Court of Appeal upholds strike out of representative action for misuse of private information
In Prismall v Google UK Ltd & Anor [2024] EWCA Civ 1516 the Court of Appeal upheld the High Court’s decision to strike out a claim for misuse of private information which the claimant had sought to bring as a representative action under CPR 19.8.
A representative action will only be permitted where the group of claimants have the “same interest” in the claim. The Court of Appeal noted that a representative action for the tort of misuse of private information is always going to be “very difficult to bring” since the relevant circumstances will affect whether any particular claimant has a reasonable expectation of privacy, which in turn will affect whether all of the represented claimant class have the necessary “same interest”. This decision comes after the Supreme Court decision in Lloyd v Google LLC [2021] UKSC 50 in which the Court refused to allow a group claim for breach of the Data Protection Act 1998. Together, these decisions mean that a group action for breach of data privacy requirements is unlikely to succeed, although it remains to be seen whether a claim based on the GDPR and the Data Protection Act 2018 could be framed in such a way as to avoid the difficulties in these cases.
Background
Further information about the High Court decision is contained in our earlier post here.
In summary, the claim for misuse of private information was based on the transfer of certain medical records held by a London hospital trust to the second defendant for the purpose of developing and then operating an app to assist in the treatment of acute kidney injury and also potentially for wider commercial purposes. The representative class was 1.6 million people who had presented for treatment at certain hospitals in the relevant period and whose medical records were included in the records collected and stored by the defendants.
To satisfy the “same interest” requirement in CPR 19.8, the claimant had to establish that all of the represented class had a viable claim for misuse of private information, i.e. all could establish a reasonable expectation of privacy in the relevant information which was not outweighed by a countervailing interest of the defendant. In terms of the compensation sought, the claimant limited the claim to damages for loss of control of the private information only, being the irreducible minimum harm suffered by all members of the class. In framing the claim in tort in this way, the claimant sought to avoid the difficulties in Lloyd v Google where the Supreme Court held that claims for breach of the Data Protection Act 1998 could not be brought for mere loss of control of data, but required proof of damage and therefore consideration of the class members’ individual circumstances with the result that the “same interest” requirement could not be met.
In light of the way the claim was framed, the judge concluded that she must proceed on the basis of an irreducible minimum scenario that was common to all members of the class, i.e. a lowest common denominator claimant. On the basis of the minimum scenario, the judge held that the claimant did not have a realistic prospect of establishing a reasonable expectation of privacy for all class members in respect of their relevant medical records, or of crossing the de minimis threshold in relation to such expectation. This was because: very limited information was transferred and stored; although health-related, the information was anodyne; it was already in the public domain; it had been securely stored and not generally accessed and there was no impact other than the loss of control itself. The Judge also concluded that for similar reasons, there was no realistic prospect of more than nominal or trivial damages being awarded for loss of control. The claim was struck out and the claimant appealed.
Court of Appeal judgment
The Court of Appeal upheld the High Court decision.
The claimant argued that, contrary to the view of the High Court, the lowest common denominator claimant did have a real prospect of succeeding in a claim for misuse of private information because all patient-related information generated in the course of a patient and healthcare provider relationship gives rise to a reasonable expectation of privacy.
The Court of Appeal disagreed. The Court noted that the starting point is that there will normally be a reasonable expectation of privacy for any patient identifiable information in medical notes. However, in relation to the tort of misuse of private information this will not always be the end point because the tort involves a threshold of seriousness and everything will depend on the particular circumstances of the individual case. The threshold will not always be satisfied. Further, as the Judge at first instance had noted, patients can choose to make their private information public. If they do so, the fact that the information is public and the manner in which it entered the public domain will form part of the relevant circumstances to be considered in deciding whether there was a reasonable expectation of privacy that met the threshold of seriousness. In such a situation, a claim for misuse of private information would not invariably succeed. As such circumstances had to be taken into account in formulating the irreducible minimum scenario, it could not be said that the claimant class met the “same interest” requirement of a reasonable expectation of privacy.
Key takeaways
Following the Supreme Court decision in Lloyd v Google which blocked the attempt to bring a group claim for breach of the Data Protection Act 1998, claimants looked for alternative ways to frame a data class action. This judgment illustrates the difficulty faced by claimants in bringing a successful representative action for the tort of misuse of private information – if claims are brought on an irreducible minimum basis to satisfy the “same interest” requirement, they will struggle to demonstrate that every class member has a viable claim. Conversely, if individual factors are taken into account to support an expectation of privacy, the “same interest” test will not be met. Either way the claim will fail.