Building upon the previous English High Court judgment, the Court of Appeal in Prismall v Google UK Ltd and DeepMind Technologies Ltd, has reinforced the challenges claimants face when seeking to bring representative (opt-out) actions for misuse of private information. In this blog, we build on our previous analysis of the High Court's decision, now examining the Court of Appeal's ruling and its implications for the future of data breach class actions.

Recap of the Case

As we set out in our previous blog, the claim was initially brought by Richard Prismall against Google UK Ltd and its subsidiary company, DeepMind Technologies Ltd on behalf of approximately 1.6 million patients. The claim stemmed from allegations that the defendants unlawfully processed personal health data through a partnership with the Royal Free London NHS Foundation Trust. Mr Prismall sought to pursue an “opt-out” representative action on the ground of misuse of private information. At the heart of the claim was the assertion that the defendants failed to secure adequate consent or lawful justification for the data processing, thereby infringing the rights of all affected individuals making up the group.

At first instance, the High Court threw out the claim, as it emphasised the need for all class members to share a realistic prospect of establishing a reasonable expectation of privacy and showing that the impact was not insignificant.

The Court of Appeal’s Decision

The Court of Appeal has upheld the High Court’s decision to dismiss the representative action, principally because of the failure to establish that the "lowest common denominator claimant has a real prospect of succeeding in a claim for misuse of private information".

While there is usually an overall reasonable expectation of privacy in medical information, there is a "threshold of seriousness" which must be overcome. The Court said that a number of different factors would need to be taken into account to determine if that threshold was met for example information considered trivial or already in the public domain might not warrant privacy protection.

It was therefore not possible to establish the tort of misuse of private information because it had not been shown that all of the group had "the same interest". Variations in the sensitivity of the data and the circumstances of its disclosure meant that the claims lacked the uniformity required for a representative action.

Comment

This case once again highlights the continued challenges for data subjects attempting to bring mass data breach actions.

As noted in our previous blog, the hurdles established in Lloyd v Google—particularly the need to prove actual loss in data protection claims — remain a significant barrier to representative actions, even when reframed under misuse of private information claims. Mr Prismall’s attempt to navigate these obstacles serves as a further example of the difficulties inherent in pursuing such collective actions.

From a procedural perspective, the Court’s emphasis on the necessity for individualised assessments of harm underscores the incompatibility of opt-out mechanisms with claims rooted in personal and context-specific circumstances. This case demonstrates that when individualised factors are central to the core of a claim, collective redress mechanisms like representative actions under the court rules are likely to fail.

As with Lloyd, the Prismall decision leaves litigators and claimants grappling with the question of how best to pursue collective data breach actions although they do provide helpful valuable clarity on the procedural hurdles such claims must overcome.

While group litigation orders and settlement schemes provide alternative avenues, the practical and financial feasibility of these mechanisms remains to be seen. This case also serves as a reminder to businesses handling sensitive data to remain vigilant in their compliance efforts, as the risk of regulatory scrutiny and litigation persists despite the procedural hurdles for claimants – which can still cause reputational and financial implications.

Ultimately, Prismall reinforces the limitations of the representative action framework for data breach claims, further narrowing the scope for collective redress in this area. The evolving landscape of data privacy litigation will require innovative approaches to balance the need for accountability with the procedural constraints of the law.

Contributors

Martin Sloan

Partner

Craig Watt

Partner & Solicitor Advocate

Rachel Lawson

Associate

Steven Pears

Trainee