A Data Deep Mine: Mishcon de Reya takes on Deepmind

October 14, 2021

2 min read

Sign up to our mailing list! 👇

What's going on here?

Law firm Mischon De Reya leads a class-action against Deepmind for its mishandling of NHS data.

What does this mean?

In 2015, the Royal Free NHS Trust partnered with Google’s sister company, DeepMind Technologies (DeepMind), to develop Streams, an app to alert clinicians to cases of acute kidney injury (AKI). Streams was an immense success, significantly cutting short the time needed to make AKI diagnoses.

In February 2016, however, a report by the New Scientist revealed that Streams had unlawfully provided DeepMind the confidential data of over 1.6 million patients, prompting a formal inquiry by the Information Commissioner’s Office (ICO). The ICO found that the trust did not adequately protect its patients’ privacy in the app’s development. Patients were not informed of the collaboration and the use of the data. The trust had no legal basis to provide patients’ sensitive information to the tech company under the Data Protection Act 1998. The ICO ordered the trust to better protect its patients’ privacy.

While the trust was subject to inquiry, no action was formally taken against DeepMind or Google on the matter until late September of this year. Mishcon de Reya (MdR) announced that it has filed a class-action suit against the two companies, a representative action made on behalf of its lead claimant, Mr. Andrew Prismall, and the 1.6m individuals affected. They claim the tech companies breached data protection law in receiving their confidential medical records.

What's the big picture effect?

In an era where personal data is a valuable commodity and tightly regulated, the fact that a giant technology company can obtain the data of 1.6m people without their consent or knowledge is alarming. Especially considering that the pandemic has made people keenly aware of and sensitive to matters concerning health, and given that the recent HSE ransomware attack in May has heightened public insecurities around medical confidentiality.   

The claim will also lead the way for class actions in consumer privacy protections as a viable means to redress victims of future breaches, particularly against powerful organisations. At the very least, how seriously technology companies take their responsibility in personal data protection can be scrutinised. It may lead to more control measures being necessary either internally or externally. Other companies could now look to strengthen their technological and organisational security measures to protect themselves from liability.

As for the 1.6m victims, there is presently uncertainty on whether compensation can be awarded in cases where little financial loss or distress is suffered – otherwise known as cases of “minor data protection breach”. MdR’s claim may provide justice in terms of compensation, but this is yet to be decided.

Ultimately, whatever the outcome of the claim may be, Mischon De Reya hopes it will answer “fundamental questions about the handling of sensitive personal data” within the UK.

Report written by Johan Faisal

Share this now!

Check out our recent reports!