Data class actions: An alternative basis for an opt-out representative action failed
Prismall v Google UK Ltd & Anor [2023] EWHC 1169 (KB) was a further attempt to bring a group action for breaches of data privacy requirements. Following the high profile Supreme Court decision in Lloyd v Google LLC [2021] UKSC 50 which held that a claim for breach of the Data Protection Act 1998 could not be brought as an “opt-out” representative action, the claimant sought to bring a tort claim for misuse of private information as a representative action. The claim was struck out. The judgment illustrates the challenges that will be faced by claimants in bringing these group actions successfully.
Representative actions
Under CPR 19.8, a representative claimant can bring a claim on behalf of the represented class if they all have the “same interest” in the claim. This requirement ensures the representative claim can sensibly resolve the issues in dispute and there are no conflicts of interest between class members. Representative actions can be a useful tool, for example where there are a large number of potential claimants who have each suffered modest losses and so there may be little incentive for claimants to ‘opt-in’ and participate directly in the litigation.
The challenge with using CPR 19.8 in a claim for damages is that it is usually necessary to assess each claimant’s individual losses which will of course differ and therefore claimants will not have the required “same interest”. The claimant in Lloyd v Google sought to avoid this difficulty by limiting the claim to uniform per capita damages for loss of control of their data, i.e. a lowest common denominator basis which sought to compensate the irreducible minimum harm suffered by every member of the class. The principal reason the Supreme Court rejected this approach was because damage under the Data Protection Act 1998 is limited to material damage (e.g. financial loss, physical injury etc) rather than mere loss of control of data.
In the current case, the claimant framed the claim in the tort of misuse of private information because it is well established that damages for the tort can include compensation for the loss of control of data. It therefore had potential to satisfy the “same interest” requirement for a representative action.
Background
The claim concerned the transfer of certain medical records held by a London hospital trust to the second defendant for the purpose of developing and then operating an app called ‘Streams’ and also potentially for wider commercial purposes. The app was intended to assist doctors to identify and treat patients suffering from acute kidney injury. The alleged misuse by the defendants consisted of them obtaining and storing patient-identifiable medical records for purposes wider than direct patient care without the patients’ knowledge or consent. The representative class was 1.6 million people who had presented for treatment at certain hospitals in the relevant period and whose medical records were included in the records collected and stored by the defendants.
To satisfy the “same interest” requirement, the claimant first had to establish that all of the represented class had a viable claim for misuse of private information, i.e. all could establish a reasonable expectation of privacy in the relevant information which was not outweighed by a countervailing interest of the defendant. A reasonable expectation of privacy is an objective test, based on the expectation of a reasonable person of ordinary sensibilities placed in the same position as the claimant and faced with the same publicity. All the circumstances of the case are taken into account.
Secondly, in terms of the damages claimed, in order to meet the “same interest” requirement, the claimant limited the damages claim to loss of control damages only, being the irreducible minimum harm suffered by all members of the class. If a class member wished to claim additional damages based on their own circumstances, they would need to opt out of the group action and bring a separate claim.
The defendants applied to strike out the claim and/or for summary judgment on the basis that the claimant could not establish that all of the represented class had a viable claim, and that even on the “lowest common denominator” approach to damages, the class did not have a viable claim for more than trivial damages.
Court’s decision
In light of the way the claim was framed, the judge concluded that she must proceed on the basis of an irreducible minimum scenario that was common to all members of the class. This assumed, for example, only one attendance at the hospital, limited information was included in the data transferred, information relating to the hospital attendance was already in the public domain (e.g. because the attendee posted the information on social media), and the data was transferred and stored securely for up to 12 months. On the basis of the minimum scenario, the judge held that the claimant did not have a realistic prospect of establishing a reasonable expectation of privacy for all class members in respect of their relevant medical records, or of crossing the de minimis threshold in relation to such expectation. This was, in particular, because: very limited information was transferred and stored; although health-related, the information was anodyne; it was already in the public domain; it had been securely stored and not generally accessed and there was no impact other than the loss of control itself.
The Judge also concluded that for similar reasons, there was no realistic prospect of more than nominal or trivial damages being awarded for loss of control.
The claim was struck out.
Key takeaways
These claims are of interest and concern to organisations that hold and process personal data, including those that use technology to develop new products and rely on data to build and test the product. If a group action for breach of data protection and privacy requirements can be brought successfully, the risk of a large damages award increases significantly: the likely number of claimants increases and the claims become attractive to litigation funders. However, this judgment illustrates the difficulty faced by claimants in bringing a successful group claim for misuse of private information – if claims are brought on an irreducible minimum basis to satisfy the “same interest” requirement, they will struggle to demonstrate that every class member has a viable claim. Conversely, if individual factors are taken into account to support an expectation of privacy, the “same interest” test will not be met. Either way the claim will fail. This difficulty is likely to apply to other attempts to bring a representative action for misuse of private information.