In November 2021, we wrote about the Supreme Court’s decision in Lloyd v Google  UKSC 50 to allow Google’ s appeal on the basis that a representative claim under the Data Protection Act 1998 could not succeed because it necessitated individualised assessment of damages.
In Prismall v Google UK Limited and Deepmind Technologies Limited  EWHC 1169 (KB), a new claimant tried a new approach. Where the claim in Lloyd had failed because although the Court could “see no legitimate objection to a representative claim brought to establish whether Google was in fact in breach of the DPA 1998” (para 84) the Claimant sought damages for each class member on what was described as a “uniform per capita basis” (para 86), by which he meant that an award could be made to reflect the seriousness of the breach, without the Court hearing evidence of each individual’s lack of consent or knowledge or the effect on each individual. However, the Court noted that it is not enough under the 1998 Act to prove a breach by a data controller. Rather, an individual must suffer damage, or in some circumstances distress, as a consequence of the breach of duty. Needing evidence from each individual, the representative claim necessarily failed.
Mr Prismall on the other hand did not bring a statutory claim. Rather, he advanced a claim for misuse of private information:
“the loss of control over their private information is common across the entire Claimant Class such that the Representative Claimant and each other member of the Claimant Class accordingly have the same interest for the purposes of loss of control damages”
The Court noted that it is well established that there is a de minimis threshold which must be overcome before liability for misuse of private information can arise (para 69). Furthermore, for the tort of misuse of private information to be established, subject must have a reasonable expectation of privacy which depends on many factors including whether something is already in the public domain (para 68). In the context of medical information, as was the case in Prismall, “the nature of the medical information in question will impact upon the level of appropriate compensation” (para 76).
The Court held that loss of control damages did not inevitably involve individualised assessment, but that in many cases the damages would be below the de minimis threshold.
The Court concluded that “approaching matters on a lowest common denominator basis and leaving the individualised factors out of account, it cannot be said of any member of the Claimant Class that they have a viable claim for an entitlement to more than trivial damages” (para 176). Accordingly, the claim was struck out.
A monthly data protection bulletin from the barristers at 5 Essex Chambers