Throughout the world, the Internet, information, and communication technologies (ICT) such as smartphones and computers undeniably play a significant role in the modern world of work. Within the South African context, employers and employees can conclude valid and enforceable employment contracts via e-mail, SMS or other electronic communication methods (see Jafta v Ezemvelo KZN Wildlife  10 BLLR 954 (LC)), valid resignations can be made electronically (see Sihlali v SA Broadcasting Corporation Ltd (2010) 31 ILJ 1477 (LC);  5 BLLR 542 (LC)), and dismissals can be fairly made on grounds of derogative and/or offensive statements made by an employee on social media (see Sedick and Another v Krisray (Pty) Ltd  8 BALR 879 (CCMA) and Fredericks v Jo Barkett Fashions  JOL 27923 (CCMA). For defamatory statements posted or liked on social media by an employee see H v W  2 All SA 218 (GSJ)).
These instances accordingly mark the intersection between workplace law and cyberspace law. This (established relationship between cyber law and workplace law), however, is rather gradually strengthening along with risks that companies or corporations may inevitably endure. For an example, an employee who commits criminal or delictual conduct(s) (such as defamation or unlawful processing of personal information) online against a party other than the employer, could put his or her employer at a very precarious position.
Moreover, delictual claims or damages arising from that specific conduct may be attributable to the employer under the common law doctrine of vicarious liability. This developing trend is seen in English case law, which is the point of departure for this paper. Brief recommendations are made at the end of this paper in order to protect employers.
Breach of data protection: The United Kingdom’s approach
- Various Claimants v Wm Morrisons Supermarket PLC  EWHC3113 (QB)
In the United Kingdom, Andrew Skelton, a Senior IT Auditor in Morrisons’ employment, was arrested and charged with an offence under the Computer Misuse Act 1990 both of fraud and under s 55 of the Data Protection Act 1998 (DPA), tried at Bradford Crown Court in July 2015, and convicted (Wm Morrisons Supermarket at para 8). Skelton had posted a file containing personal information of 99 998 employees of the defendant (Morrisons) on a file sharing website (Wm Morrisons Supermarket at para 2). Morrisons’ head management was later alerted to the disclosure and within a few hours, they had taken steps to ensure that the website had been taken down (Wm Morrisons Supermarket at para 4. For a take-down notice in South Africa, see s 77 of the Electronic Communications and Transactions Act 25 of 2002). Claimants, however, sought the court to hold Morrisons vicariously liable under s 4(4) of the DPA, at common law for misuse of private information and for breach of confidence (equitable claim) (at para 9).
Section 4(4) reads:
‘Subject to section 27(1), it shall be the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller.’
To clear any confusion, Langstaff J explicitly outlined that ‘duties under section 4, and generally within the Act, are imposed upon a data controller, even if a third party may be guilty of a criminal offence under section 55 of the Act as was Skelton here’ (at para 44). In determining who the data controller is, the court relied on paras 70-71 made by Lewison LJ in Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd  EWCA Civ 121. The paragraphs read as follows:
‘70. A data controller is a person who makes decisions about how and why personal data are processed. It is clear from the terms of section 7(1)(a) that the data controller is responsible for persons who process data on his behalf. Thus, it follows that a person who processes data as agent for a data controller is not himself a data controller in respect of those data. Even where decisions about data are taken by natural persons, they will not themselves be data controllers if those decisions are made as agents of a company of which they are directors: Re Southern Pacific Personal Loans Ltd  EWHC 2485 (Ch);  Ch 426 at .
- On the other hand, if they are processing personal data on their own behalves they will be data controllers as regards that processing and those data. The question may then arise whether they are entitled to one or more exemptions under the DPA.’
Langstaff J continued to say that the DPA ‘imposes liability on a data controller not only for those breaches it has authorised or facilitated … but also for those it has neither facilitated nor authorised’ (at para 49). Along the same lines he adds:
‘If a corporation (or individual) is to be liable for breaches which it is in no sense responsible for either authorising or requiring, but which are committed by employees acting in contravention of its wishes, that liability may be established vicariously – but not directly’.
