Today the Supreme Court has handed down the much-anticipated judgement in WM Morrisons Supermarkets plc (Appellant) v Various Claimants (Respondent). In a decision that will clearly be welcomed by Morrisons and employers more generally, the Supreme Court concluded that, on the facts, Morrisons was not vicariously liable for the acts of a disgruntled employee who had unlawfully disclosed payroll data relating to over 100,000 colleagues. In doing so, it gave clear and helpful guidance on the scope of vicarious liability (and narrowed the approach taken by the Court of Appeal in these proceedings that had troubled many employers).
From a data privacy perspective however, the results are more mixed for controllers and employers. The Supreme Court’s view is that the Data Protection Act 1998 (and by extension the GDPR as well) is not an all-encompassing regime that excludes other forms of liability and claims.
In particular, a data controller’s compliance with its obligations does not automatically exclude a claim for vicarious liability. That means employers and controllers more generally will still need to manage both their wider fault-based obligations under the GDPR and the Data Protection Act 2018 and strict vicarious liability under the common law or equity. Perhaps unsurprisingly given Morrisons had already established that it had not breached its obligations under the Data Protection Act 1998, the Supreme Court decision doesn’t provide any real guidance on this particular area. However, other cases and decisions have and will likely prove useful, in particular the ICO’s Dixons fine (January 2020) and the British Airways and Marriott final penalty notices, now due on 18 May and 1 June respectively.