UK’s Court of Appeal rejects representative data class action

Summary

In Prismall v Google UK Ltd & Anor, the Court of Appeal upheld the strike out of a class action “opt out” data misuse claim on the basis that it failed to meet the “same interest test” and there was no realistic prospect of establishing a “lowest common denominator” scenario where the information is anodyne and/or has been voluntarily placed in the public domain. This case will be of interest to those threatened with “opt out” class actions or data misuse claims.

Background

For some time now, claimant law firms and their funders have been looking to build a sustainable business model for mass claims following data breaches. In principle, there are three options available to them:

1. Individual claims;
2. “Opt-in” claims, where each individual claimant needs to sign up to the claim; and
3. “Opt-out” or “representative” claims, where a claimant seeks to represent an entire class of individuals affected by an issue, unless they opt-out.

Of those three options, it will be no surprise that the third – “opt-out” or “representative” claims – is far more attractive to claimant law firms and funders. Although they may persuade hundreds, or even thousands, of claimants to sign up to an “opt-in” claim, an opt-out claim can be brought on behalf of millions or tens of millions of class members without their individual consent.

There is a catch, however: in the UK, outside of claims in the Competition Appeal Tribunal (which we return to below), the legal test for bringing a representative claim is tightly defined by Civil Procedure Rule (CPR) 19.8: all members of the class (including the representative itself) must have the “same interest” in the claim. If those claims require individualised assessment, they are unlikely to be suitable for the representative procedure.

Data breaches are in principle an attractive target for building a group claim, as they can affect millions of individuals. However, the impact of a data breach on each person is often individual, be it the amount of data compromised, or the potential impact on the individual in the form of financial loss, distress etc. Claimants therefore seek to show that that there is a “lowest common denominator” claimant.

In Lloyd v Google, the Supreme Court rejected the idea of a CPR 19.8 representative claim based on a breach of data privacy legislation (in that case the Data Protection Act 1998). There, the claimant sought to argue that the “lowest common denominator” was damages for the “loss of control” of personal data. The Supreme Court held, however, that in doing so, the claimant had lowered the level of harm suffered by each class member to the point where those damages were so trivial that they did not attract an award of damages: “the fundamental problem is that, if no individual circumstances are taken into account, the facts alleged are insufficient to establish that any individual member of the represented class is entitled to damages” (147).

The facts

Unlike Lloyd v Google, which was based on a breach of data privacy legislation, Andrew Prismall sought to bring a CPR 19.8 representative claim on the basis of the tort of misuse of private information. That requires a claimant to evidence that, viewed objectively, they had a reasonable expectation of privacy in the information, and is subject to a threshold of seriousness and involves a consideration of the particular circumstances of the individual case.

Mr Prismall’s claim was brought on behalf of 1.6 million people, on the basis that their medical data had been transferred, without their consent, by the Royal Free London NHS Foundation Trust to Google and its DeepMind subsidiary, which then used the data to develop an app to identify and treat patients suffering from acute kidney injury along with other commercial purposes.

In May 2023, Mr Prismall’s claim was struck-out by the High Court at first instance. Mrs Justice Heather Williams DBE took a similar approach to that applied in Lloyd v Google, in summary holding that the “lowest common denominator” class member would include, for example, somebody whose information was anodyne, and who had placed their medical information in the public domain. Those claimants would not have a reasonable expectation of privacy in that information, and so their claims in the tort of misuse of private information would fail. If individual circumstances were taken into account, however, the class members would not have the “same interest” for the purposes of the CPR 19.8 test:

“Accordingly, the claim as currently advanced on a global irreducible minimum basis in order to try and meet the “same interest” criterion for a representative action cannot succeed. It cannot be said that every member of the class across the board has a viable claim. Equally, departing from the lowest common denominator scenario and bringing into account individualised factors for the purposes of showing that a reasonable expectation of privacy exists in particular situations would mean that the “same interest” test was not met. Either way the claim is bound to fail.” (169)

Mr Prismall appealed the High Court’s decision.

The appeal

The Court of Appeal was not moved, and upheld the High Court’s decision.

In summary, it held that:

• claims based on the tort of misuse of private information are likely to involve an individualised assessment of whether there is a reasonable expectation of privacy for any particular claimant, and so are unlikely to be suitable for a CPR 19.8 “same interest” representative action
• the Judge at first instance was right to find that there was no realistic prospect of establishing a misuse of private information in a “lowest common denominator” scenario where the information shared is anodyne and/or the individual has placed the relevant information in the public domain

Commentary

The Court of Appeal’s decision is further good news for organisations impacted by data breaches or mass claims relating to their use and sharing of data. Combined with the Supreme Court’s decision in Lloyd v Google, it is currently difficult to see (subject to any appeal) how a CPR 19.8 representative action on behalf of affected individuals could succeed

UK organisations should note, however, that the threat of litigation following a data breach continues to exist in the forms of:

• individual claims, which can be disproportionately expensive and time-consuming to defend
• “opt-in” group claims, in relation to which we are waiting for the Court of Appeal’s decision in Farley v Paymaster, regarding whether a claim for distress under data privacy legislation arises where the breached data was not accessed by a third party
• a two-stage (or “bifurcated”) representative CPR 19.8 procedure, which was suggested by the Supreme Court in Lloyd v Google and highlighted by the Court of Appeal in this case. Under that approach, a funder and claimant law firm would bring a first-stage set of proceedings to resolve issues common to the class (such as liability), with individualised issues (such as quantum) to be resolved at a second stage. The issue with that model is, as the Supreme Court recognised, that it is unclear why a funder would fund the first stage of proceedings without an obvious prospect of return. That was one of the issues to be considered in Commission Recovery v Marks & Clerk, which has now settled. However, it is an important point which is likely to arise in another case in future
• claims in the Competition Appeal Tribunal (“CAT”). Although data-related claims do not obviously fall within the remit of the CAT – which only considers claims based on breaches of competition law – claimant law firms and funders are “reframing” claims, including those relating to the alleged misuse of data, on that basis to take advantage of the CAT’s opt-out regime