Andrew Prismall v Google UK Limited & Anor

The Representative Claimant brought a CPR 19.8(1) representative action for misuse of private information (MOPI) on behalf of a class of approximately 1.6 million patients whose Royal Free medical records were transferred to DeepMind/Google. The Defendants applied to strike out and for summary judgment under CPR 3.4(2)(a) and CPR 24.2.

Legal principles: the tort of MOPI requires (1) a reasonable expectation of privacy and (2) that the expectation is not outweighed by countervailing factors. Representative claims under CPR 19.8(1) require the representative to have the "same interest" as those represented; Lloyd v Google established limits on representative damages claims where the compensatory principle requires individualised assessment.

Key reasons for decision: the claimant pursued a "lowest common denominator" approach confined to non‑individualised, per capita loss of control damages. The court held that, judged on the irreducible minimum circumstances common to every class member (for example a single hospital attendance with only limited/anodyne HL7 data transferred, secure storage, no access and no distress), no member of the class had a realistic prospect of establishing a reasonable expectation of privacy above the de minimis threshold or of obtaining more than nominal loss of control damages. Because liability and the remedy would, in practice, require individualised assessment, the representative route could not succeed. The claim form and particulars were struck out and summary judgment entered for the Defendants.

This claim arose from a one‑off historical transfer (October 2015) and a contemporaneous live feed of Royal Free patient‑identifiable records to DeepMind/Google. The Representative Claimant pleaded misuse of private information arising from obtaining, storing and using the records (including during development and testing of the Streams app) and sought loss of control damages on behalf of a class identified under CPR 19.8(1).

Parties and posture: the Representative Claimant (Andrew Prismall) sued Google UK Limited and DeepMind Technologies Limited; LCM Funding UK Limited was added as interested party for costs. The Defendants applied to strike out the particulars under CPR 3.4(2)(a) and for summary judgment under CPR 24.2; no defence had been filed.

Issues framed by the court:

• whether the statement of case disclosed a realistic prospect of establishing MOPI across every member of the class (reasonable expectation of privacy and unlawful interference) when advanced on a lowest common denominator basis;
• whether loss of control damages could be awarded on a uniform per capita basis without individualised assessment;
• whether any other compelling reason existed to allow the claim to proceed to trial; and
• whether leave to amend to a narrower class should be afforded if the present claim failed.

Court's reasoning (concise): the judge accepted the applicable legal tests for strike out/summary judgment and for MOPI, and considered the effect of Lloyd v Google. The claimant had abandoned any attempt to recover individually differentiated damages and confined the claim to an irreducible minimum common scenario. The court asked whether every represented person, judged on that common minimum, had a realistic prospect of establishing a reasonable expectation of privacy and more than trivial loss of control damages. Applying the Murray factors and taking into account the nature and limited content of HL7 messages, the secure storage, limited or no access prior to deployment, the concept of direct care and the ICO findings, the judge concluded that the common minimum was anodyne and would not cross the de minimis threshold. The compensatory principle therefore prevented the representative damages claim from succeeding. The judge declined to permit further amendment, observing that the difficulties were inherent in the representative approach and that a substantially narrower and different pleadings exercise would be needed. The claim was struck out and summary judgment entered for the Defendants.

Procedural note: an earlier statutory data protection representative claim using the same class had been discontinued following Lloyd.

The claim form and particulars of claim are struck out and summary judgment is entered for the Defendants. The court held that the representative claim could not succeed because, on the irreducible minimum common facts applicable to every class member, no individual had a realistic prospect of establishing a reasonable expectation of privacy above the de minimis threshold or of obtaining more than nominal loss of control damages; consequently the compensatory principle required individualised assessment and the representative route was not available in the form advanced.