Data Privacy and Security

Q1

What are the biggest takeaways you have regarding data breach class actions in 2025?

Data-representative class actions have existed in France for more than nine years now. Initially aimed at obtaining injunctive measures only, their scope was extended in 2018, 18 months after their introduction into French law, when France adopted the Data Protection Act in light of the GDPR, to allow redress measures.

Despite the growing importance of data protection and security concerns in our society, only two data class actions have been brought so far. One of these class actions was declared inadmissible in late 2024 by the Paris Judicial Court, which held that the association did not represent a class of data subjects in a similar situation.

How to explain this? Class actions are a very long route to obtain injunctive relief, while consumer associations may lodge complaints before the French Data Protection Authority, CNIL, on behalf of data subjects to that very end.

Compensation issues may have also hindered the introduction of data class actions. As reflected by the decisions of the Court of Justice of the European Union (CJEU) handed down in 2023 and 2024 on the right to compensation under the GDPR, the compensation regime and compensable losses were tricky issues. The CJEU has answered some questions, clarifying that any non-material damage may be compensated, whatever its degree of seriousness, provided it is proven, but its case law is still in development.

Q2

What are the biggest trends you see affecting 2026 and beyond, and how can companies prepare?

As our world has grown more connected and digitalized, smart, data-driven devices – including those that form the Internet of Things (IoT) – have become more prevalent. In parallel, cyber threats have escalated in scale and complexity. To address this, the EU legislator started factoring the cyber and AI-related risks into its product-related pieces of legislation, and late 2024/early 2025 was a very prolific period in that respect. The increased liability risks that the reshaping of the applicable legal framework has created are accentuated by the fact that EU Directive 2020/1828 is now transposed into French law, making it possible for consumer associations to initiate a cross-border representative class action on related topics. To mitigate risks, businesses should take proactive and well-documented steps to ensure compliance with data, AI, and cybersecurity-related regulations. This may serve as critical evidence to show that due diligence was exercised throughout the product’s lifecycle and facilitate defense.

Contributors

Q1

What are the biggest takeaways you have regarding data breach class actions in 2024?

2024 saw a continuation of the key structural issue going to the heart of Data Security class actions: how can they proceed proportionately when the value of individual claims is low? 

English court rules provide two main class action frameworks: an ‘opt-out’ structure (the “representative claim”) and an ‘opt-in’ structure (the “group litigation order” or “GLO”). Both have been dealt difficult blows in 2024.

Down and out for opt-out claims

Another potential door for mass opt-out claims was slammed shut in 2024 with the Court of Appeal’s decision in Prismall v Google.

Against the background of the Supreme Court’s seminal Lloyd v Google decision, data-related representative claims faced an uphill battle. An alternative claim for ‘misuse of private information’ seemed to provide a way of sidestepping that decision. In Prismall, however, the Court of Appeal commented that “a representative class claim for misuse of information is always going to be very difficult to bring”. Even in Prismall, involving alleged misuse of medical data — data that most people generally consider private — a key flaw in the claim was that medical data is not necessarily private in all cases. These issues require individual assessment; and such assessment is fundamentally incompatible with an ‘opt-out’ claim. 

These issues pose particular problems for would-be claimants, as representative actions offer the best potential economic returns for claimant-side funders and firms, since individuals do not actively need to sign up to the claim. It is now difficult to see how such claims can continue. 

A no-go for GLOs

The alternative structure — an ‘opt-in’ GLO — has seen its own difficulties too. This structure is built for testing common issues across numerous individual claims. It comes with a procedural framework that can assist claimants, e.g. around selecting a lead law firm, establishing a group register, and publicizing the group action. 

However, the track record of cases going through the courts has shown that GLOs are difficult to pursue in the data context, where claims are generally brought for distress and therefore involve very individualized issues and low levels of damages. Group litigation involves significant upfront costs to establish the group structure, the register of individual claims, etc., which raises real proportionality concerns. 

Opt-in claims: a way through? 

The trend of data class actions going through the English courts over the last year or so has shown a move away from the structured GLO approach, in favor of claims brought simply as a combination of individual claims without any formalized structure, often with a sample of individuals chosen as ‘lead claimants’ whose claims will be tested first to provide guidance for the remaining cohort (the ‘lead claimant model’). That approach has been used in other contexts for many years, and we now see it making headway in the Data Security landscape. 

Even in those cases, however, it remains difficult for claimants to apply the necessary elements of a data claim across the group – as the High Court’s February 2024 decision in the Equiniti litigation showed. The High Court struck out the overwhelming majority of the claims on the basis that they had no prospect of establishing the necessary aspects of the claims for GDPR breaches and misuse of private information. 

