10/11/21
LLOYD v GOOGLE LLC [2021] UKSC 50
A claimant cannot recover damages under Data Protection Act 1998, s.13 for loss of control of their data without proving pecuniary loss or distress. In s.13 damage means financial loss or physical or psychological injury and distress. The court also gave guidance on the conduct of representative actions under CPR r.19.6.
1/4/20
W M MORRISON SUPERMARKETS PLC v VARIOUS CLAIMANTS [2020] UKSC 12
An employer was not vicariously liable to employees whose personal confidential information had been misused by being disclosed on the web by the criminal act of an employee (S) who had a grudge against the employer. For vicarious liability, the test was whether disclosure of the data was so closely connected with acts S was authorised to do, that the wrongful disclosure may fairly and properly be regarded as done by S while acting in the ordinary course of his employment [32]. The mere fact that the employment gave S the opportunity to commit the wrongful act was insufficient [35]. On the facts S was not engaged in furthering his employer’s business but pursuing a personal vendetta, so he could not fairly and properly be regarded as having been acting in the course of his employment [47]. In principle, however, the Data Protection Act 1998 does not exclude the vicarious liability of an employer for misuse of private information or breach of obligations at common law or in equity by an employee [55].
2/10/19
LLOYD v GOOGLE LLC [2019] EWCA Civ 1599
A claimant can recover damages for loss of control of their data under section 13 of Data Protection Act 1998 without proving pecuniary loss or distress.
22/10/18
W M MORRISON SUPERMARKETS PLC v VARIOUS CLAIMANTS [2018] EWCA Civ 2339
An employer was liable in damages to employees whose personal confidential information had been misused by being disclosed on the web by the criminal act of an employee (S) who had a grudge against the employer, where disclosure was in breach of statutory duty under s 4(4) of the Data Protection Act 1998 and in breach of confidence. The employer had no direct liability because only S had been the data controller in respect of the information, only S had disclosed and misused the information, and he had done so without the employer’s authority. But the DPA did not exclude the vicarious liability of an employer for misuse of private information or breach of confidence by an employee.