Is this the end of the road for data privacy class actions in the UK?
In Andrew Prismall v Google UK Limited and Deepmind Technologies Limited and LCM Funding UK Limited  EWHC 1169 (KB), Mrs Justice Heather Williams DBE granted an application to strike out and for summary judgment in the misuse of private information claim on the basis that the representative claim had no prospect of succeeding.
The future of representative actions for data privacy claims in England has been uncertain since the judgment of Lloyd (Respondent) v Google LLC (Appellant)  UKSC 50 in 2021, with many such claims for breaches of data protection legislation being discontinued. The Prismall v Google judgment is the most recent decision highlighting the difficulties for claimants seeking to bring 'opt out' claims in relation to privacy through a representative action under CPR 19.8 (previously 19.6).
This article looks at the case and asks what next for class actions in the UK.
Key take-away issues
- Following the Supreme Court judgment in Lloyd v Google, the court struck out an opt-out claim brought by Mr Prismall against Google on behalf of approximately 1.6 million patients of the Royal Free London NHS Foundation Trust
- The court found that the "same interest" test could only be met when the claims were assessed on a "lowest common denominator" approach and, in doing so, held that it would not be possibly for every member of the class to demonstrate that they had a viable claim for more than trivial damages
- The existence of a defence which applies only to some members of a class does not preclude the same interest test from being met, provided there is no conflict of interest within the class
- Despite these recent judgments striking out CPR 19.8 representative actions, and the discontinuance of other such privacy claims (for example, claims against YouTube and Tik Tok), group litigation continues apace in the English Courts and shows no sign of abating in part fuelled by the ever-growing litigation funding market.
PRISMALL V GOOGLE
Royal Free London NHS Foundation Trust transferred certain patientidentifiable medical records to DeepMind (part of the Google group of companies) in connection with DeepMind's development and operation of an app known as Streams; a clinical system designed to assist clinicians at the Royal Free to identify and treat patients potentially suffering from acute kidney injury.
A one-off transfer of historical data took place in October 2015 and a live data feed was established at around the same time in respect of subsequent medical records. The nature of the data varied considerably and, in some cases, only the person's name and a partial address would have been included in the data transferred, with a very generalised or no specific reference to the medical treatment that had prompted their attendance at the hospital.
Mr Prismall sought to bring a claim on behalf of approximately 1.6 million individuals alleging that the transfer and use of the data in Streams without specific patient consent was a misuse of their private information (MOPI). He claimed damages for loss of control of that data. Mr Prismall had initially brought a representative claim in relation to the same events and same claimant group which sought damages for breach of data protection legislation. Following the Supreme Court decision in Lloyd v Google, he discontinued this action and brought the claim in relation to MOPI.
In bringing the application for strike-out/summary judgment, Google argued that not all members of the class would have the "same interest" in the litigation within the meaning of CPR 19.8, as their circumstances were so varied, such that Mr Prismall had no real prospect of establishing that the tort of MOPI had been committed against all members of the class. Google further argued that a "lowest common denominator" approach (i.e. that compensation should be calculated by reference to the irreducible minimum harm suffered by all members of the class), if adopted, would not assist as it could not be said of all individuals in the claimant group that they had a viable claim for more than trivial damages.
Mr Prismall argued that the "same interest" test was met, as despite the varied circumstances (and the fact there may be a defence to some of the claims), there was no conflict of interest between the members of the class. He acknowledged that recovery of individualised damages could not be pursued as a representative action, and therefore advanced the claim on the basis of the "lowest common denominator" approach, arguing that all of the class had a claim for non-trivial damages.
Mrs Justice Williams DBE ruled that the claim should be struck out and summary judgment entered for Google on the basis that:
- There was a minimum severity threshold that applied to claims based on MOPI, and the mere fact that the data included medical data did not mean every claim would pass that minimum level. Further, some individuals within the class had put information about their medical treatment into the public domain themselves
- The members of the class must have the "same interest" as the representative bringing the claim. The claimants pursued their claim on the basis of the "irreducible minimum harm" suffered by every member of the class, or the "lowest common denominator". The court therefore had to assess a claim in which very limited information was transferred and stored; although health-related, the information was anodyne in nature; the information was held securely and not accessed by anyone during the storage period; some of the information was already in the public domain; and there was no impact on the claimants other than a loss of control over their information. The members of the class did not all have a realistic prospect of establishing a reasonable expectation of privacy in respect of their relevant medical records
- Any damages would be trivial – when approaching matters on a lowest common denominator basis, it could not be said that any member of the class had a viable claim for an entitlement to more than trivial damages.
- There was no other compelling reason to allow the claim to progress.
