Unauthorized Use of Personal Data: Google and DeepMind

ByDeepMind
Unauthorized Use of Personal Data: Google and DeepMind

Misuse of Private Information: The Prismall v Google Case

Overview of the Case

On December 13, 2024, the Court of Appeal delivered a judgment concerning a representative action against Google UK Limited and DeepMind Technologies Limited. The case, Prismall v Google UK Ltd [2024] EWCA Civ 1516, involved a claim made by Mr. Prismall on behalf of approximately 1.6 million individuals regarding the misuse of private information. The main issue was whether the lower court correctly struck out the representative claim for misuse of private information.

Background Details

The claim stemmed from the transfer of patient-identifiable medical records from the Royal Free London NHS Foundation Trust to Google and DeepMind between October 2015 and September 2017. The data was utilized to develop an application known as "Streams," aimed at identifying and treating patients with Acute Kidney Injury. In addition to direct patient care, both companies were permitted to use this data for broader commercial purposes.

Initial Court Findings

The initial ruling indicated that the lowest common denominator member of the class—representing the simplest case for a claimant—did not possess a realistic chance of demonstrating a reasonable expectation of privacy over their medical records. The judge concluded that, for the vast majority of those represented, there was insufficient evidence to suggest that they had a legitimate claim.

Grounds of the Claim

Mr. Prismall’s claim highlighted several key points of misuse of personal information by Google and DeepMind:

  1. Obtaining Medical Records: The transfer of patient-identifiable data took place under an Information Sharing Agreement that extended beyond direct care.
  2. Data Storage: Medical records were stored prior to the operation of the Streams app.
  3. Research and Development: The data was used during the research phase and development of the Streams application.
  4. Commercial Prospects: Medical records were also used to enhance capabilities for future commercial ventures.

The claim sought damages primarily for the loss of control over these private medical records.

Legal Considerations

The tort of misuse of private information involves two critical stages:

  1. Expectation of Privacy: Determining whether a claimant has a reasonable expectation of privacy in the relevant information.
  2. Balancing Interests: Weighing the claimant’s expectation of privacy against the defendant’s legitimate interests.

Drawing on Article 8 of the European Convention on Human Rights (ECHR), which affirms the right to privacy, the case also referenced earlier decisions emphasizing the confidentiality of health data.

Questions Before the Court

The Court addressed several vital questions, including:

  1. Whether the lowest common denominator claimant had a legitimate claim for misuse and reasonable expectation of privacy concerning their medical records.
  2. The appropriateness of the judge’s definition of "direct care."
  3. If the judge correctly identified the lowest common denominator claimant’s situation.
  4. If the inclusion of "upset or concern" was relevant.
  5. Whether Mr. Prismall should have been allowed to amend his statement of case.

Court’s Ruling

Ultimately, the Court dismissed the appeal against the lower court’s decision to strike out the claim. The core requirement for such a representative action, as per Civil Procedure Rules, is that the representative must have the same interest as those they represent. If any member of the class cannot establish a claim, then the collective interest requirement fails.

Significant Findings

  • Expectation of Privacy: While medical information is typically private, the case revealed that not every instance of disclosed medical information inherently carries that expectation. For example, patients may share their hospital visits publicly, which could negate their reasonable expectation of privacy.
  • Threshold for Claims: The Court emphasized the challenges posed by taking collective legal action in privacy cases, citing that not all medical interactions provide grounds for valid claims.

This case illustrates the complexities surrounding the misuse of private information and the legal thresholds required to establish such claims in representative actions. It sheds light on how privacy is safeguarded—or potentially compromised—in the realm of modern healthcare technology and data sharing.

Please follow and like us:
error
fb-share-icon
Tweet
fb-share-icon

Related