapers. He downloaded it onto a data storage device and transferred it to his home computer, from which he orchestrated the leak. The employee in question worked as a Senior IT Auditor and was provided with access to the personal data as part of his role. The release of data appears to be a retaliation against disciplinary action taken by Morrisons, and the breach was, in the words of the judge at his criminal trial, designed "to do as much damage to Morrisons as could be achieved." The employee was convicted under the Computer Misuse Act 1990 and the DPA. Around 5,500 of the data subjects brought a claim against Morrisons:

  1. for breach of the DPA; and
  2. alleging that they were in any case vicariously liable for the actions of the employee.

The claim failed on the first part, as Morrisons were found not to have been in breach of the DPA. But (and this is the alarming point for retailers) Morrisons were found to be liable for the employee’s breach, and therefore responsible for the losses of the claimants.It was held that the employee had become a data controller and it was on this basis that the court decided that Morrisons were not themselves in breach of the DPA. They had in place systems and processes that the court (as well as the ICO, who had also investigated) felt were appropriate. The employee had legitimate access to the data. Morrisons had data protection systems in place, and swiftly arranged for personal data to be taken down from the internet. And yet, despite the fact that there was nothing Morrisons could do, the judge decided that the employee’s acts were connected: “there was an unbroken thread that linked his work to the disclosure: what happened was a seamless and continuous sequence of events.”

The case will go to appeal - we will be watching keenly to see what happens next.


The Morrison’s case is interesting on a number of levels. Most notably, the imposition of vicarious liability on a company for the data breach actions of its employee, particularly in malicious circumstances such as this, is alarming for businesses as they are unable to control all of the actions of their employees.

Morrisons’ potential liability as a result of the judgment cannot be overstated. While only 5,500 employees brought the action, other individuals could bring claims for damages following on from this decision; Morrisons may need to compensate up to 100,000 people for loss. Potential liability is high, and there seems to have been nothing Morrisons could have done to avoid it.

It is particularly interesting that Morrisons were found not to have breached the DPA themselves. The imposition of liability for the employee seems to be based on the fact that he could download the data in the course of his employment, and yet the judge did not feel that giving him access was unlawful on Morrisons’ part. He needed access to carry out his job. 100,000 individuals did, or could have, suffered harm because of a data breach. Advocates for those individuals will argue that it is the job of the justice system to work out how to protect them, as innocent parties. As this case shows, that is not always straightforward.

On a practical level, if the case stands it looks to open up a new market in data breach insurance. It may be worth assessing your own coverage.Finally, it goes without saying that as the GDPR compliance deadline (25 May 2018) approaches, data protection should be on everyone’s radar. Companies considering their own systems may wish to take note of the following statements of the judge, which emphasise a proportionate approach which is more onerous on larger companies: “I would expect a higher standard to be observed as to the measures appropriate to protect data relating to 100k employees than I would expect in respect of a small enterprise employing 6 or 7 workers… with economies of scale, measures that might be prohibitively expensive if analysed per head of a small workforce may seem relatively insignificant if spread over the headcount of a large corporate employer”.

Jessica Matthews Solicitor 0345 166

UK Retailers Consider the Impact of the Latest Rise in the National Living Wage

The National Living Wage is set to increase from £7.50 per hour to £7.83 per hour for workers aged 25 and over from April this year taking it one step closer to the Government’s target of £9.00 per hour by 2020.


For some retailers this will be an additional blow as trading was mixed over the Christmas period. As a result many retailers will consider covering the increased cost by cutting staff hours and reducing staff numbers, mostly by not replacing employees when they leave. Others may look to recruit more employees under 25. In addition, companies are turning to technology to replace people and for example are installing more self-service and self-scanning technology to try and reduce staff labour costs. We have recently seen Stores in the US who now have no people on their checkouts.Many shop workers have already been made redundant from leading UK store chains as a result of financial pressures and new technology rendering many low-skilled jobs obsolete. Tesco and Sainsbury’s, for example, have announced that they are axing thousands of in-store roles as they face rapidly changing shopping habits, the rise of online shopping and a raft of cost headwinds, including the national living wage and the apprenticeship levy. Supermarkets have claimed that these reorganisations are to ensure efficiency in stores however it is inevitable that the rise of the national living wage amongst other financial pressures will bring with it a need to offset costs.

Key Considerations

Before taking the decision to undertake a transformation project including cutting staff numbers employers should consider;

  • Whether there are unions or elected staff forums already in place who should be consulted with;
  • Consultation requirements (depending on the number of people affected) - to avoid employers also being hit with protected awards;
  • How to best manage the communication of the changes both internally and externally to minimise impact on brand and morale;
  • Whether relocation of staff and the offer of voluntary redundancy can be used to minimise the number of compulsory redundancies; and
  • Whether it has sufficient internal resource to manage the project.


Can you Restrict sales channels in Distribution Agreements without it being anticompetitive?

The Court of Justice of the European Union recently determined that Luxury goods suppliers are entitled to set certain restraints on their authorised distributors with regard sales channels that they can use, including restrictions from selling their branded products on third-party e-commerce platforms such as Amazon and eBay.

This was the decision in the recent case of Coty Germany GmbH - a seller of luxury cosmetics and its authorised distributor Parfumerie Akzente GmbH .Coty, like many luxury brands, in its agreements with distributors, imposes requirements relating to the approval of location of bricks and mortar stores and prescriptive rules on amongst other things decor, cleanliness and signage. In addition it also has particular requirements regarding e-commerce sites to preserve the ‘look and feel’ and character of the products.

The court confirmed that distribution agreements containing restrictions are permissible where:

  • Distributors are selected on the basis of objective criteria laid down uniformly and not applied into discriminatory faction
  • The characteristics of the product in question necessitate such a network to preserve the quality and ensure proper use
  • The criteria laid down did not go beyond what is necessary

The court held that restrictions on selling the products under a different name or engaging an unauthorised third-party to sell the product can be restricted. Hence sales through discounters, clearance houses and sites such as Amazon and eBay can be restricted/ prevented as they are not conducive to the ‘luxury image’.It also held that Coty could restrict Internet sales through a specific portal only because this restriction applied to other distributors too and was objective and uniform. Also it was appropriate because the aim was to support the preserving of the luxury image of the goods in question.

It is still the case that an absolute prohibition on Internet sales would not be effective and would be unlawful. For example, if Coty had banned internet sales completely or had required a pharmacist to be present for all sales (effectively preventing internet sales) then this would have been unlawful as such a restriction would have been unjustified.


It’s very important for suppliers of luxury goods to ensure the aura of luxury and the prestige of the products is maintained. This case shows that the European courts recognise this fact and are prepared to enforce restrictions. However this will probably not be the case for more ordinary goods where there are large volumes of sales eg Branded running shoes or sportswear. Here the items are not really luxury and little damage would be done where products are discounted.

Cases considered

Coty Germany GmbH v Parfumerie Akzente GmbH 6 December 2017Philippa Dempster Managing Partner 0345 274


The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.