The majority of class action lawsuits in privacy and data protection in the United Kingdom (“UK”) have not succeeded. This may appear surprising, given the breadth of data rights found in the UK GDPR,[1] the Data Protection Act 2018, and the development of the tort of misuse of private information. This article reviews the cases to date, including the most recent attempt in Prismall v Google UK Limited [2023] EWHC 1169 (KB), and examines why class action lawsuits – generally referred to as ‘group litigation’ in England – have failed to provide results for individuals whose data and information have been misused or inadequately protected.
To bring a group action in the UK outside of competition law claims, there are two possible procedural routes: a Group Litigation Order (“GLO”) or a representative action. A GLO involves a selection of one or more claims to be tried as test claims.[2] This route is more costly and difficult where there are very large numbers of claimants because each must ‘opt in’ to the litigation and each claim has to be assessed individually for merits. The low amounts usually awarded in data protection claims mean the GLO route is a less attractive proposition for litigation funders and make it more difficult to persuade potential claimants to join the group. In addition, the cost of advertising to notify potential claimants of the GLO is not recoverable against the defendant.[3]
In a representative action, however, anyone within the class of litigants is automatically joined to the group. Anyone who does not want to be part of the litigation must actively ‘opt out’. This approach is akin to what is readily understood by the term ‘class action’ lawsuits and has been particularly successful in the United States (“US”), including in data protection.[4] However, in the UK, there are particular requirements for a representative action found in the Civil Procedure Rules (“CPR”). According to CPR rule 19.8, each individual member of the class must have “the same interest in a claim”. This means that each member of the class must claim damages that are equal.
Lloyd v Google: Data Protection
The first attempt to bring a representative action in data protection was in 2018 when Mr Richard Lloyd, a former consumer watchdog executive, tried to sue Google LLC (“Google”) for tracking the Internet use of Apple iPhone users, without their knowledge. Google had placed its DoubleClick Ad cookie on iPhone users’ Safari web browsers to collect information about users’ web browsing habits. Analysing this ‘browser generated information’ (“BGI”), Google would infer information about the user and create a profile, which was then sold to subscribing advertisers to target their advertisements.
In the US, a class action lawsuit had been brought on behalf of American citizens who had been tracked in this way, and Google had agreed a settlement of $17 million.[5] Mr Lloyd was bringing the representative action in the UK on behalf of all iPhone users with the Safari workaround, amounting to some 4 million people. With a claim for £750 per person, the total amount of damages sought was £3 billion.[6] Google resisted the claim and the Supreme Court ruled in Lloyd v Google [2021] UKSC 50 that the claimants could not bring a group claim because they failed to meet the procedural requirement of showing the ‘same interest’.
The difficulty of claiming damages in a representative action was acknowledged by the Supreme Court, noting that it is the nature of the remedy of damages in the common law that is the problem.[7] Damages are awarded to put a claimant in the position that he or she would have been in had the ‘wrong’ not occurred. Combined with the necessity of a uniform loss, this meant that the claimants in Lloyd not only had to have been affected by Google’s tracking, but they also had to have been affected in equal measure.
To meet this requirement of an equal effect, it was argued that it was possible to establish a uniform per-capita loss by two methods, either on the basis of ‘loss of control’ of personal data, or on the basis of ‘user damages’. The loss of control proposition relied on the finding in Vidal-Hall v Google Inc [2015] EWCA Civ 311 that it is possible to claim for non-financial damage in data protection, coupled with the approach to the calculation of damages in Gulati v MGN Ltd [2015] EWCA 1482 (Ch).
Gulati arose from a newspaper scandal in the UK where it was discovered that some newspapers had published articles using private information illegally obtained from the voicemail accounts of celebrities and well-known individuals. The victims used a relatively new cause of action – misuse of private information – to claim against the Mirror Group Newspapers. To succeed in such a claim, a claimant must show that he or she has a ‘reasonable expectation of privacy’ in the relevant information and that the information has been misused.[8] A ‘reasonable expectation of privacy’ is established where Article 8 of the European Convention on Human Rights is engaged.
Liability was accepted in the phone-hacking scandal and the judgment in Gulati concerned the damages to be awarded to the victims of the phone hacking. To date, these awards remain the highest ordered by a court in a privacy claim in the UK, reaching as much as £260,000. In Gulati, the judge decided that the claimants could be compensated not just for the distress caused by the misuse of their private information, but also for the loss of control of that private information. This approach was upheld by the Court of Appeal.[9]
The Supreme Court in Lloyd concluded that section 13 of the Data Protection Act 1998 (“DPA 1998”) required damage, even non-financial damage, to have a cause and effect.[10] The consequence of this was that to claim loss of control, it was still necessary to show that the data protection infringement had led to a loss of control that in turn had had an effect on the individual. This would require proving that every claimant had not only used the appropriate version of Apple’s Safari browser but had also accessed at least one website that was using Google’s DoubleClick advertising services.[11] Further, some impact would need to be proven, to establish how the individual felt about the tracking and if they had an adverse impression of it. For the opt-out approach of CPR rule 19.8, this could not work, as it required an assessment of each claimant’s case.
