Data Class Actions ' An Alternative Basis For An Opt-out Representative Action Failed

• Published date: 17 July 2023
• Subject Matter: Litigation, Mediation & Arbitration, Privacy, Data Protection, Privacy Protection, Class Actions
• Law Firm: Norton Rose Fulbright
• Author: Ruth Cowley, Charlie Weston-Simons and Gill Davy

Prismall v Google UK Ltd & Anor [2023] EWHC 1169 (KB)was a further attempt to bring a group action for breaches of data privacy requirements. Following the high profile Supreme Court decision in Lloyd v Google LLC [2021] UKSC 50 which held that a claim for breach of the Data Protection Act 1998 could not be brought as an "opt-out" representative action, the claimant sought to bring a tort claim for misuse of private information as a representative action. The claim was struck out. The judgment illustrates the challenges that will be faced by claimants in bringing these group actions successfully.

Representative actions

Under CPR 19.8, a representative claimant can bring a claim on behalf of the represented class if they all have the "same interest" in the claim. This requirement ensures the representative claim can sensibly resolve the issues in dispute and there are no conflicts of interest between class members. Representative actions can be a useful tool, for example where there are a large number of potential claimants who have each suffered modest losses and so there may be little incentive for claimants to 'opt-in' and participate directly in the litigation.

The challenge with using CPR 19.8 in a claim for damages is that it is usually necessary to assess each claimant's individual losses which will of course differ and therefore claimants will not have the required "same interest". The claimant in Lloyd v Google sought to avoid this difficulty by limiting the claim to uniform per capita damages for loss of control of their data, i.e. a lowest common denominator basis which sought to compensate the irreducible minimum harm suffered by every member of the class. The principal reason the Supreme Court rejected this approach was because damage under the Data Protection Act 1998 is limited to material damage (e.g. financial loss, physical injury etc) rather than mere loss of control of data.

In the current case, the claimant framed the claim in the tort of misuse of private information because it is well established that damages for the tort can include compensation for the loss of control of data. It therefore had potential to satisfy the "same interest" requirement for a representative action.

Background

The claim concerned the transfer of certain medical records held by a London hospital trust to the second defendant for the purpose of developing and then operating an app called 'Streams' and also potentially for wider commercial purposes. The app...