Data Breach & Cybercrime

Kingsley Hayes discusses the class action data privacy implications of Prismall v Google in Law360

Partner Kingsley Hayes discusses in Law360 the High Court’s judgment in the Prismall v. Google case and its future implications for data privacy group litigation.

Kingsley’s article was published in Law360, 27 June 2023, and can be found here.

Introduction

On 19 May 2023, judgment was handed down in Prismall v Google UK Limited and DeepMind Technologies Limited (“Prismall”). 1 Whilst, at first instance, the big tech sector (and their legal representatives) may have revelled in the moment of the judgment being handed down, the decision does not spell the end for collective actions in the data privacy sphere. The decision raises issues that litigators may be faced with in the near future and underlines the need for a diligent approach in determining how best to progress claims with many proposed claimants, but the key takeaway is that this decision is very much specific to the facts in the case. There exists a high bar for bringing collective actions on an opt-out basis in England and Wales, especially in the data privacy area, and Prismall should serve as a reminder of this, but that does not mean it is not possible, or indeed suitable, so long as the case is right.

Background

Andrew Prismall brought a representative claim on behalf of, approximately, 1.6 million people (“the Class”) against Google UK Limited (“Google”) and DeepMind Technologies Limited (“DeepMind”), which is part of the Google group of companies. The origin of the claim dates back to 2016, when certain patient-identifiable information held by the Royal Free London NHS Foundation Trust and its predecessors (“Royal Free”) was transferred to DeepMind as part of an app development project without the patients’ knowledge or consent.

The transfer included: (a) a one-off transfer of historical data in October 2015; and (ii) a live data feed established around the same time for subsequent medical records. The transfers of data were performed pursuant to an Information Sharing Agreement (“the Agreement”) that had been executed by Royal Free and Google. The Agreement was considered necessary because of DeepMind’s involvement in the development of the “Streams” application which was being designed to assist clinicians to identify and treat acute kidney injury. Streams was functional and operational in February 2017, and Andrew Prismall’s claim concerned the use of patient data before this date. As summarised by Judge Heather Williams, the complaint related to:

(i) obtaining patient-identifiable medical records in a context where they had a contractual entitlement to use them for purposes wider than direct patient care and/or wider than the Royal Free’s Streams project;
(ii) storing the medical records in such circumstances prior to Streams becoming operational;
(iii) using the medical records in the research and development of the Streams app; and/or
(iv) developing and/or proving their general capabilities by use of the medical records with a view to enhancing their future commercial prospects.

Rather than claiming pursuant to data protection legislation, Andrew Prismall sought to obtain damages the Class by claiming for loss of control damages under the common law tort of misuse of private information (“MPI”), which some perceived to be a method of circumventing the implications of the Supreme Court’s judgment in Lloyd v Google LLC 3 (“Lloyd”).

The claim form and particulars of claim were struck out and Williams J entered summary judgment for the Defendants, thereby putting an end to the only live attempt in England and Wales for an opt-out class action claim in the data privacy sphere.

Implications

There are two important observations that can be made about the wider implications of the decision. First, the decision illustrates the high bar that exists in order to bring a successful action under Civil Procedure Rules (“CPR”) r.19.8(1). The majority of practitioners are not blind to this; the Court of Appeal’s decision in Jalla v Shell International Trading and Shipping Co Ltd 4 set out the need for careful evaluation of the “same interest” criterion. However, it must be remembered that this is not the only procedural mechanism that allows for collective action in the UK.

On that basis, the decision must not be viewed as the “final nail in the coffin” for collective, nor even representative, actions in the data privacy sphere. It should not come as a surprise to any lawyer practicing in this area that an attempt to pursue a representative action would likely fail where the circumstances of the Class are so varied; that very issue runs contrary to the “same interest” requirement. Moreover, Williams J made it clear that if some members of the proposed claimant class are unable to establish a constitutive element of the tort in MPI, then the claim will fail. 5 That is to say, representative actions seeking damages in respect of MPI will only be permissible where all members of the proposed claimant class can satisfy every element of the tort in MPI.

Secondly, litigators will be faced with a very important choice: Should the proposed claimants rely on the tort in misuse of private information or breach of data protection legislation, or even both, when seeking to bring a representative action? Andrew Prismall originally brought the claim seeking damages in respect of breaches of data protection legislation. However, this was abandoned after Lloyd, on the basis that the Supreme Court confirmed that claimants could not recover “loss of control” damages in respect of breaches of data protection legislation. Misuse of private information, on the other hand, does allow potential claimants to claim for “loss of control” damages (i.e., material loss need not be proved). While this appears to be of significant benefit to potential claimants, it does not mean that a claim in misuse of private information is not without significant hurdles.

Williams J commented, at length, on the difficulties of bringing a representative action in misuse of private information. Saliently, with the need for the represented claimant to establish that each individual member of the class had a reasonable expectation of privacy (one of the fundamental elements in an MPI claim), it is often advocated the most pragmatic way of doing so is by setting an “irreducible minimum” threshold. In claims for MPI, this means that the court will need to consider all the proposed claimants’ respective positions, which may mean that some members do not meet the threshold.

Essentially, this means that some of those proposed claimants would not meet the “same interest” criterion; Williams J recognised the “many variables [that] exist between members of the [Class]”. Notwithstanding, this does not mean representative actions in MPI are not viable. The requirements of the tort of misuse of private information are well established and the facts and features of those requirements clearly did not exist in this case. There is a clear and unequivocal analysis of the actual substance of the information at hand in this case and considerable weight is given to the fact that the information used by Google and DeepMind was not information over which the representative claimant, or the Class, had a realistic expectation of privacy. The decision in this case is very much specific to its facts.

Future litigation involving data privacy

A steady stream of judicial decisions since 2021 has certainly raised the bar in terms of what is required to bring a successful data privacy claim – whether that be on an individual or group/collective basis. Lloyd certainly deterred a number of claimants and their representatives from bringing mass actions against wrongdoers and Prismall will likely have a similar effect, too. However, claimants and their representatives have not been easily deterred thus far, and it is unlikely that they will begin now. Claimants and their representatives showed their innovative side post-Lloyd, as they became more creative in attempts to obtain suitable remedies. Prismall does not preclude data privacy cases being brought by way of a representative action. If the requisite criteria are met and it will save cost and court time, there is no reason why claimants and their representatives should not consider using the procedure set out in CPR r.19.8(1).

Maltin PR

Recent Posts

KP Law Highly Commended at the Modern Law Awards 2024

We are very pleased to share that KP Law has been Highly Commended at the… Read More

10 months ago

Keller Postman UK merges with Lanier, Longstaff, Hedar & Roberts to form specialist collective redress law firm KP Law Limited

Today Keller Postman UK Limited and Lanier, Longstaff, Hedar & Roberts LLP announce their merger… Read More

10 months ago

What is group litigation?

Group litigation, also known as class action or group legal action, is a process where… Read More

11 months ago

What’s been happening in January 2024?

What’s been happening in January 2024? In our regular monthly update, we share the latest… Read More

11 months ago

What is talcum powder cancer?

What is talcum powder cancer? Here, we explain what talcum powder cancer refers to and… Read More

11 months ago

Lucy Burrows comments on 23andMe’s response to its data breach in ITPro

Associate Lucy Burrows provides insight on the 23andMe data breach and highlights the danger of… Read More

12 months ago