While not much has changed on the data privacy representative action front since the Lloyd v Google judgement from 2021, an English High Court decision from 2023 has shown that representative actions are unlikely to operate as a suitable vehicle for 'misuse of private information' claims. In Andrew Prismall v Google and DeepMind Technologies, the English High Court determined that a representative (opt-out) claim for misuse of private information was effectively the same as a representative claim for data protection breach. The case was therefore assessed in the same light as Lloyd v Google and subsequently struck out.

In this blog, we look at the High Court's decision and consider what it means for data breach class actions.

Background

The case involved an action brought against Google and its subsidiary, DeepMind Technologies, by Andrew Prismall on behalf of 1.6 million hospital patients who claimed damages due to a loss of control over their patient data following the transfer of the data from the hospital to Google in 2015. The transfer related to the provision of an app development project by DeepMind which was intended to be used by the hospital to help doctors automatically identify patients that may be suffering from kidney injuries.

Mr Prismall raised his claim under the English common law tort of misuse of private information. Mr Prismall argued that the receipt and use of patients' medical data without their explicit consent resulted in a loss of control of private information and a violation of their reasonable expectation of privacy. The transfer was described by Mr Prismall as a misuse of patient data and was framed as being a claim for the 'misuse of private information' as opposed to a claim for the breach of the patients' rights under data protection law.

With reference to Gulati v MGN Ltd, Mr Prismall argued that the circumstances warranted compensation and that all members of the class had lost control of their private information, at least to some extent, during the transfer. Google argued that the variations between class members' experiences made it impossible to establish misuse of private information for the whole class. Countering, Mr Prismall's position was that compensation could and should be calculated based on a minimum shared harm, being the lowest common denominator shared by all class members, constituting the 'same interest' needed to bring a representative action.

The decision

In its assessment of Mr Prismall's claim, the court emphasised the need for all class members to share a realistic prospect of establishing a reasonable expectation of privacy, as well as the need to show that the impact was not insignificant. On the lowest common denominator argument, the court considered, in a hypothetical scenario, what the lowest common denominator might look like among patients, and determined that it might not cross the de minimis threshold. For example, there may have been patients that had one single appointment with no significant or sensitive information shared.

The court also found that taking the lowest common denominator approach would suggest that no member of the claimant class could be said to have a reasonable expectation of privacy because the lowest common denominator may be that the patient information contained limited information that could be regarded as having been made public.

Based on these points, the representative action fell because not all class members had experienced the same harm in respect of infringements of their privacy, and individualised assessments of damages would be needed.

Our comments

This case shows the continued difficulty that data subjects will face in attempting to establish a mass data breach action under English law, regardless of how they frame it. Mr Prismall's unsuccessful attempt at bypassing the Lloyd v Google decision, which effectively prevents representative actions for breach of data protection law without proof of actual loss, demonstrates that misuse of private information claims are not an alternative route to mass data breach actions.

From an analytical perspective, we see how easily a claim can fall apart when individualised factors and harm assessments are essential to the core of the claim, but the claim is assessed through a collective lens. That is because, at their core, some claims are better suited to assessment on an individual basis.

With Prismall demonstrating the limitations of raising a representative data breach action based on the misuse of private information, litigators are yet to determine the most effective approach to pursuing collective data breach actions.

Contributors

Martin Sloan

Partner

Ussamah Nasar

Solicitor

Rachel Lawson

Associate

Craig Watt

Partner & Solicitor Advocate