Never Mind: Prismall and privacy representative actions

As Panopticon’s readership will be well aware, last week’s judgment in Prismall v Google UK Ltd and Deep Mind Technologies Ltd [2023] EWHC 1169 (KB) saw Mrs Justice Williams strike out the only live attempt in the UK at an opt-out class action for data misuse. In this post, I’ll summarise the Court’s key reasons.

Mr Prismall sought to claim as a representative claimant under what is now CPR 19.8 – i.e. the opt-out class action vehicle for claimants with the “same interest”, that ran aground in Lloyd v Gogle. The litigation funders, LCM UK Ltd, were joined here as an interested party, for costs purposes.

The envisaged class comprised patients for whom patient-identifiable data was allegedly misused when it was provided to Google/Deep Mind (the distinction doesn’t matter for these purposes) by the Royal Free Hospital over the period 2015-2017, pursuant to an information-sharing agreement and memorandum of understanding. Deep Mind used the data to develop an app, Streams, that was used in the provision of direct care from February 2017. There was no complaint about the use of data as part of delivering direct care (including through the use of the app): the complaint here was about the receipt, storage and use of patient-identifiable data before the app went live.

Why didn’t the judgment in Lloyd automatically kill off this representative action, just like it abruptly killed off other similar claims that were in the pipeline? The answer lies in the cause of action. Lloyd precluded these kinds of actions under data protection legislation (specifically, the DPA 1998), because there was no right to compensation merely for a contravention/loss of control under that legislation; instead, individualised assessment of damage/distress was required, and this doesn’t fit the “same interest” bill for a rep action. But Prismall was not a claim under data protection law. Instead, it was a claim for the tort of misuse of private information (MPI). Loss of control damages can arise for MPI: see e.g. Gulati, and Lloyd itself.

In a nutshell, the argument in Prismall was: this was medical information from a doctor-patient context; that is necessarily private, so its misuse would necessarily found a MPI action – you didn’t need any individualised assessment to get home on entitlement to compensation, albeit that you would need to take a “lowest common denominator” approach to compensation (as per the model attempted in Lloyd).

But, again as per Lloyd, this action was struck out. Here are the main reasons.

  • Medical information is generally private, but not all disclosures of medical information give rise to a reasonable expectation of privacy or to MPI: see e.g. Campbell v MGN.
  • The de minimis principle applies to medical information: even some information from a doctor-patient context can be so trivial that it isn’t actionable: see e.g. Underwood v Bounty.
  • The Court rejected Deep Mind’s submission that loss of control damages in MPI cases inevitably involve individualised assessment (thereby being automatically unsuitable for rep actions). It also rejected the submission that where there will be defences that apply to some claimants and not others, the “same interest” criterion falls away. However, the question remains whether the identified class of proposed claimants have viable damages claims that meet the threshold of seriousness (see [87]).
  • The task is therefore to take the defined class of proposed claimants and ask whether their basic “lowest common denominator” circumstances of each member of the class could arguably found a MPI claim (with a particular focus at this stage of the analysis being on whether there could be a reasonable expectation of privacy). To do that, you have to strip the data fields down to the minimum common fields (which gets you near or into triviality territory) and you face the difficulty that – even with medical information – a reasonable expectation of privacy will fall away for those who have chosen to publicise that information (“For example, an identifiable person who tweets that they have fractured their ankle and are on their way to hospital, before they arrive at the A & E Department with this injury”: that same information doesn’t then become private in nature just by dint of appearing in a medical record).
  • The Court analysed the irreducible minimum/lowest common denominator set of facts (see [166]) and concluded that no rep action was viable: “very limited information was transferred and stored; although health-related, it was anodyne in nature; this information was held securely and not accessed by anyone during the storage period; the information was already in the public domain; the alleged acts of interference outside of patient direct care were limited to the transfer of the data and to its secure storage for up to 12 months; and that this caused no impact other than the loss of control itself” (see [167]).

So, in summary, this proposed rep action was struck out because (a) the lowest common denominator set of facts here wouldn’t meet the seriousness threshold, and (b) in order to meet that threshold there would need to be individualised assessment (which you can’t do under a rep action). Even MPI claims – theoretically viable post-Lloyd – run into quagmire.

Timothy Pitt-Payne KC and Stephen Kosmin of 11KBW, instructed by Mishcon de Reya, acted for Mr Prismall.

Robin Hopkins