These developments in 2024 show that Data Security class actions in England & Wales continue to be difficult ground for would-be claimants. 

Q2

What are the biggest trends you see affecting 2025 and beyond, and how can companies prepare?

Building on our 2024 takeaways, 2025 is likely to see alternative approaches to get Data Security claims off the ground. It is helpful here to distinguish two broad types of data claims: (1) complaints about business-as-usual processing being in breach of data laws or other private rights; and (2) claims arising out of specific events, such as cyberattacks or other security incidents. 

General processing claims 

Even the alternative combined claims approach / lead claimant model we have described above requires large numbers of individual users/consumers to sign up for the claim and assert damages they have suffered by the relevant processing (generally: distress). We expect to see claimants approaching these types of claims, in particular, in novel ways, using different legal rights and mechanisms to air these issues. 

One such example is the competition law angle. True opt-out class actions are permitted under English law for competition law claims (and, as things stand, for competition law claims alone). Collective claims in the Competition Appeal Tribunal have seen a big uptick in recent years and show no signs of slowing down, not least because the opt-out structure is the most beneficial for claimant firms and funders. There are some early indications of attempts to use this more well-established route for Data Security class actions, and that may well continue into 2025. Such claims would involve abuses of dominant market position, which is more likely to impact larger data controllers where such dominance will be easier to establish, but there could well be similar issues in smaller, more specific markets with major operators. Any organization that might face these types of allegations should prepare by being aware of the competition law context in which it operates and considering data security issues holistically as part of its overall compliance and risk mitigation approach.   

Incident claims 

In the second type of claims above — arising out of specific security incidents — we expect to see more of a push toward informal combined claims bringing together multiple claimants. The combination increases the overall claim value and allows the claims to be brought to the High Court (whereas individual claims on their own would likely be conducted in the ‘small claims’ track where cost recovery — and incentive for claimant firms — is limited).
 
In those situations, identifying individuals who might be willing to bring a claim is easier, as they are the individuals affected by the incident itself. Despite the challenges facing mass data claims generally, claims in this space remain common. Moreover, without the formality of a GLO (which requires court approval and significant start-up cost), it is easier to get these claims started and we could see complaints move more quickly into formal legal proceedings. Claims could also proliferate without one specific claimant law firm leading the charge for a representative claim or GLO. 

However, issues of proportionality and procedural hurdles remain. Any organization faced with such claims should raise any structural and procedural concerns early on as part of its defense strategy.

Funding

No look-ahead to 2025 would be complete without a word on funding. The Supreme Court’s 2023 PACCAR decision looms large over all English class actions; the funding industry continues to face uncertainty, with heralded legislative intervention still awaited. 

The Supreme Court held that a commonly used form of litigation funding arrangement was a damages-based agreement, and thereby needed to comply with relevant rules applying to such agreements — contrary to widely held views across the funding industry. Failure to comply with those rules leaves the funding agreement unenforceable. 

The true impact of this decision on existing funding agreements remains to be seen, with a further Court of Appeal decision on the issue expected later this year, alongside a wide-ranging regulatory review by the Civil Justice Council scheduled for summer 2025. 


Q1

What are the biggest takeaways you have regarding data breach class actions in 2025?

2025 highlighted that cyberattack victims face an attendant risk of litigating disputes against multiple types of plaintiffs in multiple venues. Suits brought against cyberattack victims’ customers also highlight the importance of indemnification provisions, clear limitations of liability, and confidentiality provisions in B2B contracts.

In 2025, data breach class actions soared and targeted both cyberattack victims and, increasingly, their downstream customers whose data was impacted. Plaintiffs’ counsel frequently file separate suits on behalf of individuals whose information was purportedly impacted – often within days of initial Notice of Data Breach mailings. Increasingly, plaintiffs’ counsel file in a single federal jurisdiction, resulting in fewer multi-district litigations. Certain plaintiffs filed in state court to avoid related federal litigation, forcing litigation on multiple fronts. A different set of plaintiffs also cropped up: corporate entities claiming their businesses were disrupted and they suffered financial loss following a third-party cyberattack. In re: Change Healthcare Customer Data Sec. Breach Litig., MDL No. 3108 (D. Minn.) (“Provider Track Plaintiffs” alleging damages when Change Healthcare temporarily paused healthcare transaction services after a cyberattack). 

