It had originally been thought that the answer might be a representative action; an “opt-out” procedure enabling a single claimant to bring proceedings on behalf of all members of the affected class with the “same interest”, as required by CPR r 19.8. In contrast to “opt-in” possibilities such as a Group Litigation Order or lead claimant model, a representative action is less costly to bring (because it avoids the need to advertise for and marshal individual claims) and potentially more lucrative (because a successful judgment can be enforced on behalf of all affected class members, not just those who opted in). As individual data misuse claims are typically low-value and therefore unprofitable unless they can be efficiently aggregated en masse, these factors caught the interest of external litigation funders, prompting a proliferation of claims following data incidents.
In 2021, the music stopped when, in Lloyd v Google, the Supreme Court determined that the representative action was not appropriate for data protection claims. That was essentially because of two factors: (i) under English law it is not possible in a data protection claim for a data subject to recover damages from a data controller for the fact of loss of control of their data, and (ii) the extent of any non-financial damage (i.e. distress) suffered is specific to each individual claimant and therefore the “same interest” requirement is not met. This reasoning did not directly map across to claims in tort for misuse of private information (MPI) where loss of control damages are available, meaning that (perhaps) the same challenges would not apply to this type of claim. However, following a judgment given by the Court of Appeal in December 2024, this possibility has now been firmly rejected.
Background
The claimant commenced a representative action against Google and DeepMind claiming damages on behalf of approximately 1.6 million patients whose medical records had been transferred to the defendants between 2015 and 2017. The substance of the claim for MPI was that those companies had used the data for their own commercial purposes. The claim was struck out at first instance and summary judgment entered for the defendants. The claimant appealed.
The judgment
The central issue on appeal was whether each member of the represented class had a realistic prospect of establishing a reasonable expectation of privacy in their medical records. As a representative action may only proceed if each class member has the “same interest” as all other members, and as there are variations of experience and loss across a large class of individuals, this required a close analysis of the “lowest common denominator” claimant – in other words, the notional claimant in the class of 1.6 million members whose claim epitomised the minimum or lowest scenario which every member had in common.
The Court of Appeal identified two related, insurmountable difficulties:
- Public sharing: the defendants were able to point to news articles in which individual patients had placed their medical information in the public domain. This illustrated their point that certain class members would not be able to demonstrate to a reasonable expectation of privacy. As that is a key requirement for MPI, so it followed that the lowest common denominator claimant would not have a viable claim for MPI.
- Minimum threshold: for a reasonable expectation of privacy to arise, the information must overcome a “threshold of seriousness”. That threshold would not be met at the level of the lowest common denominator because, in some cases, the affected medical information would be utterly trivial or freely disclosed in the public domain.
These difficulties were fatal to the claimant’s ability to meet the “same interest” test.
Comment
Following this judgment, MPI claims have gone the same way as data protection claims, in that it is now extremely hard (if not impossible) to see how a representative action can be made to work. This outcome is also reflected in the Court of Appeal’s observations that “a representative class claim for misuse of private information is always going to be very difficult to bring” because “relevant circumstances will affect whether there is a reasonable expectation of privacy for any particular claimant, which will itself affect whether all of the represented class have ‘the same interest’”.
It should be stressed that there are still procedural routes available to claimants who wish to claim compensation, whether for MPI or data protection issues. However, the low value of these claims makes them far less appealing to pursue or fund, either individually or on an “opt-in”, collective basis. Absent a dramatic development which breathes new life into English mass data claims, it therefore seems unlikely that data “events” will generate anything approaching the level of claims and litigation experienced prior to Lloyd v Google.
