Google has prevailed against another U.K. class-action style privacy lawsuit after a London court dismissed a lawsuit filed last year against the tech giant and its AI division, DeepMind, which had sought compensation for misuse of NHS patients’ medical records.
The decision underscores the hurdles facing class-action style compensation claims for privacy breaches in the U.K.
The complainant had sought to bring a representative claim on behalf of the approximately 1.6 million individuals whose medical records were — starting in 2015 — passed to DeepMind without their knowledge or consent — seeking damages for unlawful use of patients’ confidential medical data. The Google-owned AI firm had been engaged by the Royal Free NHS Trust which passed it patient data to co-develop an app for detecting acute kidney injury. The U.K.’s data protection watchdog later found the Trust had lacked a lawful basis for the processing.
In a judgement issued today by the Royal Courts of Justice in London, Justice Heather Williams dismissed the case on the grounds that it did not meet the bar for bringing a representative action, which requires the claim to be based on general circumstances that apply to the entire class rather than on individual circumstances, finding therefore that the claim would be bound to fail.
The complainants had attempted to scale this legal wall by seeking only “lowest common denominator damages” for each member of the claimed class — meaning they were suing for compensation calculated by considering “the irreducible minimum harm” suffered by all members.
However even this lowered bar did not pass muster, as the justice identified “many relevant variables” between members of the class and judged there to be overwhelming challenges to any attempt to redrawn the class to try to establish a viable claim — concluding there is “a fundamental and inherent difficulty in identifying a viable claim for any class members if this claim is brought as a representative action on the basis of common circumstances”.
The law firm representing claimant, Andrew Prismall, was contacted for comment but at press it had not responded.
A Google DeepMind spokesperson sent this statement welcoming the ruling: “We are pleased that the Court has decided to put an end to these proceedings. As we have argued, this claim is unfounded and without merit.”
This is not the first time a class-action style privacy damages claims against Google has run aground in the U.K. Back in 2021, the Supreme Court definitively blocked another representative action which had been brought by a consumer rights campaigner in relation to a workaround Google had allegedly applied to override iPhone users’ privacy settings in Apple’s Safari browser between 2011 and 2012.
An earlier attempt by Prismall to bring a representative claim against Google and DeepMind under U.K. data protection law was abandoned following Google’s aforementioned Supreme Court win. He then went on to refile the claim, under the common law tort of misuse of private information, only for that case to be dismissed today.
While a class action lawsuit filed in recent years against TikTok, alleging abuse of children’s data, was also withdrawn last year in the wake of Google’s Supreme Court win. The claimant in that case was reported as saying the decision had created an enormous amount of legal uncertainty around privacy class actions, leading to cost risks that the litigation funders and insurers were no longer willing to bear — which meant parents would have been exposed if they’d chosen to go ahead (hence they did not).
Bringing a legal claim for damages as an individual also remains prohibitively expensive. So the lack of a clear (low risk) route for U.K. citizens to pursue class-action style litigation over privacy harms means there are very limited options for them to obtain redress for misuse of their data.
Back in 2017, the UK’s data protection watchdog did not even issue a financial penalty for the NHS Trust it found had unlawfully passed patients’ records to DeepMind. Nor was the tech giant ordered to delete patients’ data. And while Google subsequently went on — in 2021 — to decommission the app, DeepMind had been able to ink deals with a number of NHS Trusts to use a piece of software developed using unlawfully processed personal data. So complaining to the national privacy regulator in the hopes it will meaningfully sanction rule breakers is no sure-fire route to successful outcomes for Brits either.
It’s an increasingly different picture in the European Union where a Collective Redress Directive was passed back in 2020 that’s due to enter into force next month. This law is aimed at bolstering consumer rights by making it easier for the bloc’s citizens to bring representative actions and sue collectively over breaches of their rights.
Add to that, another incoming change to EU product liability rules is intended to make it easier for people to sue for damages caused by software and AI systems, including for breaches of fundamental rights like privacy.
A recent judgement by the Court of Justice of the EU also established that the bloc’s data protection framework does not set a threshold for harm for a breach compensation claim.
This report was updated with details of the TikTok lawsuit