The Supreme Court acknowledged that a ‘bifurcated’ process was possible. That is, Mr Lloyd could first have sought, using the representative procedure, a declaration that Google had breached the DPA 1998 and owed compensation to those who had suffered damage as a result of the breach(es). Then as a subsequent stage, there could be an assessment of the amount in damages to be awarded to each individual.[12] However, as the court recognised, it is unlikely that it would have been possible to attract litigation funding for this approach. This is because there is no financial return at the first stage, and then there would be the difficulties of the ‘opt-in’ requirement at the second stage.[13]
The argument put forward in Lloyd for a calculation based on user damages was also unsuccessful. It was suggested that an amount in damages could be calculated by assessing what a reasonable person would have paid for the right for Google to use their BGI in the way that it was (wrongfully) used.[14] The Supreme Court agreed that a person’s BGI is a commercially valuable asset and that the “underlying reality” of the case is that Google was allegedly able to substantially profit by tracking and collecting that information to sell to advertisers.[15] There was no difficulty, in principle, with the contention that an individual could be awarded compensation based on the commercial value of the exercise of the right to control private information.[16] However, even if the principle of loss of control were extended to data protection and it were accepted that damages could be claimed without proof of damage, the Claimant would still need to establish the extent of the ‘wrongful use’ of the personal data by Google and its commercial gain.[17] Once again, an individualised assessment would be required, making a group action under CPR rule 19.8 impossible.
Prismall v Google: Misuse of Private Information
Given the clear acknowledgment by the Supreme Court in Lloyd that loss of control damages could be applied in misuse of private information claims, in Prismall, rather than relying on data protection, misuse of private information was pursued instead. Andrew Prismall was the representative claimant for the class of some 1.6 million litigants who had been patients at a hospital or clinic of the Royal Free London NHS Foundation Trust (“the Trust”) between 2010 and 2015. In October 2015, the Trust transferred historical patient data to DeepMind Technologies Limited (“DeepMind”) to develop an application called ‘Streams’.[18] Streams was a clinical system designed for the Trust’s clinicians to identify and treat patients who were potentially suffering from acute kidney injury. At the same time as the historical transfer, the Trust established a live feed of data to DeepMind for the application.
In Prismall, it was argued that as medical records are private and confidential, the transfer of medical records to DeepMind could not have reasonably been expected by patients of the Trust. The patients had not consented to the transfer of their medical records. It was pointed out that the Defendants had obtained the medical records in a contract with the Trust that also entitled them to use the medical information for purposes other than the Streams project, and that the use of patients’ medical information with a view to future commercial financial gain was a wrongful interference with their right to privacy.[19]
Damages for ‘loss of control’ of private information were sought in the claim, as had been used in Gulati, described as ‘lowest common denominator damages’ or the minimum harm suffered by each claimant to meet the requirement of CPR rule 19.8.[20] The UK data protection regulator, the Information Commissioner’s Office, had investigated the Streams project and concluded that the Trust had failed to comply with the requirements of the DPA 1998 and had breached its common law duty of confidence to its patients.[21]
However, a data protection claim was not relied on. Instead, it was argued that health information falls within a special category of private information, where the nature of the relationship between patients and health professionals is such that there will always be a reasonable expectation of privacy and a de minimis threshold would not be relevant.[22] This latter proposition was an important point, because if accepted, it would mean that each claimant’s individual situation would not need to be examined and they would have the requisite ‘same interest’ in the action.
This argument was rejected by the judge, who concluded that not all patient-related information inevitably gives rise to a reasonable expectation of privacy.[23] There were a number of reasons given, including the fact that Article 8 requires a fact-sensitive analysis to examine whether or not it is engaged before a claim can be brought. Cases before the courts have supported the principle that there is a spectrum in relation to medical affairs, ranging from information that has not been made public and is serious (for example an HIV diagnosis) to information that is trivial, or already in the public domain (a photograph of sunburn).[24] The Claimant’s approach would also mean that health information that is publicly available would become private, without further assessment.[25] Some individuals had in fact posted on social media that they were grateful for the treatment they had received following the use of Streams, which had identified they had acute kidney injury.[26]
In a misuse of private information claim, the purposes for which the information is obtained are a relevant factor in the analysis of whether there is a reasonable expectation of privacy. In the present case, the Claimant argued that one of the ‘misuses’ was the enhancement of the Defendants’ commercial positions.[27] However, it was accepted by the judge that the Defendants had not used any patient-identifiable data for other projects, stating that “where an intended use of data did not in fact materialise post-transfer, then this would bear on the overall extent of the interference and the loss of control”.[28] The remaining ‘misuses’ cited by the Claimant were as follows: obtaining medical records where there was a contractual entitlement to use them for purposes other than direct care; storing them prior to the operation of Streams; and using them to research and develop Streams.[29]
In the circumstances, these were all rejected as being capable of being a ‘misuse’ for the purposes of a misuse of private information claim, because the evidence did not support the contention that these actions were not for the purposes of direct patient care.[30] The only scenario where the representative action could potentially succeed on a misuse claim was for the individuals whose medical records were accessible during the Streams clinical safety testing phase, but where they were not used to treat the individuals.[31] However, on the evidence, only the medical records of those patients who required treatment were accessed via the pre-launched Streams app.[32]
The judge concluded that there was not a realistic prospect of any member of the group action establishing a reasonable expectation of privacy in the use of their medical records, and further that it was not possible to find a ‘same interest’ for the claimants in the circumstances, or that a ‘misuse’ had occurred in relation to the medical records of every claimant in the group.[33] The claim was struck out and summary judgment entered in favour of the Defendants, bringing the action to an end.
