Strike-out of data class action against Google and DeepMind

The Court has struck out Andrew Prismall's representative claim brought on behalf of a class of c.1.6 million NHS patients (see our earlier article here). The claim, issued as a representative action under CPR 19.8(1), arises from the transfer of alleged patient identifiable medical records held by the Royal Free London NHS Foundation Trust to Google UK Limited and its subsidiary DeepMind Technologies Limited ("DeepMind").

The decision is significant because the claim was seen as a potential way to circumvent the implications of the decision at the end of 2021 in Lloyd v Google which effectively prevented data subjects from bringing mass claims for alleged breach of data protection legislation without proof of actual loss (see our earlier article here). Instead, Mr Prismall's claim was brought under the common law tort of misuse of private information ("MOPI").

However, Mr Prismall's representative claim was unsuccessful and struck out. The Court found that, to satisfy the "same interest" requirement of CPR 19.8(1), the claim could only be pursued on a "lowest common denominator" approach, which required the Court to boil down  the variables in the patients' circumstances to an "irreducible minimum". Once that had been done, the only common adverse allegation over DeepMind's processing was the "sheer fact of the loss of control" over the patients' data. Mr Prismall had no realistic prospect of establishing that such loss satisfied the requisite limbs of a MOPI claim, or that the data subjects suffered anything more than trivial damages.

CPR 19.8(1) and the Claim

CPR 19.8(1) is seen as a potentially powerful tool to obtain collective redress for data subjects that may not individually have the resources to pursue legal action following a data breach. It requires each member of the claimant group to share the "same interest".

DeepMind was involved in the development of an app for the NHS called Streams; it received a one-off transfer of data from the NHS in connection with that project. The data transfer itself was not impugned. Instead, Mr Prismall alleged that Google/DeepMind had wrongfully interfered with patient information, including by storing the medical records prior to Streams becoming operational and using the data to prove DeepMind's general capabilities and/or enhance its future commercial prospects.

In order to establish his CPR 19.8(1) MOPI claim, Mr Prismall therefore had to demonstrate that Google / DeepMind had unlawfully interfered with the same reasonable expectation of privacy that he and the 1.6 million NHS patients shared over their data.  Had Mr Prismall been successful, any MOPI decision that he obtained against Google / DeepMind would have been binding and enforceable by each of the 1.6 million NHS patients.

Google / DeepMind's application to strike out the claim

Google / DeepMind applied to strike out the claim on the basis that:

• the circumstances of the class members were so varied that there was no real prospect of establishing the "same interest" requirement of CPR 19.8(1) representative actions; and
• even if all individualised aspects of the case were removed to identify a "lowest common denominator" between the claimants, the claim was not viable. It could not be said that any individual suffered any more than trivial damages so as to found an actionable claim.

The Judgment

The judge largely agreed with Google / DeepMind. It became common ground in the hearing that the CPR 19.8(1) "same interest" requirement could only be satisfied if the claim was pursued on the "lowest common denominator" approach given the variance in circumstances alleged by the patients. Therefore, any individual variables that increased the strength of the case against Google / DeepMind had to be discounted by the Court, but the Court had to factor in any variables that decreased it.

Using this guide, the Court constructed an "irreducible minimum scenario" that could be said to apply to each member of the class but, as a consequence, involved relatively anodyne processing of their data. The Court found that the only common adverse effects were that the data was stored (securely) for 12 months before being used for the Streams project, and patients were not aware and had not consented to its (otherwise anodyne) processing.  

The Court therefore found that each member of the claimant class did not have a realistic prospect of establishing a reasonable expectation of privacy (i.e. that their medical records would not be used in the way that they were), or of crossing the de minimis threshold in relation to such an expectation. Mr Prismall therefore could not satisfy the cause of action for a MOPI claim on behalf of the represented group.

The Judge also commented that, while Lloyd v Google had established that "loss of control" damages were in principle actionable, once the judge had reduced the alleged circumstances of the case to its "irreducible minimum", Mr Prismall had no realistic prospect of demonstrating more than nominal damages for each member of the class.

The judge therefore concluded that not every member of this class had a realistic prospect of establishing a MOPI claim on the non-individualised basis. As the claim could not easily be amended to cure this "fatal" flaw, and there was no other compelling reason for it to proceed, the Court held that it must be struck out.

Conclusion

The decision demonstrates the ongoing challenges to bringing mass data claims in a way that is both comprehensive (collective action) and effective. Indeed, this case suggests, somewhat counterintuitively, that the greater the number of data subjects potentially affected by an event and represented in a group, the more likely the claim will be reduced to a toothless minimum: the volume of individual potentially downward-pulling factors increase.  

The case highlights that legislative reform may be necessary if loss of data in and of itself is to be attributed a value. Until then, mass data claims likely will continue to struggle to get off the ground.

As a firm, we have experience in advising on data breaches and mass claims, and offer an experienced team of legal experts to respond quickly in the face of data or cyber-attacks. Visit our Data Protection and Privacy page to learn more.