Data class actions: Court of Appeal upholds decision blocking "opt-out" representative action for misuse of private information

In a decision handed down yesterday, the Court of Appeal has agreed with the High Court that a claim for misuse of private information should not be allowed to proceed as an opt-out representative action under CPR 19.8: Prismall v Google UK Ltd [2024] EWCA Civ 1516.

As explained in our blog post on the first instance decision (here), the representative action procedure can only be used if the claimant and the represented class have the "same interest" in the claim. In its landmark decision in Lloyd v Google [2021] UKSC 50 (considered here), the Supreme Court found that a claim for compensation for alleged breaches of data protection legislation could not get round this hurdle by disclaiming any reliance on class members' individual circumstances, as such claims require proof of damage and cannot be brought for the mere loss of control of data.

The present claim was originally brought as a representative action for breaches of data protection legislation, but that case was discontinued after the judgment in Lloyd v Google and the claim was reformulated as a claim for misuse of private information, where (in principle) damages can be awarded for the loss of control of data. However, as the present decision shows, that does not mean that a representative action for misuse of private information can be brought on the basis of the "lowest common denominator" of the claimant class.

The decision illustrates that, in order to meet the "same interest" requirement, each member of the represented class must have a realistic prospect of establishing their claim, and that is likely to be a very difficult hurdle to meet in a claim for misuse of private information. That is because the question of whether a particular claimant had a reasonable expectation of privacy will depend on all relevant circumstances, including whether and to what extent that claimant had chosen to make the information public.

This appears to bring an end to the run of cases seeking to use CPR 19.8 to bring data class actions, as it shows that the difficulties inherent in the procedure for claims under the Data Protection Act 1998, as established in Lloyd v Google, also apply to claims for misuse of private information. However, there remains an open question as to whether claims based on the GDPR and the Data Protection Act 2018 will suffer the same fate, following the withdrawal of a representative action against TikTok in May 2022 – before resolving the question of whether the Supreme Court's decision in Lloyd v Google could be distinguished in that context.

In Europe, the question of whether or not "loss of control" of data constitutes compensable non-material damage under the GDPR has recently been considered by the German Federal Court of Justice. In that case, the court confirmed that even a "mere and short-term loss of control" of personal data may be sufficient, and an individual is not required to provide evidence that there has been a specific misuse of data to the detriment of the individual as a result of such loss of control. In the event of a UK GDPR case, it will be interesting to see how the courts react to this decision, noting that the German court's decision does not align with Lloyd v Google.

There is also the possibility of bringing a "bifurcated" claim in the English court, as envisaged in Lloyd v Google, in which the representative action procedure is used to determine truly common issues – which could include whether there has been a breach of data protection legislation, or perhaps the facts around the defendant's use of the relevant information – with individual issues left to be determined at a later stage. However, such claims present other challenges, not least as to whether damages can be awarded on a collective basis and whether those who fund the claims can be confident of receiving a share. Those issues were set to be addressed in a trial in Commission Recovery v Marks & Clerk early in 2025, but as that case has now settled they will have to wait for another opportunity.

Background

The background to the case is set out in more detail in our blog post on the High Court's decision, linked above. In brief summary, the representative claimant sought damages on behalf of a class of individuals whose patient-identifiable medical records had been transferred to the second defendant by the Royal Free London NHS Foundation Trust, in relation to the development of an app intended to assist in the identification and treatment of patients potentially suffering from acute kidney injury.

Damages were claimed only for loss of control of the private information. It was said that any claimant who wanted to claim damages on some further basis could opt out of the representative action and bring an individual claim.

The defendant applied to strike out the claim and/or for summary judgment, arguing that the claimant had no real prospect of establishing (as it was required to do) that all of the represented class had a viable claim for misuse of private information, or in any event for more than trivial damages.

The High Court struck out the claim on the basis that a claim based on the irreducible minimum scenario, or lowest common denominator, could not succeed in establishing a reasonable expectation of privacy. But conversely, if class members' individual circumstances were taken into account, that would mean that the "same interest" test was not met.

The claimant appealed.

Decision

The Court of Appeal dismissed the appeal in a unanimous judgment given by the President of the King's Bench Division, Davies LJ and Dingemans LJ.

The court noted that there was no dispute about the elements of the tort of misuse of private information, which involves a two-stage test:

1. The claimant must establish that it had a reasonable expectation of privacy in the relevant information. This is assessed objectively, taking into account all the circumstances of the case, and is subject to a threshold of seriousness.
2. If the first stage is met, the court will balance the individual's right to privacy against the defendant's right to freedom of expression.

There are some categories of information, including patient identifiable information in medical notes, where the starting point is that there will normally be a reasonable expectation of privacy.

However, the court said, that will not always be the end point when it comes to the tort of misuse of private information. That tort involves a threshold of seriousness and everything will depend on the circumstances of the individual case. Consequently, the court rejected the claimant's submission that there would always be a reasonable expectation of privacy in patient-identifiable medical records.

Further, the judge had identified the particular problem that patients can choose to make their private information public, in which case that would inevitably have to be considered in determining whether there was a reasonable expectation of privacy that met the threshold of seriousness. A claim for misuse of private information in those circumstances would not necessarily succeed and, since that possibility had to be taken into account in formulating the irreducible minimum scenario, the "same interest" requirement was not met.

The Court of Appeal commented:

"We consider that a representative class claim for misuse of private information is always going to be very difficult to bring. This is because relevant circumstances will affect whether there is a reasonable expectation of privacy for any particular claimant, which will itself affect whether all of the represented class have 'the same interest'."