The death-knell for privacy class actions? Case against Google and DeepMind fails

Insight

25.05.2023

On 19 May 2023, the English High Court delivered its judgment in the case brought by Andrew Prismall against Google and DeepMind Technologies.

We wrote about this case in our recent article on the Österreichische Post (OP) decision of the CJEU which you will find here. As we explained, the Prismall case was set to determine whether framing a data privacy claim as one for misuse of private information (MPI) means that it can be brought as a representative (opt-out) claim.

In a further blow to potential claimants wishing to bring such claims, the English High Court has now struck out and granted summary judgment on Mr Prismall’s claim. The reasoning echoes that set out in the UK Supreme Court’s decision in Lloyd -v- Google when it struck out a representative claim brought for breaches of data protection laws.

So, we again see that the English courts are making it very difficult for claimants to recover compensation when data privacy rights are infringed and there is no evidence relied upon to show substantial harm or distress. We set out below the background to the Prismall case and why the Judge struck it out.

Background

Andrew Prismall brought a representative action on behalf of 1.6 million patients against Google and DeepMind Technologies. The case concerns patients’ records transferred by a hospital to DeepMind Technologies in relation to the development and testing of an app used for the detection, diagnosis and prevention of kidney disease.

In 2017, the UK data protection regulator (the Information Commissioner) described this transfer as a misuse of patient data. However, the High Court representative action brought by Mr Prismall did not proceed as a breach of the patients’ data protection rights (the type of claim which failed in Lloyd -v- Google and which we wrote about here). Instead, it was framed as a Misuse of Private Information (MPI) claim. Mr Prismall asserted on behalf of the 1.6 million patients that the mere “loss of control” over their private information (comprising medical records) attracted compensation. This was based on an earlier decision in the MPI case of Gulati v MGN Ltd [2015] EWHC 1482 (arising out of the phone hacking cases). Mr Prismall argued that all of the class he was representing had lost control over their private information at least to some extent when it was handed over to DeepMind. Therefore, he argued that compensation should be calculated by reference to this minimum harm without proving anything more. In this way, Mr Prismall said the “same interest” test necessary to bring a representative claim was satisfied.

The MPI claim is rejected

In analysing whether all members of the claimant class had the same interest, Mrs Justice Williams discussed the need for all members of that class to have a realistic prospect of establishing a reasonable expectation of privacy in the relevant data and demonstrating that the impact is above a de minimis threshold.

The Judge focused on the lowest common denominator element of the claim by describing what that lowest common denominator might look like (ie describing the harm that all members of the class had to have suffered, but not examining the greater levels of individualised harm that could have been caused to some of them). This analysis involved considering a hypothetical example of what such a patient might have experienced. The Judge gave an example of what the lowest common denominator of the class might look like, including: that the patient attended the hospital once; their medical condition did not involve any particular sensitivity or stigma; there was limited demographic information about them being shared with the Defendants; no further record relating to them had been generated by the Defendants; and the data subject had put into the public domain that they had attended the hospital concerned (there were examples of patients who would have fallen into the claimant class expressing their gratitude in the media).

Based on this scenario, the Judge determined that the action was unsustainable in its current form. Approaching matters on this lowest common denominator basis, and leaving individualised factors out of account, it could not be said that any member of this claimant class had a reasonable expectation of privacy. Various factors contributed to this decision, including that (at the lowest common denominator level) the supposedly private information was in fact likely be anodyne and because they had to be regarded as having placed their information into the public domain (which inevitably undermines the argument that there is a reasonable expectation of privacy). For similar reasons, it was concluded that there was not a viable claim for an entitlement to more than trivial damages, so that the de minimis threshold was not satisfied either.

If the damages were approached by looking at the harm suffered by each member of the claimant class individually, the claim could not constitute a representative action as the class no longer satisfied the same interest test. These flaws meant that the claim should not proceed.

Comment

This case again demonstrates the difficulties faced by claimants seeking to bring claims for compensation for breaches of data privacy rights. The strictness of the “same interest” test largely precludes a representative action and bringing claims on an individual basis is likely to be uneconomic in the vast majority of cases, given the legal costs involved. Opt-in Group claims might still be brought, but claimants’ lawyers and litigation funders have struggled to persuade impacted individuals to positively join in such proceedings. The options available for such claims continue to narrow to the point where they are beginning to appear largely unviable. That will at least give defendants some comfort in a week when Meta has been fined €1.2 Billion by EU data protection regulators (which we have written about here).

Given the decisions in Lloyd and now Prismall, it seems likely that the only route to a viable regime for opt-out class actions in the context of data privacy will be if the government creates a bespoke regime (as is the case in competition law). The government has previously declined to take such a step (which it could do pursuant to the provisions of Article 80(2) of the UK General Data Protection Regulation), but it remains a possibility now that the door appears to have been largely closed under the current representative claim regime.

This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.