Recent judgments have demonstrated the difficulties for claimants in sustaining mass opt-out claims against tech giants for data misuse. However, AI may offer a solution.
Under CPR 19.8 a claim may be pursued on an opt-out basis by a representative who has the same interest as the other claimants. Any judgment is then binding on all parties represented. The difficulty lies in showing that the representative has the ‘same interest’ as the rest of the group. In recent years, the appellate courts have twice engaged with representative claims for data misuse, with both cases resulting in victories for tech companies.
In Lloyd v Google the Supreme Court considered allegations that Google had tracked the activity of millions of iPhone users without their consent. The claimants said that Google had breached its duties under the Data Protection Act 1998. The Supreme Court held that the lowest common denominator between the claimants would have been an iPhone user who had clicked on a relevant website on a single occasion but had received no targeted advertisements as a result. It was impossible to characterise such damage as more than trivial. Refusing permission for the representative claim to proceed, the Supreme Court held the mere fact of data misuse did not give rise to damages.
In Prismall v Google, the Court of Appeal dealt another blow to representative claims. The claimants sought damages under the tort of misuse of private information for transfers by a hospital of patient medical data to Google and DeepMind. Again the appeal depended on whether there was a lowest common denominator of harm between the 1.6 million potential claimants. The Court of Appeal found that the claimants had no shared expectations of privacy. Indeed some within the class of claimants had publicly shared their medical data on social media. The claim was struck out.
The outcomes in Lloyd and Prismall emphasise just how difficult it is for a representative data misuse claim to succeed. The damages are likely to be related to distress or inconvenience, and their assessment seems to depend on circumstances individual to each litigant.
Under the Consumer Rights Act 2015 the above problems are avoided: competition law claimants can be awarded aggregate damages without the need for proof of individual loss. This feature may encourage litigants to shoehorn their causes of action into competition law ones but plainly this will not be possible for every situation.
There may be another way through.
Read more
An AI system could be trained on the data of claimants to provide an individualised rating and valuation for the damage caused by the relevant data misuse. The lowest common denominator between such claimants need not therefore be an arbitrary figure of the type rejected by the Supreme Court in Lloyd.
How would the AI system work? The technology involved would likely comprise a purpose-built ‘discriminative classifier’, which sorts and scores existing data, rather than a ‘generative model’, which creates new output. Consequently, it is unlikely that the AI systems envisaged here would be subject to the type of hallucination errors for which generative AI is known.
There would need to be relatively uniform data for each claimant, relevant to the harm said to have been suffered. Fortunately, for mass claims arising from data misuse, this step ought not to be particularly difficult: the misused data which is subject to the claim could provide the training data for the claimants’ own AI system. Such data must be of predictive value – otherwise the tech companies would not have taken it in the first place. For the initial group of claimants that data could be obtained at no cost via a subject access request under the GDPR.
Once the claimant data has been gathered, the AI system would need to be trained on different types of claimant in order for the gravity and effect of misuse to be calibrated. A human-led assessment and scoring metric could be applied to a sample of the claimant data, which might then be used to create a model capable of predicting values for new, unseen data.
Finally it would be necessary to plead a representative claim with sufficient specificity so as to include only the class of claimants whose claims overcome a scoring threshold established by the deployers of the AI system, whether in terms of the sustainability of the cause of action, viability under CPR 19.8, or for any higher economic threshold determined by the group’s funders.
There is precedent for AI systems being employed by claimants to generate evidence of wrongdoing and harm: in Allianz Global Investors & Others v Deutsche Bank & Others, a multibillion dollar follow-on damages claim arising from an alleged forex cartel. Possibly for the first time in any civil litigation, the claimants sought to plead and prove their case using an AI system. They claimed to have trained a machine learning algorithm based on around 500 alleged ‘known instances’ of wrongdoing. The author of this article acted for a group of the defendant banks. The claim settled in early 2023 so we do not know what the outcome would have been but as a proof of concept it remains important, and could well be of wider significance.
We generate a wealth of data each time we use our phone or web browser, enabling tech companies to build extraordinarily detailed profiles, developing insights about aspects of our behaviours that we may not have known ourselves. The data collected is the product of billions of dollars of investment. Why not leverage that same information to facilitate legal claims where the data is misused?
Ironically, the same AI technology which is now frequently the cause of mass data misuse may also provide a solution for litigants.
Jacob Turner is a member of Fountain Court Chambers. He is the author of Robot Rules: Regulating Artificial Intelligence
No comments yet