In his verdict, Langstaff rejected the argument that the DPA does not hold Morrisons vicariously liable in actions for misuse of private information or breach of confidentiality (at para 197). Leave to appeal was granted and the matter was not contested.
South Africa’s (SA) approach
In 2013, SA enacted the Protection of Personal Information Act 4 of 2013 (POPIA) with the aims of protecting personal data and holding liable parties responsible for breaching data protection provisions. Section 99(1) reads as follows:
‘A data subject or, at the request of the data subject, the Regulator, may institute a civil action for damages in a court having jurisdiction against a responsible party for breach of any provision of this Act as referred to in section 73, whether or not there is intent or negligence on the part of the responsible party.’
According to Millard and Bascerano, the term ‘responsible party’ is ‘undoubtedly a synonym for “employer” in this context’ (Daleen Millard and Eugene Gustav Bascerano ‘Employers’ statutory vicarious liability in terms of the Protection of Personal Information Act’ (2016) 19 PER 1). This is undisputedly an accurate definition of ‘responsible party’, which rightly emulates the court’s approach in the Morrisons case as discussed above. From this perspective, employers remain vulnerable to lawyers who may exploit this new phenomenon to the detriment of employers’ business.
Another statutory provision that provides vicarious liability is s 60(1) of the South African Schools Act 84 of 1996. The section unambiguously reiterates that ‘[t]he state is liable for any delictual or contractual damage or loss caused as a result of any act or omission in connection with any school activity conducted by a public school’. Although the Act does not define ‘any school activity’, the term should be understood to extend to activities performed in cyberspace, whether through social media accounts or e-mails.
Accordingly, where there is no explicit statutory provision providing for vicarious liability, the common law doctrine of vicarious liability applies. Understood in the context of cyberspace, this means that where an employee posts defamatory statements or hate speech through his social media account, which may give rise to delictual claims, in the ‘“ … course and scope of employment”, the employer can be held vicariously liable’ (Susan Abigael Coetzee ‘A legal perspective on social media use and employment: Lessons for South African educators’ (2019) 22 PER 1 at 9).
Implications of the POPIA
Although the POPIA does not explicitly contend provisions in respect of indirect liability, the implication is that, as stated above, the terms ‘responsible party’ will in all probability be construed and interpreted to refer to an employer. Such interpretation carries with it harsh penalties in the form of a fine and/or imprisonment for a period not exceeding ten years, as provided by s 107 of the POPIA. This denotes that while a company may be fined, its responsible employee may serve up to ten years in prison on the same set of facts. However, s 106 has the effect that a company is not liable for an unlawful conduct by its employee on cyberspace, if such employee fails to prove that they acted in the reasonable belief that they would have had the consent of the company, and if such employee has no other defence.
To minimise exposure to risks posed by negligent or wrongful use of cyberspace by employees, it is advisable that employers exercise the following recommendations:
- Research customs practiced by companies or corporations in protecting personal and organisational data and regulating use of electronic facilities at work.
- Incorporate the findings of your research in your Code of Conduct.
- Monitor any disruptive incoming and outgoing correspondences and behaviour by employees and respond immediately thereto, without violating the right to privacy.
- Establish a culture of cybersecurity, a strict work-related use of electronic facilities by educating employees on the value of your company’s data, and the failure to utilise electronics for employment responsibilities.
- Ensure strict adherence to provisions of POPIA and other relevant provisions providing recourse of vicarious liability.
- Limit personal and organisational data to those trusted employees who need access to that specific data in order to carry out their employment duties.
- Prepare an action plan to safeguard against any internal or external cyber-attacks.
Overall, although the use of cyberspace undoubtedly simplifies work for both employers and employees, it however, equally poses risks to employers who unfortunately have to deal with consequences of their employees under the doctrine of vicarious liability. The conclusion reached in this advocacy, that employers can be held vicariously liable for their employees’ conduct on cyberspace, is supported above by academic literature and an international case law. Employers can minimise exposure to liability by exercising the recommendations provided in this paper.
Source: De Rebus 1 August 2021 : By Luphumlo Mahlinza (Luphumlo Mahlinza LLB (UFH) is a candidate legal practitioner at Mankayi-Masoka Attorneys in King William’s Town.)