Lead Article - From Selling Fruit in Covent Garden to Screening Kidneys by Google Deepmind: The Latest in Non-Competition Opt-Out Class Actions in England

Class actions are a well-established part—if not one of the most sensationalized and globally recognized features—of American litigation. Since Rule 23 of the Federal Rules of Civil Procedure was promulgated almost 90 years ago, class actions have become a staple of US civil litigation, touching on all facets of private and public life from securities to mass torts to civil rights and discrimination litigation, with well-developed case law defining the contours of all aspects of class action proceedings from certification to settlement approval, notice, and distribution.

    However, despite considerable similarities in legal and sociopolitical heritage, England has never adopted a similar regime for collective redress. It was not until the Consumer Rights Act 2015 that “opt-out” collective actions created a mechanism for bringing opt-out collective actions for (only) competition claims. Even then, case law in England has been slow to develop—the Competition Appeal Tribunal (the specialist tribunal set up as the first instance court for such claims) certified its first case in August 2021 in claims against Mastercard for anti-competitive conduct in relation to interchange fees (Merricks v Mastercard Incorporated & Ors, [2021] CAT 28). The first settlement was not approved until December 2023 for certain (lesser-involved) defendants in vehicle shipping cost claims (Mark McLaren Class Representative Limited v MOL (Europe Africa) Ltd & Ors, [2023] CAT 75). And the first (and to date, only) liability trial did not take place until 2024 for claims against BT (the British telecommunication group), which were dismissed (Le Patourel v BT Group PLC & Anor, [2024] CAT 76). It is noteworthy the English courts did reach across the Atlantic for jurisprudential inspiration in adopting Canadian case law on the approach to assessing certification, such as the test for commonality—see Mastercard v Merricks, [2020] UKSC 51, applying Pro-Sys Consultants Ltd v Microsoft Corpn [2013] SCC 57. But unlike in Canada, where provincial class proceeding statutes set out rules similar to those in Rule 23, nothing analogous exists in England.

    This has not stopped claimants (and their funders) in England from trying to achieve classwide relief [?], and the English courts have had to contend with numerous attempts to bring collective opt-out actions under long-standing civil procedure rules in England created over a century ago. This article takes a look at recent attempts to use centuries-old procedural rules to support class actions arising from modern life, particularly claims in the data breach and privacy area, and identifies areas of risk and potential developments for these claims in England.

CPR 19.8 – Representative Actions.
There is no equivalent to Rule 23 in England. The closest to an opt-out class action is Rule 19.8 of England’s Civil Procedure Rules. Rule 19.8 provides for “representative actions.” The rule does not set out any prescriptive test, requirements, or detailed procedural framework. CPR 19.8 states in relevant part: “19.8 (1) Where more than one person has the same interest in a claim –(a) the claim may be begun; or (b) the court may order that the claim be continued, by or against one or more of the persons who have the same interest as representatives of any other persons who have that interest.”

    The rule has existed in largely the same form since the time of Queen Victoria (mid- to late 1800s), when it was formulated as follows: “Where there are numerous parties having the same interest in one action, one or more such parties may sue or be sued, or may be authorized by the court to defend in such action, on behalf or for the benefit of all parties so interested.” Judges wrestled for the better half of a century over whether this rule can be used for claims in common law (e.g., a tort) and equity (e.g., asserting a beneficial or proprietary right). The question was mostly settled in 1901 (answer: yes, it can). Six individuals sued the Duke of Bedford, who owned Covent Garden Market in London, “on behalf of themselves and all others the growers of fruit, flowers, vegetables, roots or herbs” to enforce rights under the Covent Garden Market Act 1828 to stalls in the market and sought declarations and injunctions. Lord Macnaghten (of Salomon v A Salomon & Co Ltd. fame) confirmed that the rule remains “very much as it was a hundred years ago . . . a simple rule resting merely upon convenience” and “it was better . . . to go as far as possible towards justice than to deny it altogether” as those suing on behalf of themselves and all others were “in a sense . . . before the court”. Similarly, in Taff Vale Railway Co v Amalgamated Society of Railway Servants [1901] AC 426, 443, Lord Lindley declared that “[t]he principle is as applicable to new cases as to old, and ought to be applied to the exigencies of modern life as occasion requires.”

    Yet English judges continued to find difficulties dispensing justice en masse, with a particular reluctance to award damages (an ad personam right) on a representative claim because of the requirement to assess damages individually. As Fletcher Moulton LJ expressed in Markt & Co Ltd v Knight Steamship Co Ltd [1910] 2 KB 102, “no representative action can lie where the sole relief sought is damages, because they have to be proved separately in the case of each plaintiff, and therefore the possibility of representation ceases.”