Key decisions. Courts allowed certain common-law claims to survive motions to dismiss, while more readily dismissing state statutory claims. See, e.g., Order, Crowe v. Managed Care of N. Am. Inc., 23-61065-CIV (S.D. Fla. Jan. 21, 2025) (denying motion to dismiss certain negligence and contractual claims based on more particularized allegations that defendants failed to safeguard data, after previously dismissing negligence and all statutory claims); MDL Order No. 23, In re MOVEit Cust. Data Sec. Breach Litig., MDL No. 23-md-3083-ADB-PGL (D. Md. July 31, 2025) (denying motion to dismiss negligence, third-party beneficiary contract, and unjust enrichment claims).

Two closely-watched class certification decisions were reversed. In Brinker, the Eleventh Circuit had upheld plaintiffs’ damages model and found that dark web posting established both present and substantial risk of future injury sufficient to confer standing, but it remanded the case to clarify the class definition and predominance analysis. Green-Cooper v. Brinker Int’l, Inc., 73 F.4th 883 (11th Cir. 2023). On remand, the district court narrowed the class to only those who “experienced fraudulent charges or had data posted on the dark web in connection with the data breach” – not those whose information was merely “accessed.” Theus v. Brinker Int’l, Inc., No. 3:18-cv-6866-TJC-MCR (M.D. Fla. June 27, 2025). It then denied class certification, finding individual questions predominated, including whether each class member experienced fraudulent charges, had their data posted on the dark web, or spent time or money mitigating harm. Id. This decision stresses that (i) the existence of damages – not just their valuation – is an individualized question defeating predominance, and (ii) the presence of information on the dark web could become increasingly important.

In In re Marriott, the Fourth Circuit de-certified damages and issues classes, holding that the class action waiver was not prohibited by Rule 23. Maldini v. Marriott Int’l, Inc., 140 F.4th 123 (D. Md. 2025). The decision underscores the impact of class action waivers and provides language about how narrow, “element-by-element” issue classes will likely fail the superiority requirement.

Q2

What are the biggest trends you see affecting 2026 and beyond, and how can companies prepare?

We expect courts in 2026 will continue to grapple with uncertainty surrounding issues of Article III standing in the data breach context, including at class certification as numerous data breach cases reach that stage. In particular, courts continue to diverge regarding whether data breach plaintiffs can establish standing when they allege only the future risk of identity theft or fraud, but can identify no other harm that might constitute injury in fact. And at the class certification stage in particular, litigants continue to dispute whether a class can be certified that includes uninjured members. Despite this precise question being teed up for resolution in Labcorp v. Davis (a non-data-breach case), in June 2025, the Supreme Court dismissed the case as improvidently granted without further explanation. Lab. Corp. of Am. Holdings v. Davis, 605 U.S. 327 (2025). Only Justice Kavanaugh dissented, noting in a brief opinion that he would have adopted Labcorp’s reasoning that certifying a damages class including both injured and uninjured members would run afoul of Rule 23’s predominance requirement. Id. at 328 (Kavanaugh, J., dissenting).

Second, with the rising tide of matters brought by corporate plaintiffs, we expect courts to begin confronting what duties a company owes to its customers or customers’ customers – be it at common law, in tort, under contract, or pursuant to statutes – after they suffer a data breach. How courts confront this threshold duty question could have a significant impact on whether the plaintiffs’ bar will forge ahead with this theory.

Third, we anticipate that privilege disputes will continue to increase as more data breach cases survive the motion to dismiss stage. In particular, the plaintiffs’ bar has shown an increased tendency to seek to discover work undertaken by outside vendors to investigate the breach in the immediate aftermath of a cyberattack, and resultant privilege disputes are pending and anticipated in several privacy and cyber class action matters. Courts have diverged regarding whether forensic analysis work performed by such vendors qualifies for protection under attorney-client privilege and/or work product protection. Some hold that privilege does not apply where such work was otherwise necessary to investigate the breach and was turned over in full to regulators, see In re Lakeview Loan Servicing Data Breach Litig., 2025 WL 928716, at *5 (S.D. Fla. Mar. 27, 2025); others look to distinguishing factors such as whether multiple, separate forensic investigations were underway (one for breach response, one for assisting counsel in providing legal advice), see Maldondo v. Solara Med. Supplies, LLC, 2021 WL 8323636, at *3-4 (D. Mass. June 2, 2021). Companies responding to cyberattacks should be increasingly mindful of which documents reflect attorney-client communications and/or are prepared primarily or substantially for the purpose of anticipated litigation, and which are not.

Finally, in addition to the growth in “greenwashing” claims, we anticipate an increase in “AI washing claims” (that is, claims that a company’s statements regarding its artificial intelligence programs were false or misleading in some way) in 2025, including against financial institutions, whose use of emerging technologies may make them an attractive target for new class claims.
