Summary

The Supreme Court considered the question of whether or not a company is vicariously liable for data breaches as a result of illegal acts by employees. It was before Lady Hale, Lord Reed, Lord Kerr, Lord Hodge, and Lord Lloyd-Jones. It was a unanimous decision that overturned the Court of Appeal decision that had found Morrisons liable.

The questions for the Supreme Court were as follows:

• Whether Morrisons is vicariously liable for the employee’s conduct.

• Whether the Data Protection Act 1998 (“DPA”) excludes the imposition of vicarious liability for statutory torts committed by an employee data controller, and for misuse of private information and breach of confidence.

The cases and legislation mentioned in this podcast are:

Mohamud v William Morrison Supermarket Plc [2016] UKSC 11

The Data Protection Directive 95/46/EC 

The General Data Protection Regulation (EU) 2016/679 

Majrowski v Guy’s and St. Thomas’s NHS Trust [2006] 3 WLR 125

Barclays Bank plc (Appellant) v Various Claimants (Respondents) [2020] UKSC 13

The Catholic Child Welfare Society & Ors v Various Claimants [2012] UKSC 56

Armes v Nottinghamshire County Council [2017] UKSC 60; [2018] AC 355