Data Privacy and Security

Q1

What are the biggest takeaways you have regarding data breach class actions in 2024?

Data-representative class actions have existed in France for more than eight years now. Initially aimed only at obtaining injunctive measures, their scope was extended in 2018, 18 months after their introduction into French law, to allow redress measures as well, when France adopted the Data Protection Act in light of the GDPR.

Despite the growing importance of data protection and security concerns in our society, only two data class actions have been brought so far. One of these class actions was declared inadmissible in late 2024 by the Paris Judicial Court, which held that the association did not represent a class of data subjects in a similar situation.

How to explain this? Class actions are a very long route to obtain injunctive relief, while consumer associations may lodge complaints before the French Data Protection Authority, CNIL, on behalf of data subjects to that very end. 

Compensation issues may have also hindered the introduction of data class actions. As reflected by the decisions of the Court of Justice of the European Union (CJEU) handed down in 2023 and 2024 on the right to compensation under the GDPR, the compensation regime and compensable losses were tricky issues. The CJEU has answered some questions, clarifying that any non-material damage may be compensated, whatever its degree of seriousness, provided it is proven, but its case law is still in development.

Q2

What are the biggest trends you see affecting 2025 and beyond and how can companies prepare?

The aforementioned CJEU case law, combined with the fact that data has become one of the most valuable assets and data security one of the major concerns for many economic operators, might make 2025 and beyond crucial years for data security class actions. This might indeed have a windfall effect on the Plaintiffs' bar and consumer associations, especially in a context where EU Directive 2020/1828, the transposition of which into French law is currently being discussed in Parliament, has introduced cross-border class actions.

Contributors

Q1

What are the biggest takeaways you have regarding data breach class actions in 2024?

2024 saw a continuation of the key structural issue going to the heart of Data Security class actions: how can they proceed proportionately when the value of individual claims is low? 

English court rules provide two main class action frameworks: an ‘opt-out’ structure (the “representative claim”) and an ‘opt-in’ structure (the “group litigation order” or “GLO”). Both have been dealt difficult blows in 2024.

Down and out for opt-out claims

Another potential door for mass opt-out claims was slammed shut in 2024 with the Court of Appeal’s decision in Prismall v Google.

Against the background of the Supreme Court’s seminal Lloyd v Google decision, data-related representative claims faced an uphill battle. An alternative claim for ‘misuse of private information’ seemed to provide a way of sidestepping that decision. In Prismall, however, the Court of Appeal commented that “a representative class claim for misuse of information is always going to be very difficult to bring”. Even in Prismall, involving alleged misuse of medical data — data that most people generally consider private — a key flaw in the claim was that medical data is not necessarily private in all cases. These issues require individual assessment; and such assessment is fundamentally incompatible with an ‘opt-out’ claim. 

These issues pose particular problems for would-be claimants, as representative actions offer the best potential economic returns for claimant-side funders and firms, since individuals do not actively need to sign up to the claim. It is now difficult to see how such claims can continue. 

A no-go for GLOs

The alternative structure — an ‘opt-in’ GLO — has seen its own difficulties too. This structure is built for testing common issues across numerous individual claims. It comes with a procedural framework that can assist claimants, e.g. around selecting a lead law firm, establishing a group register, and publicizing the group action. 

However, the track record of cases going through the courts has shown that GLOs are difficult to pursue in the data context, where claims are generally brought for distress and therefore involve very individualized issues and low levels of damages. Group litigation involves significant upfront costs to establish the group structure, the register of individual claims, etc., which raises real proportionality concerns. 

Opt-in claims: a way through? 

The trend of data class actions going through the English courts over the last year or so has shown a move away from the structured GLO approach, in favor of claims brought simply as a combination of individual claims without any formalized structure, often with a sample of individuals chosen as ‘lead claimants’ whose claims will be tested first to provide guidance for the remaining cohort (the ‘lead claimant model’). That approach has been used in other contexts for many years, and we now see it making headway in the Data Security landscape. 

Even in those cases, however, it remains difficult for claimants to apply the necessary elements of a data claim across the group – as the High Court’s February 2024 decision in the Equiniti litigation showed. The High Court struck out the overwhelming majority of the claims on the basis that they had no prospect of establishing the necessary aspects of the claims for GDPR breaches and misuse of private information. 

These developments in 2024 show that Data Security class actions in England & Wales continue to be difficult ground for would-be claimants. 

Q2

What are the biggest trends you see affecting 2025 and beyond and how can companies prepare?

