Mishcon de Reya page structure
Site header
Main menu
Main content section

Supreme Court rules Morrisons was not liable for 2014 data breach

Posted on 1 April 2020

In a landmark decision today, the United Kingdom Supreme Court has overturned previous rulings, and held that Morrisons was not vicariously liable for the actions of a member of staff who unlawfully disclosed the personal data of thousands of the company's other employees. In siding with Morrisons, the Supreme Court has not given as much attention as one might expect to the underlying data protection law, but focused on the more general issues relating to the law of vicarious liability. The Court held that the wrongful conduct of the employee in question was not so closely connected to the acts he was authorised by Morrisons to do, that those acts could be said to be done by him in the course of his employment.

Commenting on the case, Partner Adam Rose, said "With this judgment, employers – and the insurance sector (which might have been asked to cover a lot of the risk) – can breathe a sigh of relief that they will not be vulnerable to expensive claims arising from the unauthorised actions of rogue employees. They must still comply with the security requirements of GDPR, but – as long as they have done so – they shouldn't find themselves defending an action in which they were also arguably a victim".

Related coverage:
IT Pro
Decision Marketing

How can we help you?

How can we help you?

Subscribe: I'd like to keep in touch

If your enquiry is urgent please call +44 20 3321 7000

Crisis Hotline

I'm a client

I'm looking for advice

Something else