A UK law firm, Mishcon de Reya, announced Thursday that it is bringing a representative suit against Google’s artificial intelligence (AI) subsidiary DeepMind Technologies over breach of data protection laws arising from DeepMind’s data-sharing arrangement with the Royal Free London National Health Service (NHS) Foundation Trust.

In 2015, DeepMind and the NHS announced a collaboration for developing an app for clinicians treating kidney disease. The idea was to streamline alerts and access to patient data for a faster and more accurate prognosis of acute kidney injury (AKI) by doctors and nurses.

However, when the data-sharing agreement was made public, it was revealed that DeepMind was gaining access to a wide-ranging scope of data including admissions, discharge and transfer, accidents, emergencies, critical care, pathology and radiology data. The NHS, which operates three hospitals in the UK and covers up to 1.6 million patients, would be sharing access to five years’ worth of historical medical records of patients without obtaining their knowledge or informed consent.

The UK data protection regulator, the Information Commissioner’s Office (ICO), in 2017 sanctioned the NHS for failing to comply with the country’s Data Protection Act. Although the app was employed by NHS royal trusts in the years since 2015, it was been discontinued over time. In August, Google announced that it will be decommissioning the app.

Mishcon’s representative suit is similar to a class-action lawsuit in the US and will have important ramifications for large scale access and use of health data by tech companies in a post-pandemic, post-Brexit UK. Ben Lasserson, the lead partner on the case, stated:

This important claim should help to answer fundamental questions about the handling of sensitive personal data and special category data…It comes at a time of heightened public interest and understandable concern over who has access to people’s personal data and medical records and how this access is managed.