The High Court has dismissed an attempt to bring a claim for misuse of private information as an "opt-out" representative action under CPR 19, where the representative claimant was seeking damages based on a "lowest common denominator" of the claimant class: Prismall v Google UK Ltd [2023] EWHC 1169 (KB).
A representative action under CPR 19 can only be brought if the represented class has the "same interest" in the claim. In its high profile decision in Lloyd v Google [2021] UKSC 50 (considered here), the Supreme Court found that a claim for compensation for alleged breaches of data protection legislation could not get round this hurdle by disclaiming any reliance on class members' individual circumstances, as such claims require proof of damage and cannot be brought for the mere loss of control of data.
Following that decision, it was thought that a claim framed in the tort of misuse of private information might have more success as a representative action, since it is well-established that damages for that tort can be awarded for the loss of control of data. However, the current decision suggests that representative actions for misuse of private information will also face significant hurdles.
In Lloyd v Google, the Supreme Court stated that, even if damages could be awarded for the unlawful processing of data, the court would need to consider the extent of the unlawful processing in the individual case to be able to conclude that the damage was more than trivial. A claim based on the "lowest common denominator" of the claimant class therefore could not succeed.
The current decision adopts the same approach in striking out the claim for misuse of private information. The claim failed because, if assessed on an irreducible minimum basis, it could not be said that every class member had a viable claim. But conversely, if individual circumstances were taken into account, that would mean that the "same interest" test was not met. Either way the claim was bound to fail. The same reasoning seems likely to apply to other attempts to bring claims in misuse of private information as representative actions, unless perhaps the data in question is so sensitive and the interference so extreme that, even on an irreducible minimum basis, it is clear that all class members' claims are viable and non-trivial.
The decision refers in passing to the recent High Court decision in Commission Recovery Ltd v Marks & Clerk LLP [2023] EWHC 398 (Comm) (considered here), in which a claim in respect of secret commission was allowed to proceed as a representative action. The judge noted that that case suggests, consistent with comments in Lloyd v Google, that the existence of a defence which applies to only some class members does not preclude the “same interest” test being met, so long as there is no conflict of interest. However, the judge said, the current case did not involve a potential defence available to a subset of class members; rather, it was simply not possible to ascertain whether any given class member had a viable claim. Despite these comments, it is not easy to reconcile the court's willingness in Marks & Clerk to allow the representative action procedure to be used where there were potentially significant differences between claimants' individual circumstances with the recognition in the present case (and in Lloyd v Google) that a need to take account of individual circumstances would be inconsistent with the "same interest" requirement.
Background
The claimant sought to bring a representative action against the defendants under CPR 19.8 (formerly CPR 19.6) on behalf of some 1.6 million people claiming damages in the tort of misuse of private information. The action related to the transfer of certain medical records held by the Royal Free London NHS Foundation Trust and its predecessors (together, the "Royal Free") to the second defendant, which was involved in the development and operation of an app known as Streams: a clinical system designed to assist clinicians at the Royal Free to identify and treat patients potentially suffering from acute kidney injury.
The claim did not concern the use of patient data on Streams in treating patients once the app became operational in February 2017. Rather, it was alleged that the defendants' misuse consisted in obtaining and storing patient-identifiable medical records before that point, when the defendants had a contractual entitlement to use the data for purposes wider than direct patient care and/or the Streams project, and using the records in the research and development of the Streams app and/or to prove their general capabilities with a view to enhancing their future commercial prospects.
CPR 19.8 provides that a representative claimant may bring a claim on behalf of any other persons who have the "same interest" in the claim. Here the represented class was identified (in broad terms) as those who had presented for treatment at any Royal Free hospital or clinic in the five year period to 29 September 2015, or were included in the Royal Free's radiology patient or blood sample records in that period, and whose patient-identifiable medical records were included in the records collected and/or stored by the defendants as referred to above.
In an effort to meet the "same interest" requirement, the claimant confined the claim to "lowest common denominator" damages, ie damages calculated by reference to the irreducible minimum harm suffered by all members of the class. Any class member who wished to seek additional compensation, based on their own individual circumstances, would need to opt out of the class and bring their own claim.
The defendant applied to strike out the claim under CPR 3.4 (on the basis that the claim form and particulars of claim disclosed no reasonable grounds for bringing the claim) and/or summary judgment under CPR 24.2 (on the basis that there was no real prospect of success and no other compelling reason why the case should be disposed of at trial). It argued (in summary) that:
- the claimant had no real prospect of establishing that all of the represented class had a viable claim for misuse of private information (and therefore that all had the "same interest" in the claim); and
- even if a "lowest common denominator" approach was permissible, a claim brought on that basis did not show that any of the class had a viable claim for more than trivial damages.
Decision
The High Court (Mrs Justice Heather Williams DBE) struck out the claim.
Misuse of private information: The principles
The principles relating to liability for misuse of private information were not in dispute. As was common ground, there is a two-stage test:
- Whether the claimant has a reasonable expectation of privacy in the relevant information. This is an objective test, based on the expectation of a reasonable person of ordinary sensibilities placed in the same position as the claimant and faced with the same publicity. It takes into account all the circumstances of the case, including for example the extent to which the information is already in the public domain. There is a de minimis threshold which must be overcome.
- Whether that expectation is outweighed by a countervailing interest of the defendant. The balancing exercise involves an intense focus on the comparative importance of the specific rights claimed, and the justifications for and proportionality of any interference or restriction of those rights.