The requirement for a ‘same interest’ in representative actions in the UK has created a damages conundrum in data protection and privacy claims. The decision of the Supreme Court in Lloyd led to other group actions being abandoned, notably, the litigation brought by the Children’s Commissioner for England against TikTok Inc.[34] Other attempts to bring misuse of private information claims for large-scale data protection breaches have not succeeded.[35] The introduction of the GDPR does not change this position, given that it is meeting the procedural requirement that has posed the greatest challenge. Whether or how a measure of damages can be established that satisfies the test for uniformity in data protection litigation is unclear, and as yet, it appears to be only regulatory action that can hold those unlawfully using personal data to account.
This article first appeared in the January 2024 issue of Business Law International (Vol 25, No 1), and is reproduced by kind permission of the International Bar Association, London, UK. © International Bar Association.
Copyright © 2016-2026 Melissa Stock. All rights reserved.
[1] General Data Protection Regulation (EU) 2016/679 (‘GDPR’); the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 No. 419 as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc)(EU Exit) Regulations 2020.
[2] The GLO procedure was used to pursue a group claim against British Airways Plc for a data breach in 2018, which occurred as a result of a cyberattack. The GLO is available here: https://www.judiciary.uk/wp-content/uploads/2022/07/Weaver-ors-v-British-Airways-PLC-sealed-order-1.pdf (accessed 27 September 2023).
[3] See Weaver & Others v British Airways Plc [2021] EWHC 217 (QB).
[4] For example, TikTok Inc settled a class action lawsuit for $92 million for collecting biometric data and using facial recognition data in its algorithms without consent from users. See the Plaintiff’s motion for preliminary approval of the class action settlement, available here: https://www.documentcloud.org/documents/20491862-plaintiffs-motion-for-preliminary-approval-of-class-action-settlement (accessed 27 September 2023).
[5] Paragraph 13 of Lloyd v Google [2018] EWHC 2599.
[6] Paragraph 6 of the judgment.
[7] Paragraphs 50, 58 and 80 of the judgment.
[8] The tort was established in Campbell v Mirror Group Newspapers Ltd [2004] UKHL 22. The factors that the court will consider when assessing a reasonable expectation of privacy were set out in Murray v Big Pictures (UK) Ltd [2008] EWCA Civ 446 and are often referred to as “the Murray Factors”.
[9] See Gulati & Ors v MGN Ltd [2015] EWCA Civ 1291. The Supreme Court refused an application from MGN Ltd for permission to appeal.
[10] The tracking took place before the General Data Protection Regulation ((EU) 2016/679) had taken effect and so the claim was based on the data protection legislation in effect at that time.
[11] Paragraph 150 of the judgment.
[12] Paragraphs 81 and 84 of the judgment.
[13] Paragraph 85 of the judgment.
[14] Paragraph 140 of the judgment.
[15] Paragraph 141 of the judgment.
[16] Paragraph 143 of the judgment.
[17] Paragraphs 144 to 148 of the judgment.
[18] DeepMind is owned by Google UK Limited.
[19] Paragraph 3 of the judgment.
[20] Paragraph 7 of the judgment.
[21] Paragraph 55 of the judgment. The Defendants did not agree with the ICO’s conclusions, see paragraphs 56 to 58 of the judgment.
[22] Paragraph 77 of the judgment.
[23] Paragraph 133 of the judgment.
[24] Paragraph 133 (iv) of the judgment.
[25] Paragraph 133 (vi) of the judgment.
[26] Paragraph 135 of the judgment.
[27] Paragraph 3(iv) of the judgment.
[28] Paragraphs 139 and 140 of the judgment.
[29] Paragraph 3(i) to 3(iii) of the judgment.
[30] Paragraphs 141 to 144 of the judgment.
[31] Paragraph 158 of the judgment.
[32] Paragraphs 150 to 153 of the judgment.
[33] Paragraphs 169 and 171 of the judgment.
[34] The applications made in SMO v TikTok Inc [2022] EWHC 489 (QB) outline the details of the attempted claim.
[35] See the cases Warren v DSG Retail Ltd [2021] EWHC 2168 (QB) and Graeme Smith & Others v TalkTalk Telecom Group Plc [2022] EWHC 1311 (QB) in the High Court.