If Lloyd v. Google closed one door for data protection class actions, Prismall v. Google and DeepMind has left another faintly ajar. Whether a suitable claim exists that could fit the narrow gap is another matter.
The decision follows another recent case in which the court gave a wider interpretation to the test for a representative claim. The case law in this area will be closely watched as part of a wider trend in group actions, ranging from environmental mass tort claims to consumer claims and ClientEarth's climate change-related derivative action against Shell's directors, alongside a variety of data privacy claims.
The dispute in this case related to a collaboration between DeepMind, the artificial intelligence laboratory owned by Google, and the Royal Free London NHS Foundation. The NHS Trust gave DeepMind access to a substantial amount of patient records, for the purpose of developing a clinical system to help the Trust's doctors identify and treat patients with acute kidney injuries.
Mr Prismall brought proceedings as a representative claimant on behalf of approximately 1.6 million people, under the tort of misuse of private information. The essence of that tort is that the defendant has wrongfully interfered with information to which the claimant had a reasonable expectation of privacy. In the present case, Mr Prismall alleged that Google and DeepMind had done so by obtaining and using their patient records for purposes other than their direct treatment.
To bring a claim under the representative action mechanism (CPR 19.6), a claimant needs to show that the proposed class of claimants has the '"same interest'". In the recent case of Commission Recovery v. Marks & Clerk, the court confirmed that this test could be satisfied even if there were some differences between the claimants' positions, so long as their interests were not in conflict.
In that case, there existed a common set of facts on which breach could be judged, and a ready method for quantifying damages without the need to assess individual circumstances. In other cases, the nature of the alleged breach and damages available will differ depending on the specific facts for each claimant. For a large class of relatively low- value claims, the need to consider each claimant separately can render the litigation uneconomic.
Lowest common denominator
This was at the heart of Lloyd v. Google, which was framed as a breach of data protection legislation rather than in the tort of misuse of private information but faced similar hurdles. In that case, the claimants attempted to pursue a claim based on the minimum harm that would have been done to a person who fell within the prospective class of claimants. The Supreme Court was prepared in principle to proceed on this '"lowest common denominator'" method, but found that on the facts, the minimum harm caused would fall below the threshold needed to establish an entitlement to damages.
The claimant also attempted to pursue the lowest common denominator method in Prismall, but although the facts and basis of claim were different, the claim failed for similar reasons. The judge found that a reasonable expectation of privacy did not arise in every instance involving patient records. There was a spectrum, with '"minor or anodyne'" material, particularly that already in the public domain (for example because the patient has tweeted about the injury sustained) falling below a required threshold of seriousness. Wrongful interference also depended on factors such as whether the records were being used for the treatment of the relevant patient.
Since the claim was advanced on a '"global irreducible basis'", the court had to consider each element of the tort at the lowest end of the spectrum: a patient who had only visited the hospital once, in relation to a condition that was not sensitive, with only limited information collected, which was in the public domain and was used to treat the patient. The judge found that this hypothetical patient would not have a reasonable expectation of privacy and their information would not have been wrongfully interfered with.
In Lloyd v. Google and the cases that have followed, the courts have expressly allowed for the possibility of representative actions in claims such as this, including potentially on an opt-out basis. The claimant's dilemma is that the only way to avoid having to assess the facts for each individual is to proceed on a lowest common denominator basis. But as this case illustrates, this can leave a weak claim that is not enough to satisfy the requirements for a claim either for misuse of private information or for breach of data protection legislation. One solution could be to define the class of claimants more restrictively, but this would reduce the size of the potential claim (and payout for funders and claimant lawyers).
It remains to be seen whether and when a claim will be brought that can tread this tightrope and set a precedent for opt-out privacy or data breach claims. What is clear is that the case law and the industry for group claims are developing rapidly across a range of fields, representing a significant risk for corporates.