The judge noted that the European Court of Human Rights has emphasised the importance of the right to respect for private life in the context of medical information, but said it is also well-established that not every disclosure of medical information will give rise to a reasonable expectation of privacy and/or involve an unlawful interference. The context is all important. For instance the judge doubted whether the mere fact of attendance at A&E would constitute private information, whereas attendance at a clinic from which the nature of an illness could be readily inferred might do so. Further, information obtained in a medical context might attract the operation of the de minimis principle. The nature of the medical information in question would affect the level of appropriate compensation, if the tort was established.
It was common ground that damages can be recovered in misuse of private information for the loss of control of data, as established by the Court of Appeal in Gulati v MGN Ltd [2015] EWHC 1482 (Ch). The judge rejected the defendants' submission that the assessment of loss of control damages must necessarily be assessed on an individual basis. However, the claimant would have to establish that class members had a viable claim for more than de minimis damages for the loss of control.
Reasonable expectation of privacy / unlawful interference
The judge noted that, as the current action was pursued purely on the basis of the lowest common denominator for the whole class, the court had to disregard individual circumstances that might give rise to a stronger claim for some individuals. Further, in light of the "same interest" requirement, the question was whether every class member had a viable claim; accordingly, circumstances that pointed against a reasonable expectation of privacy for some class members should be taken into account.
Against that background, the judge concluded that she should proceed on the basis of an irreducible minimum scenario involving only one attendance at a Royal Free hospital, which did not concern a medical condition involving any particular sensitivity or stigma, where limited demographic information and only generalised reference to the medical condition was included in the data transferred (eg because the person registered with hospital reception but left without being seen by a clinician), and where information relating to the hospital attendance was otherwise in the public domain (eg because the attendee posted the information on social media). It was assumed that there was a realistic prospect of showing that the data was transferred and stored securely for up to 12 months, in circumstances which went beyond direct patient care as the defendants’ intended purposes for the data related both to the Streams app and to a wider collaboration with the Royal Free that would be financially beneficial to the defendants, but the information was not in fact used in that broader way. It was also assumed that, while the subject of the data was not aware of the defendants’ use of the data and had not consented to it, it did not cause upset or concern, ie the only adverse effect was the sheer fact of the loss of control over the data.
The judge did not take into account that some of the claimant class subsequently benefitted, in terms of medical care, from an alert triggered by Streams after it was operational. She considered that there was force in the claimant's point that, if a cause of action exists at the time of the alleged interference, it is not negated by later events of this nature, although these might affect an individualised assessment of damages.
Taking into account the above, the judge concluded that the claimant did not have a realistic prospect of establishing a reasonable expectation of privacy for all class members in respect of their relevant medical records, or of crossing the de minimis threshold in relation to such an expectation. This was in particular because, on the scenario identified: very limited information was transferred and stored; although health-related, it was anodyne in nature; it was held securely and not accessed by anyone during the storage period; it was already in the public domain; the alleged acts of interference outside of patient direct care were limited to the transfer of the data and to its secure storage for up to 12 months; and there was no impact other than the loss of control itself.
Accordingly, a claim based on the lowest common denominator could not succeed. Conversely, if individualised factors were taken into account to establish a reasonable expectation of privacy in particular situations, that would mean the “same interest” test was not met. Either way the claim was bound to fail.
If (contrary to the above) it could be said that all class members had a reasonable expectation of privacy, the question remained as to whether the clamant had a realistic prospect of establishing, on the irreducible minimum scenario, that the defendants' actions were not justified so as to outweigh that expectation. The scenario and factors were as identified above, save that the defendants could place a more general reliance on the objective of the Streams app and its beneficial outcomes. Accordingly, the claim would fail at this hurdle as well.
Loss of control damages
Given the conclusions above, the judge did not need to address the question of whether loss of control damages could be sought for the whole class on a lowest common denominator basis, but she nevertheless explained her conclusions on the point. Like the Supreme Court in Lloyd, she assumed, without deciding, that it was in principle possible to bring a representative action on this basis - despite the lack of authority from class members to waive or abandon what might be the major part of their damages by disavowing reliance on their individual circumstances.
The judge said that the irreducible minimum scenario she had identified in considering whether there was a reasonable expectation of privacy was also relevant to the question of loss of control damages. The only potentially significant difference was that, in considering the extent of the loss of control, it would be appropriate to take into account the fact that transfer and storage of the data would in any event be required before the app became operational, so the only compensatable loss of control element would be for the months during which the data was stored by the second defendant before it was needed for use with the app.
Taking into account all of these circumstances, the judge concluded that there was no realistic prospect of more than nominal or trivial damages being awarded for loss of control.
No other compelling reason
The judge rejected the claimant's submission that, even if it appeared at this stage that the claim had no realistic prospect of success, it should be permitted to proceed given the areas of evidential uncertainty. That did not, in the judge's view, provide a “compelling reason” in the circumstances.
Uncertainty as to the number of people affected made no difference, as the court had to consider whether every class member had a viable claim. Uncertainties as to the time period in question and the content of the records transferred also made no difference, given the need to assess the claims based on an irreducible minimum scenario. As for the lack of clarity as to when the intended use of data was narrowed to focus only on the Streams app, the judge had proceeded on the basis of assumptions favourable to the claimant, so the position was unlikely to be significantly improved by proceeding to trial.
Note: The Court of Appeal has upheld the High Court's decision. Read our blog post on the Court of Appeal decision here.
Key contacts
Disclaimer
The articles published on this website, current at the dates of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action.