Skip to content
Hendersons - Barristers' Chambers
Articles Group Actions 23rd Dec 2024

Alerter by Thomas Evans – Representative actions for mis-use of private information: “very difficult to bring”

Prismall v Google [2024] EWCA Civ 1516

Click here to download this Alerter by Thomas Evans.

The Court of Appeal has upheld the striking out a representative action for misuse of private information.  The judgment confirms the correct approach to identifying whether all claimants have the necessary ‘same interest’ in order to pursue a representative action.  It highlights the risk that stripping back a claim to its lowest common denominator so as to satisfy the ‘same interest’ requirement may result in the pared down claim having no real prospect of success.  Indeed, the Court of Appeal concluded that “a representative class claim for misuse of private information is always going to be very difficult to bring”.

INTRODUCTION

The Royal Free London NHS Foundation Trust transferred the medical records of 1.6m identifiable patients to Deepmind Technologies Ltd (part of the Google group). The data, which was transferred without explicit consent, was used by Deepmind to develop a machine learning application for assisting in identifying and treating acute kidney injuries.

Supported by litigation funders, one such patient – Andrew Prismall – issued a representative claim on behalf of all 1.6m affected patients, alleging that the transfer, storage and use of their medical records constituted the tort of misuse of private information (MOPI).

To be pursued as a representative action, it was necessary that all 1.6m Claimants shared ‘the same interest’ within the meaning of CPR r19.8(1), and that each claim had a realistic prospect of success.

Adopting the approach taken by the Supreme Court in Lloyd v Google [2021] UKSC 50, the case was pleaded on the basis of the ‘irreducible minimum harm’ common to all Claimants, or the ‘lowest common denominator’. There was no claim for damages for distress, which would have given rise to differences between Claimants.  Instead, the claim was limited to damages for loss of control of personal information on a per capita basis, which, it was said, could be asserted uniformly by all Claimants.

However, therein lay the same tension which was evident in Lloyd v Google. If a representative claim is pleaded on too broad a basis, there is a risk of differences emerging between Claimants, such that they do not genuinely share the same interest.  But if, to overcome this problem, the claim is reduced to its lowest common denominator, the contrary risk can arise, with the claims, when properly analysed, being so narrow that they have no real prospect of success.  This dilemma is perhaps most acutely faced where the representative action procedure is put to “unusual and innovative use[i] in an attempt to mirror, in effect, a class action regime which otherwise does not exist in England and Wales (save in the limited context of competition law).

The Judgment at first Instance

The Defendants’ application came before by Mrs Justice Heather Williams DBE ([2023] EWHC 1169 (KB)) who analysed whether the Claimants all had the same interest.

Difficulties arose in that the facts varied greatly between the 1.6m Claimants. For example, significant volumes of data would have been transferred in respect of some patients (those with acute conditions who attended hospital frequently), but very limited information would have been transferred in respect of others (for example, those who attended A&E only once and left before giving meaningful details or being seen (see [163]).  In addition, others will have placed details of the medical conditions and hospital visits on social media, thus meaning that they may have had no reasonable expectation of privacy (see [135]-[136]).

It therefore appeared that the Claimants did not all have the same interest. In some cases, the Claimants would have had a reasonable expectation of privacy, but not in others.  To try to overcome this problem, two arguments were advanced:

  1. Although the information transferred varied between Claimants, it was all, by its nature, intrinsically private information protected by the tort of MOPI; and
  2. The claim, even if reduced to its lowest common denominator, still had a real prospect of success.
The doctor-patient relationship: always a reasonable expectation of privacy?

The Representative Claimant sought to distinguish, as a subset of medical information, a special category of data generated in the course of the doctor-patient relationship. Such information, it was argued, is private by its very nature (see [77]).  Accordingly, the apparent difficulty created by the fact that different information was transferred in respect of different Claimants was illusory.  It was not necessary to consider the specific facts of each case as the transfer of any medical information from the doctor-patient relationship was sufficient.

The Court rejected this argument ( at [124]-[133]). Information generated within the doctor-patient relationship may be private, but is not necessarily and inherently private.  The tort of MOPI, which derives from the Article 8 right to privacy, arises only when a threshold of seriousness is crossed following an analysis of all the facts.  It does not apply to categories of information per se, and to apply it as such, without an assessment of the facts, would result in liability arising for trivial breaches.  Further, information generated within the doctor-patient relationship may already be in the public domain (where, for example, a patient tweets on the way to hospital that they have fractured their ankle) and it is difficult to see why such information, subsequently generated within the doctor-patient relationship, should be private if it has already been made public.

At the irreducible minimum core, was there a real prospect of success?

As the information transferred in respect of all 1.6m Claimants was not inherently private, it became necessary for the Court to consider whether every Claimant had a reasonable expectation of privacy, notwithstanding the fact that, in each case, different information would have been transferred. The Court approached this task by identifying “the basic circumstances that would apply to each member of the Claimant Class” whilst discounting examples of cases in which “highly personalised and substantial medical information was transferred” (at [121]-[122]).  In essence, the task was to describe the characteristics of the weakest Claimant in the group and to test his or her case.  If that case had a real prospect of success, then so would every case; but if it did not, then the Claimants would not all share the same interest and it would be a case of ‘one out all out’.

The Court considered the witness evidence and identified that the lowest common denominator was that, in outline, each Claimant attended hospital only once, that the information sent to Deepmind did not include information of particular sensitivity, contained only limited demographic information, that no upset or concern was caused, and that the only adverse effect was the fact of the sheer loss of control of the data (at [166]). The Court also assumed that, in the case of the lowest common denominator, the medical records in question would contain information already in the public domain at the time of transfer, as patients would have posted details of their medical history on social media.

