The High Court has dismissed a claim against Google and its subsidiary DeepMind for damages for misuse of private information.
In October 2015, the Royal Free London NHS Foundation Trust transferred patient-identifiable medical records, without the patients’ knowledge, to DeepMind to develop an app to assist clinicians with detecting and treating acute kidney injury.
Mr Prismall brought a representative action under CPR 19.6 (now 19.8) on behalf of 1.6m patients affected. The claim was originally for breach of statutory data protection rights but was reissued following the Supreme Court's decision in Lloyd v Google as a claim for misuse of private information.
As in Lloyd, in order to satisfy the requirement under CPR 19.8 that all members of the class have the “same interest” in the claim, Mr Prismall sought damages on the “lowest common denominator” basis, and only for the loss of control over private information, which he alleged all class members suffered to the same basic degree.
The claim was dismissed for two key reasons.
- There was no commonly held reasonable expectation of privacy across the class.
In order to satisfy the “same interest” requirement, Mr Prismall had to show that every class member had a reasonable expectation of privacy in their information that passed the minimum “seriousness” threshold, irrespective of the expectation that each class member had in their particular circumstances.
Assessing the “irreducible minimum” situation amongst the class members as the basis for the claim, the Court determined that this would include a scenario where, for example, the patient’s information (such as the fact of a hospital attendance) was already in the public domain and no upset or concern was caused by the data transfer and storage. Accordingly, there was no such commonly held reasonable expectation of privacy.
- In any event, there was no realistic prospect of Mr Prismall recovering anything more than nominal or trivial damages on behalf of the class for loss of control over their information (assuming loss of control damages could be claimed at all, which was not an issue the Court addressed).
Again, in order to satisfy the “same interest” requirement, Mr Prismall could not rely on the particular circumstances of individuals to demonstrate that they were likely to recover meaningful damages (because those circumstances did not apply across the class) but on the “irreducible minimum situation” (as above). That meant that he could not show that each individual suffered a meaningful unlawful interference with their right to privacy, meaning the representative action must fail.
The claim reiterates the difficulties faced by claimants looking to use the representative action procedure in CPR 19.8 to seek redress for alleged infringements of their data privacy rights.
The judgment highlights the "inherent difficulties" with bringing claims as representative actions where the components for both liability and the remedy sought would usually be assessed on an individualised basis.
To be potentially viable, any such claims are likely only to be allowed to proceed as representative actions where there is a substantially narrower cohort of individuals represented, with greater commonality of interests and fewer individual characteristics determining the nature and value of their claims, compared to the wide class Mr Prismall purported to represent. However, given the low level of damages each such class member would expect to recover in a data privacy context, that makes such claims significantly less attractive for claimant firms and funders.
The judge reiterated the examples given by Lord Leggatt in Lloyd as to circumstances where representative actions may be more appropriate: where, for example, every member of the class had been wrongly charged the same fixed fee or had acquired the same product with the same defect, reducing its value by the same amount.
She also noted Lord Leggatt’s comments in Lloyd that there may be advantages to a bifurcated process in which claimants seek to determine common issues of fact and law first through a representative claim, with elements requiring individual determination to be dealt with in separate individual claims thereafter. However, as in Lloyd, that process had not been proposed in Prismall and it is unlikely in any event that such an approach would be economically proportionate for many mass data privacy claims.
Overall, while not unexpected following the outcome of Lloyd, the judgment could add to calls by activists and interested parties for the English Courts to offer better means of collective redress. Mr Justice Knowles emphasised earlier this year that the demand for legal systems around the world to modernise and become more flexible in this respect will increase in a complex world.
In a data privacy context in particular, options for claimant groups – even in cases of allegedly serious infringements – are limited given (a) the unsuitability of the group litigation order procedure to such claims (b) judgments like those in Lloyd and Prismall dismissing representative actions, and (c) the Competition Appeal Tribunal’s recent refusal to certify a collective claim against Meta for alleged breaches of competition law related to data privacy issues.