Google’s AI division, DeepMind, has emerged victorious once again as a London court dismissed a class-action lawsuit filed against the tech giant. The lawsuit, which sought compensation for the misuse of National Health Service (NHS) patients’ medical records, highlights the challenges faced by privacy-related class-action claims in the UK.
The claimant aimed to bring a representative action on behalf of approximately 1.6 million individuals whose medical data had been shared with DeepMind without their knowledge or consent. The data was provided by the Royal Free NHS Trust for the development of an app to detect acute kidney injury. However, the UK’s data protection watchdog later determined that the Trust had not met the legal requirements for such data processing.
In the ruling issued by the Royal Courts of Justice, Justice Heather Williams concluded that the case did not meet the necessary criteria for a representative action. To qualify, the claim should be based on general circumstances applicable to the entire class rather than individual circumstances. The court found insurmountable challenges in establishing a viable claim due to significant variations among class members, making it difficult to identify common circumstances.
The claimants attempted to overcome this hurdle by seeking “lowest common denominator damages” for each class member, representing the minimal harm suffered by all. Nonetheless, the court found numerous relevant variables and deemed it impractical to redraw the class in an attempt to establish a viable claim. Justice Williams emphasized the inherent difficulty in identifying a viable claim for class members based on common circumstances.
The law firm representing the claimant has not provided a response or comment regarding the ruling at the time of writing.
A spokesperson from Google DeepMind welcomed the court’s decision, asserting that the claim was baseless and lacked merit.
This is not the first instance where a class-action privacy damages claim against Google has faltered in the UK. In 2021, the Supreme Court blocked another representative action relating to Google’s alleged circumvention of iPhone users’ privacy settings in Apple’s Safari browser. The recent dismissal follows an earlier attempt by the claimant to bring a representative claim under UK data protection law, which was abandoned following Google’s Supreme Court victory.
Unfortunately, pursuing individual legal claims for damages remains prohibitively expensive, leaving limited options for UK citizens seeking redress for data misuse. The absence of a clear and low-risk route for class-action litigation over privacy breaches creates significant challenges for individuals to hold entities accountable for data misuse.
In contrast, the European Union is introducing legislation to empower consumers in seeking collective actions and pursuing damages for breaches of their rights. The Collective Redress Directive, set to take effect soon, aims to bolster consumer rights and enable representative actions. Additionally, upcoming changes to EU product liability rules will facilitate claims for damages caused by software and AI systems, including privacy breaches. Recent judgments by the Court of Justice of the EU also establish that breach compensation claims do not require a specific harm threshold within the EU’s data protection framework.