The Court ignored the fact some Claimants would have benefitted from the diagnostic and treatment application which was developed, and the 54,000 alerts which it generated (see [54]). Whilst seemingly not determining the point, the Judge accepted that if a cause of action in MOPI existed at a particular point in time, it would not be destroyed by a subsequent event such as improved treatment, albeit that such an outcome would be relevant to any assessment of individual damages (see [167]).

Conclusions at first instance

Having described the case at its irreducible minimum core, the Judge held that not every Claimant had a realistic prospect of establishing a reasonable expectation of privacy in respect of their own medical records or of crossing the de minimis threshold (see [168]). As such, since some claims were bound to fail, the Claimants as a whole did not share the same interest.  Noting the tension between identifying the lowest common denominator and a viable cause of action, the Judge held at [169] that:

“[T]he claim as currently advanced on a global irreducible minimum basis in order to try and meet the “same interest” criterion for a representative action cannot succeed. It cannot be said that every member of the class across the board has a viable claim. Equally, departing from the lowest common denominator scenario and bringing into account individualised factors for the purposes of showing that a reasonable expectation of privacy exists in particular situations would mean that the “same interest” test was not met. Either way the claim is bound to fail.”

Further, the High Court highlighted the fact that some Claimants would have publicised their medical details online as a particular cause of tension between there being an irreducible case common to all Claimants and a sustainable cause of action. At [138]:

“…either the variables inherent in the nature, degree and content of that publicity means that individualised assessment of each claim is required (so that a representative action is not possible), or if the claims are to be advanced on a global, irreducible minimum basis, then that irreducible minimum has to reflect a situation in which the patient identifiable information was already in the public domain in its entirety.”

Similarly, on the basis of the irreducible minimum facts, it was held that even if a cause of action in MOPI could be established, there would be no realistic prospect of each and every Claimant – on the basis of the minimum facts alone – achieving more than nominal damages for loss of control of data (see [175]).

As such, the representative claim had no real prospect of success. The Court considered whether to permit amendments.  However, there was no draft pleading before the court, and the difficulties faced were inherent such that they could not be cured by an amendment (see [181]-[185]).  The claim form and particulars of claim were therefore struck out and permission to appeal was refused.

COURT OF APPEAL

The matter came before the Court of Appeal [2024] EWCA Civ 1516 (Dame Victoria Sharp, Lady Justice Nicola Davies and Lord Justice Dingemans).

The Representative Claimant argued that all 1.6m Claimants had realistic prospect of establishing the tort of MOPI because all patient-related information necessarily gives rise to a reasonable expectation of privacy which is not vitiated by the patient placing details in the public domain.

However, the Court of Appeal disagreed. Whilst the starting point is that there will normally be a reasonable expectation of privacy for any patient identifiable information in medical notes, that is not always the end of the matter.  The information must cross the de minimis threshold and all relevant facts and circumstances must be considered, including whether some of the information has been placed in the public domain.  See [62]-[65].  Indeed, the very concept of a representative action for mis-use of data was questioned at [66]:

“As Lord Leggatt suggested at para 106 in Lloyd v Google when considering why no claim for misuse of private information had been pursued in that representative class, a view may have been taken that to establish a reasonable expectation of privacy, it would be necessary to adduce evidence of facts particular to each individual claimant. We consider that a representative class claim for misuse of private information is always going to be very difficult to bring. This is because relevant circumstances will affect whether there is a reasonable expectation of privacy for any particular claimant, which will itself affect whether all of the represented class have “the same interest”.”

The Representative Claimant also argued that the High Court was wrong when describing the ‘lowest common denominator’ scenario as being one in which the transferred data was “very generalised or [contained] no specific reference to the medical condition that had prompted the attendance”. A new argument was advanced, based on the definition of “data concerning health” in section 205(1) of the Data Protection Act 2018.

However, this did not assist. The very definition of the class set out in the claim form encompassed patients “whose medical records (whether partial or complete) were included in the approximately 1.6 million patient records” transferred to Deepmind.  As such, they necessarily included those who records consisted of generalised data insufficient to establish a reasonable expectation of privacy (see [71]-[74]).

Further, the Representative Claimant argued that the High Court was wrong in finding that a characteristic relevant to the identification of the lowest common denominator was whether or not the loss of data had caused upset.

The Judge at first instance had proceeded on the basis that the lowest common denominator scenario was one in which no such concern or distress had been caused. As pointed out by the Court of Appeal (at [78]), if distress had been a relevant factor, that alone would have caused the representative class to fail because it would have required individualised assessment of damages and a bifurcated process had not been proposed.

Finally, the Court of Appeal considered the refusal to permit an opportunity to amend the Particulars of Claim in order to cure the defects in the action. However, on this ground too, the Court of Appeal upheld the decision of the High Court.  Not only was it a case management decision reached in circumstances in which no proposed amendments had been drafted, but ultimately the amendments formulated for the Court of Appeal did not address the underlying problem of a Claimant having published relevant information on social media (see [80]-[83]).

CONCLUSIONS

This case highlights once again the inherent difficulties of pursuing claims for alleged data breach as representative actions: the need to reduce claims to their lowest common denominator results in claims lacking a realistic prospect of success.

 

Thomas Evans
23 December 2024

This alerter is available to download as a PDF below. 


[i] Lloyd v Google [2019] EWCA Civ 1599 at [7]


To subscribe to Henderson Chambers news, alerters and updates please click here


Download Alerter by Thomas Evans - Representative actions for mis-use of private information

Barristers

Related Areas

Would you like to know more?

If you require help or advice please contact our clerking team

Call - +44 (0)20 7583 9020
or email our clerks

Shortlist close
Title Type CV

Remove All

Download


Click here to email this list.