    A century later, claimants continue trying to overcome this barrier of individualized damages assessment in representative actions through creative approaches to pleading and refining class definitions. Data protection claims are the latest attempt.

Lloyd v. Google
The first major modern case to test CPR 19.8 in data protection claims is Lloyd v Google. Richard Lloyd brought a claim on a representative basis against Google claiming Google breached section 4(4) of the Data Protection Act 1998 (“DPA”) when its “Safari Workaround” allegedly used its “DoubleClick cookie” to track iPhone users’ activity (browser generated information or “BGI”) between August 2011 and February 2012 without users’ consent, selling that data to advertisers. The purported class was all iPhone users in the U.K. during that period. He estimated that there were 4 million such users.
At the trial court level, the High Court ([2018] EWHC 2599 (QB)) found for Google. In the judge’s view, the claimants in the represented class did not have the “same interest” because the breach and damage for each claimant would vary depending on individual variations, e.g., each user’s volume of activity (and BGI taken) and the categories of data taken.

    The Court of Appeal unanimously reversed the High Court ([2019] EWCA Civ 1599). The Court of Appeal concluded that the trial level judge had applied the “same interest” test too “stringently” and held that it was sufficient that the claimants sought to be represented all had their BGI (i.e., something of value) taken by Google without their consent in the same circumstances during the same period, making the matter “more straightforward.” The represented class members are “all victims of the same alleged wrong, and have all sustained the same loss, namely loss of control over their BGI.” Importantly, the Court of Appeal noted the claim was formulated in a manner where any individual variation was expressly disavowed—i.e., there was no reliance on unique facts affecting any individual represented claimant. The effect is that the damages claimed for each represented claimant is the “lowest common denominator” across the class. The loss will be small, but not nothing.

    The Court of Appeal further exercised its discretion in favor of the claimant, in part because a representative action was in practice the only way these claims could be pursued and the only way to hold Google accountable for “what looks like clear, repeated and widespread of breaches.” No other remedy was available. This was not disputed.

    At the Supreme Court, Lord Leggatt (writing for the unanimous court) reversed the Court of Appeal and restored the trial level judge’s decision finding against the claimant. The Supreme Court held that a representative claim could not succeed because it was necessary in order to recover compensation to show that an individual had suffered material damage or distress as a result of the unlawful processing of their data. In deciding the quantum of damages, individual evidence would be needed such as how long Google tracked that individuals’ browsing activity, the quantity of data unlawfully processed, whether any of that person’s information was sensitive or private, and what use Google made of it and for what commercial benefit. The claimant’s strategy—of claiming only the “lowest common denominator” and disavowing any individual facts—meant, in the Supreme Court’s view, that the “lowest common denominator” fell too low (i.e., it was zero). That was because, without relying on any individual iPhone user’s facts, the “lowest common denominator” in the class definition was someone whose internet usage – apart from one visit to a single website – was not illicitly tracked and collated and who received no targeted advertisements as a result of receiving a DoubleClick Ad cookie. The court considered it “impossible to characterize such damage as more than trivial.” The court, however, left open the door that in a future suitable claim, damages may well be bifurcated from liability, with liability being determined on a representative basis. But Mr. Lloyd did not pursue his claim that way.

Prismall v. Google & Deepmind
The latest attempt to bring a representative action for data rights violations was by one Andrew Prismall seeking to bring a claim for himself and on behalf of what was said would be over 1.6 million individuals in England. The claims were on behalf of patients at certain hospitals, which had shared patient data under a commercial agreement with Google and Deepmind for the development of the “Streams” health application, which was intended to be used to identify and treat patients suffering from acute kidney injury.

    Unlike the claim in Lloyd, Mr. Prismall’s claim was not based on the data protection statute, but on the tort of misuse of private information. This required the claimant to show that he had, objectively, a reasonable expectation of privacy, taking into account all the circumstances of the case, i.e., the expectation of a reasonable person of ordinary sensibilities placed in the same position as the claimant and faced with the same publicity.

    At first instance, the judge granted Google and Deepmind’s application for strike out and reverse summary judgment and denied Mr. Prismall the opportunity to amend. The judge found that there was no real prospect of success for the “lowest common denominator” claimant, whom the judge described as a patient who attended those hospitals and whose medical data was transferred to Google, but who also published relevant information on social media—and therefore, there was no reasonable expectation of privacy.