The judge said the difficulties she had identified in this claim were "inherent in bringing a representative action in MOPI in this particular context". For this reason, she did not permit Mr Prismall the opportunity to amend his claim.
Following Lloyd v Google (which had considered the availability of representative actions under the Data Protection Act 1998, the predecessor to the UK GDPR), Mrs Justice Williams DBE found that if an individualised assessment of damages is required in relation to members of the proposed class, this would preclude a representative action from seeking damages on behalf of that class. However, she did not accept Google's submission that loss of control damages would inevitably involve an individualised assessment and instead considered whether the class as a whole had a more than de minimis claim for loss of control damages. Ultimately, she held that reducing the claim to the basic common facts or only to damages for loss of control would reduce the amount claimed to a trivial amount, and thus struck out the claim.
Misuse of Private Information
The judge recognised the individualised nature of claims for MOPI (which often require detailed consideration of the complained of information and whether privacy could reasonably be expected). In her view, by removing these more individualised factors and reducing the claim to the lowest common denominators applying to the whole class, there was no realistic prospect of the large class crossing the de minimis threshold for the MOPI claim.
Same Interest / Different Defences
The judge reiterated that parties in a representative action must have the "same interest". A representative cannot advance arguments on behalf of some class members which would prejudice other members of the class. However, she took the view that the existence of a defence which applies to some members of a class (including a limitation defence) does not preclude the same interest test from being met, provided there is no conflict of interest. This point was not determinative in Prismall. However, it is still notable as it appears to draw an artificial distinction between the facts required to establish the ingredients of the claim, and any available defences to that claim. Both, of course, may require individualised assessment or enquiry, in which case CPR 19.8 would not be appropriate.
WHAT NEXT FOR GROUP ACTIONS?
This is yet another blow for those seeking to bring or fund mass data claims in the English courts, following the Lloyd v Google decision.
Following Lloyd v Google and Prismall v Google, it is now clear that any claimant wishing to bring a representative action must either show that the damages suffered by all members of the class, on a lowest common denominator basis, are more than trivial, or the claim must be brought on a bifurcated basis. This would mean that common issues of fact and law could be determined through a representative claim, with the issues requiring individualised assessment (including damages) being dealt with at a subsequent stage. This tends to be practically difficult for economic reasons – success in the first stage would not lead to any financial return for those individuals or entities funding the litigation, and neither Mr Lloyd nor Mr Prismall proposed bifurcated approaches.
The door still remains open for damages to be claimed in some forms of representative actions, with the judge in Prismall reiterating the examples given by Lord Leggatt in Lloyd – if, for example, every member of the class had been wrongly charged the same fixed fee, or had acquired the same product with the same defect, reducing its value by the same amount. Many had thought, post Lloyd v Google, that claims involving medical or biometric data, which is inherently more sensitive, might have a better prospect of proceeding as representative actions. The general nature of the data in issue in Prismall may have hindered this claim. Now, potential claimants will have to show that the data and facts in issue mean that the class as a whole has a more than de minimis claim for loss of control damages. That is most likely where the data is sensitive and/or where there has been more egregious misuse.
However, those wishing to bring mass data actions may seek to turn to the other procedural methods for group actions within English law: group litigation orders or GLOs (an opt-in mechanism under CPR 19.11), the Competition Appeals Tribunal collective proceedings regime (for anti-trust claims), and managed litigation.
That said, these methods present their own challenges for mass data actions. For example, in Bennett & others v Equifax Ltd  EWHC 1487 (QB), the claimants were unsuccessful in seeking a GLO in June 2022 in respect of their data breach claim, with Senior Master Fontaine deferring the decision to a later CMC. The parties were before the court again this month seeking an order for a preliminary issues trial, rather than a GLO (judgment in relation to this has been reserved).
More generally, group litigation continues apace in the English Courts and shows no sign of abating, in part fuelled by the ever-growing litigation funding market.
Further, companies with a presence in Europe may face increasing mass litigation within the European Member States as the Representative Action Directive (the RAD) is implemented into national legislature. The RAD came into force in December 2020 and member states had two years to transpose it into their national legislation. A number of European countries have welldeveloped class action regimes (in particular the Netherlands) but many member states did not meet the deadline by which the RAD should have been transposed into their legislation, and the European Commission has begun infringement proceedings. It remains to be seen how many states will implement an opt-out class action mechanism.
In the context of data claims, the CJEU in case C-300/21 "Austrian Post" has recently clarified that an act of infringement of the GDPR does not automatically give rise to a right of compensation, and claimants must show a causal link to the breach of the GDPR and actual damage. Procedurally, it is for the courts of member states to determine the criteria for damages in such cases. So at least in Europe, there may be further road to travel in data litigation.