Google has prevailed against another British class action-style privacy lawsuit after a London court last year dismissed a lawsuit brought against the tech giant and its AI division, DeepMind, seeking compensation for misuse of NHS medical records patients.
The decision underscores the hurdles facing class action-style compensation claims for privacy breaches in the UK.
The complainant had attempted to bring a representative action on behalf of the approximately 1.6 million individuals whose medical records had – as of 2015 – been passed on to DeepMind without their knowledge or consent – seeking damages for misappropriation of patients’ confidential medical records . The Google-owned AI company was hired by the Royal Free NHS Trust, who passed on their patient data to co-develop an app for detecting acute kidney injury. Britain’s data protection watchdog later found that the Trust had no legal basis for the processing.
In a judgement issued today by the Royal Courts of Justice in London, Judge Heather Williams dismissed the case on the grounds that it did not meet the requirements for a representative action, which requires the claim to be based on general circumstances that apply to the whole class rather than to individual circumstances, and therefore ruled that the claim was doomed.
The plaintiffs had attempted to scale up this legal wall by seeking only “lowest common denominator damages” for each member of the claimed class – meaning they were suing for compensation calculated by taking into account “the irreducible minimum damages” suffered by all members.
But even this lowered bar didn’t pass the test, as the judge identified “many relevant variables” between members of the class and ruled that there are overwhelming challenges to any attempt to redraw the class to try and establish a viable claim – concluding that there is “a fundamental and inherent difficulty in identifying a viable claim for class members if that claim is made as a representative claim based on common circumstances”.
The law firm representing the plaintiff, Andrew Prismall, was contacted for comment but did not respond to the press.
A Google DeepMind spokesperson sent this statement welcoming the ruling: “We are pleased that the court has decided to end this proceeding. As we have argued, this claim is baseless and baseless.”
This isn’t the first time a class action-style privacy damage claim against Google has stalled in the UK. In 2021, the Supreme Court finally blocked another representative action brought by a consumer rights campaigner related to a workaround that Google allegedly applied between 2011 and 2012 to protect iPhone users’ privacy settings in Apple’s Safari browser. to ignore.
A previous attempt by Prismall to bring a representative action against Google and DeepMind under UK data protection law was abandoned following Google’s aforementioned Supreme Court victory. He then re-filed the claim, under the common law tort of misuse of private information, only to have that case dismissed today.
Filing a legal claim for damages as a private individual remains prohibitively expensive. So the lack of a clear route for UK citizens to bring class-action-style lawsuits over privacy damage means that there are very limited options for them to seek redress for misuse of their data.
In 2017, Britain’s data protection watchdog didn’t even issue a financial penalty to the NHS Trust for finding that patients’ data had been illegally passed on to DeepMind. Nor was the tech giant ordered to delete patient data. And while Google subsequently – in 2021 – retired the app, DeepMind could have struck deals with a number of NHS Trusts to use a piece of software developed using unlawfully processed personal data. So complaining to the national privacy regulator in the hope that it will punish rule breakers meaningfully is not a safe path to successful results for the British either.
The picture is changing in the European Union, where a directive on collective redress was adopted in 2020 and will enter into force next month. This law aims to strengthen consumer rights by making it easier for the bloc’s citizens to bring representative actions and collectively sue for violation of their rights.
Add to that a new change to EU product liability rules that aims to make it easier for people to recover damages caused by software and AI systems, including for violations of fundamental rights such as privacy.
A recent judgment by the Court of Justice of the EU also found that the bloc’s data protection framework does not set a threshold of harm for a claim for damages for infringement.