     The Court of Appeal handed down its judgment on December 11, 2024, unanimously dismissing Mr. Prismall’s appeal. The Court of Appeal held that, in terms of the “lowest common denominator” claimant, there could be a patient who had a medical note containing the characteristics of data concerning health, who then proceeded to share that relevant information on social media, such that there was no reasonable expectation of privacy. The example the court noted was a patient who posted on social media saying, “I went to Chase Farm hospital (the patient had attended a healthcare provider); with a suspected broken leg (the nature of the medical issue); where the doctor examined the leg but it is only bruised (the diagnosis and test); so I was given a painkiller (the treatment carried out).” Google’s counsel pointed, as an example, to Mr. Prismall’s own interview with a newspaper about his kidney transplant to seek support from local football fans to sign up to the organ donor register as an example of how he could not reasonably expect privacy about his medical treatment. The court described Google’s reliance on Mr. Prismall’s “altruistic behavior” as “not attractive,” but the court nonetheless said it, “illustrates the difficulties . . . of coming at justice in a digital case involving numerous potential claimants.”

    The Court of Appeal referred to Lord Leggatt’s statements in Lloyd v Google that a bifurcated process (liability/damages split) was possible. The court expressly noted that such bifurcation was not proposed in Mr. Prismall’s case. The court also alluded to the economic realities of the claim: there may be a sub-group of the class—namely those who attended the radiology departments and those who had blood tests—whose claims may proceed. The court asked claimant’s counsel whether he would continue with only that subset. Mr. Prismall did not seek such an order, and it was suggested by Defendants’ counsel that this was because the smaller class would make the claim economically unviable.

What’s Next?
English courts have commented for over a century that the representative action procedure should be adapted for the realities of the modern information age and used for the convenience of justice. There has been significant development in this area of law from the disgruntled market tenants of Covent Garden. But the practical reality is that the succinctly worded “same interest” requirement (drafted over a century ago), taken literally and strictly, has resulted in a reduction of claims to the “lowest common denominator,” which lawyerly creativity can always use to conjure a hypothetical class member who falls below a trivial level of damages or fails an element of the cause of action. The economic reality that litigation funders in England are generally only permitted to earn a return or multiple of funding provided (as opposed to a percentage of damages)—combined with the absence of jury trials—has also meant that only claims with a sufficiently large base case of likely damages capable of meeting the funder’s multiples requirement (often ranging from 3-8x or more) can get off the ground. A bifurcated process may not be palatable to funders, who must fund and bear the risk of a substantial liability trial only to enter a laborious and uncertain process of individual quantum assessments.

    Absent legislative reform, data rights claims will remain difficult to bring on an opt-out basis in England outside the competition law context (although there are ongoing certified opt-out claims concerning how large technology companies collect and use data in an anti-competitive manner, see e.g., Gormsen v Meta Platforms, Inc. & Ors, [2024] CAT 11).

    The focus is likely to turn to areas where there is significant and readily quantifiable financial harm to a well-defined and limited class. For example, the Court of Appeal has recently found for individual claimants against car dealers who received undisclosed commissions from car finance providers for arranging financing for car buyers (the Supreme Court will hear the appeals in April 2025). If individual claims are upheld, representative actions are a likely vehicle for bringing those claims.

    Another potential area involves shareholders who can bring claims under Section 90A Financial Services and Markets Act 2000 (“FSMA”) against listed companies that publish information to the market (annual reports, press releases) containing misleading statements or omissions. There are also claims available pursuant to Section 90 FSMA against publicly listed companies that make misleading statements or omissions in listing particulars, which have a lower threshold. English claimants and courts may well borrow from US securities class actions in this regard. This may also be an increasingly active area given the increasing trends for London-listed companies to be taken private, often by Asian, Middle Eastern, and North American sovereign wealth funds and private equity. The manner in which such transactions are negotiated and executed will be closely scrutinized. Similarly, claims for misleading representation by funds or companies about “ESG” credentials (e.g., in prospectuses or other marketing documents) may give rise to collective claims with a class that is readily identifiable and with losses that are more readily quantifiable.

    The English class action regime is still in its infancy, although it is arguably approaching adolescence with growing pains. Without any serious legislative efforts on the horizon to create general opt-out class actions, the Victorian “representative action” procedure is likely to continue to be the “shoehorn” for wide-ranging claims from securities class actions to data misuse claims. Given the latest Google cases and market trends, the focus may well turn from data claims to financial markets claims, with English claimants likely drawing inspiration from the US’s deep history and experience. In the class action area, as Oscar Wilde quipped, imitation may well be the sincerest form of flattery.