Counsel to claimants against Morrisons has told the Court of Appeal of England and Wales that a data leak by a rogue employee falls under common law rather than data protection statute, as the supermarket was not the data controller when the conduct occurred.