Clifford Chance

The English Court of Appeal has dismissed an application to reinstate a representative action under CPR 19.8 alleging the tort of misuse of private information ("MOPI"), reaffirming the challenges of pursuing class action claims in the realm of data privacy.

In December, 2024, the Court of Appeal delivered its highly anticipated judgment in Prismall v Google and DeepMind [2024] EWCA Civ 1516. The case centred on allegations that the defendants unlawfully collected, stored and processed patient-identifiable medical records, amounting to a misuse of private information. The claim was brought on behalf of an estimated 1.6 million claimants.

For more background and details about the facts of the case, refer to our previous briefing and blog post.

Prospects of success of the "lowest common denominator" claimant

The appeal primarily focused on the prospects of success of the (hypothetical) "lowest common denominator" claimant, who would serve as the benchmark for damages across the entire claimant class.

A MOPI claim typically requires an individualised assessment to determine whether a claimant had a reasonable expectation of privacy and whether that expectation was outweighed by a countervailing interest of the defendant.

However, both parties agreed that an individualised assessment of the elements of MOPI was impractical and unsuitable for a class action. Accordingly, consistent with the approach in Lloyd v Google [2021] UKSC 50, it was accepted by the parties that liability would need to be evaluated by reference to the lowest common denominator claimant's claim – essentially, the person within the claimant class whose claim represents the "irreducible minimum scenario", or the least harm/loss suffered.

The Court of Appeal agreed with the lower court's assessment that the lowest common denominator claimant's claim was unlikely to succeed on the basis that the data pertaining to that claimant was either too trivial to cause harm or was already in the public domain (e.g. via newspaper publications or social media), thus negating the expectation of privacy. Consequently, the lowest common denominator claimant's claim, and therefore the entire claimant class, was unlikely to succeed (or at best achieve only nominal damages).

The public domain issue

It is notable that the court criticised Google's reliance, in support of its strike-out application, on the altruistic behaviour of two patients who had shared details of their treatment in the newspapers in support of public health campaigns. The court described this strategy as "not an attractive one" which highlights the difficulties of "coming at justice in a digital case involving numerous potential claimants."

However, the court also clarified that the publication of certain patient-identifiable information does not preclude a claim from arising in respect of other categories of patient-identifiable information for which the claimant might retain a reasonable expectation of privacy. This suggests that the framing of the class and the claim significantly impacts the viability of such actions.

CPR 19.8 "same interest" requirement

The Court of Appeal emphasised that for opt-out claims, the "same interest" requirement under CPR 19.8(1) means that each member of the class must have a realistic prospect of establishing MOPI. It noted that "a representative class claim for misuse of private information is always going to be very difficult to bring. This is because the relevant circumstances will affect whether there is a reasonable expectation of privacy for any particular claimant, which will itself affect whether all of the represented class have "the same interest"".

In relation to medical records, the court stated that the starting point is that such data commands an expectation of privacy. However, it added that this expectation does not automatically extend to every medical note. The specific circumstances of each claimant will influence whether there is a reasonable expectation of privacy for that individual. Consequently, it cannot be stated that all members of the class share the "same interest".

The court acknowledged that some claimants within the class were likely to have valid claims and that "such claims might be brought and might succeed" if pursued individually. However, the issue before the court was not about the prospects of success of individual claimants, but whether the claim had a realistic prospect of succeeding as a representative action.

Implications for Class Action Litigation

The Court of Appeal's judgment in Prismall v Google underscores the procedural challenges inherent in UK class action litigation, particularly in the context of data privacy claims. The English courts have now rejected data privacy group actions under the statutory route (Lloyd v Google) and tort law (Prismall v Google) on similar procedural grounds.

It is important to emphasise that the Prismall decision was not about the merits of individual claims in relation to patients whose medical records were transferred by the Royal Free Trust to Google and DeepMind. Indeed, a number of claimants within the class might have successfully pursued individual claims. The core difficulty in this case was the formulation of the class and the procedural form of the claim as an opt-out group action, requiring all claimant's to share the "same interest".

The judgment highlights the difficulties associated with representative actions for MOPI. The Court of Appeal noted that a representative claim for MOPI is inherently challenging due to the diverse circumstances affecting whether there is a reasonable expectation of privacy for any particular claimant. This difficulty is compounded by the need to assess the claim based on the "lowest common denominator" claimant, whose circumstances may not reflect those of the broader claimant class.

Despite these challenges, the Court of Appeal alluded to the possibility that the case might have proceeded to trial if certain procedural aspects had been handled differently, such as defining the claimant class more narrowly or proposing a bifurcated trial. However, having already withdrawn and reissued his claim once, Mr Prismall was not permitted a third attempt to formulate his claim.

Against that backdrop, future claimants seeking redress for data privacy violations on a collective basis may seek instead to use the procedural mechanism of Group Litigation Orders, as they allow for a more tailored assessment of each claimant's circumstances. But, being an opt-out mechanism, they also require the identification of each prospective claimant (rather than the class – as for opt-in representative actions), making them less attractive to litigation funders. We may also see claimants seek to re-position their claims for damages to assume a minimum value attributed by all class members to their right to control their personal information, characterised as user damages, as opposed to loss of control damages. User damages are compensatory damages based on a fee that would have reasonably been agreed by the claimant to allow the defendant to use their data.

In any event, this is unlikely to be the last attempt to use the representative action procedure, or to bring a data privacy claim in relation to use of medical data. 

Notably, the UK Government has just announced the creation of a National Data Library for building artificial intelligence models, as part of its AI action plan. The library will comprise state-controlled data with at least five “high-impact” public datasets being compiled. The prime minister, Keir Starmer, has indicated that patient data from the National Health Service could be one of the data sets. See our briefing here for more detail.