Judgment offers some comfort for data controllers, without eliminating the possibility of vicarious liability based on an employee’s actions.

By Ian Felstead and Calum Docherty

The UK Supreme Court (UKSC) has ruled that WM Morrisons Supermarkets plc (Morrisons) was not vicariously liable for the actions of a rogue employee who leaked the personal payroll data of 98,998 co-workers. The UKSC unanimously overturned a 2018 Court of Appeal judgment, and allowed Morrisons’ appeal against vicarious liability claims relating to breach of statutory duty under the Data Protection Act 1998 (DPA 1998), misuse of private information, and breach of confidence.

In its judgment, the UKSC found that Morrisons was not vicariously liable for the data breaches committed by its rogue employee, because the rogue employee’s “wrongful conduct was not so closely connected with acts which he was authorised to do”,  but held that the DPA 1998 does not exclude the imposition of vicarious liability. It is uncertain whether the same interpretation applies under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.