Building on our 2024 takeaways, 2025 is likely to see alternative approaches to get Data Security claims off the ground. It is helpful here to distinguish two broad types of data claims: (1) complaints about business-as-usual processing being in breach of data laws or other private rights; and (2) claims arising out of specific events, such as cyberattacks or other security incidents. 

General processing claims 

Even the alternative combined claims approach / lead claimant model we have described above requires large numbers of individual users/consumers to sign up for the claim and assert damages they have suffered by the relevant processing (generally: distress). We expect to see claimants approaching these types of claims, in particular, in novel ways, using different legal rights and mechanisms to air these issues. 

One such example is the competition law angle. True opt-out class actions are permitted under English law for competition law claims (and, as things stand, for competition law claims alone). Collective claims in the Competition Appeal Tribunal have seen a big uptick in recent years and show no signs of slowing down, not least because the opt-out structure is the most beneficial for claimant firms and funders. There are some early indications of attempts to use this more well-established route for Data Security class actions, and that may well continue into 2025. Such claims would involve abuses of dominant market position, which is more likely to impact larger data controllers where such dominance will be easier to establish, but there could well be similar issues in smaller, more specific markets with major operators. Any organization that might face these types of allegations should prepare by being aware of the competition law context in which it operates and considering data security issues holistically as part of its overall compliance and risk mitigation approach.   

Incident claims 

In the second type of claims above — arising out of specific security incidents — we expect to see more of a push toward informal combined claims bringing together multiple claimants. The combination increases the overall claim value and allows the claims to be brought to the High Court (whereas individual claims on their own would likely be conducted in the ‘small claims’ track where cost recovery — and incentive for claimant firms — is limited).
 
In those situations, identifying individuals who might be willing to bring a claim is easier, as they are the individuals affected by the incident itself. Despite the challenges facing mass data claims generally, claims in this space remain common. Moreover, without the formality of a GLO (which requires court approval and significant start-up cost), it is easier to get these claims started and we could see complaints move more quickly into formal legal proceedings. Claims could also proliferate without one specific claimant law firm leading the charge for a representative claim or GLO. 

However, issues of proportionality and procedural hurdles remain. Any organization faced with such claims should raise structural and procedural concerns early on as part of its defense strategy.

Funding

No look-ahead to 2025 would be complete without a word on funding. The Supreme Court’s 2023 PACCAR decision looms large over all English class actions; the funding industry continues to face uncertainty, with heralded legislative intervention still awaited. 

The Supreme Court held that a commonly used form of litigation funding arrangement was a damages-based agreement, and thereby needed to comply with relevant rules applying to such agreements — contrary to widely held views across the funding industry. Failure to comply with those rules leaves the funding agreement unenforceable. 

The true impact of this decision on existing funding agreements remains to be seen, with a further Court of Appeal decision on the issue expected later this year, alongside a wide-ranging regulatory review by the Civil Justice Council scheduled for summer 2025. 

Contributors

Q1

What are the biggest takeaways you have regarding data breach class actions in 2024?

In 2024, the number of new data breach class actions soared, and litigation targeted not only the corporate cyberattack victims but also their customers or channel partners whose data was impacted. Plaintiffs’ counsel increasingly filed separate suits on behalf of individuals whose information may have been impacted in a single cyberattack, which ultimately resulted in many consolidated class actions or multi-district litigations. While some courts significantly trimmed putative class action complaints at the motion to dismiss stage for lack of standing or failure to state a claim, negligence and contract-based claims often survived, and plaintiffs saw some limited and cabined success at class certification that they will no doubt attempt to use to seek certifications in other cases.

At the motion-to-dismiss stage, negligence and contract-based claims often survived, but at least one court dismissed many claims, including negligence, for failure to sufficiently allege a breach of a duty to safeguard data. Order, Crowe v. Managed Care of N. Am. Inc., 23-61065-CIV (S.D. Fla. Aug. 16, 2024). The Crowe court agreed with the defendants on the first Motion to Dismiss that plaintiffs’ argument — that the data breach was evidence that defendants’ data protection standards were non-compliant with their common law and statutory duties, and thus, defendants must have chosen not to protect plaintiffs’ data — was “conclusory and, in essence, creates a strict liability standard for companies who suffer a data breach.” Id. at 20. Also at the motion-to-dismiss stage, courts have been increasingly willing to hold that receiving spam texts and calls after a data breach is not an injury-in-fact or traceable to defendants, and thus dismiss plaintiffs for lack of Article III standing. See, e.g., Liau v. Weee! Inc., 2024 WL 729259 (S.D.N.Y. Feb. 22, 2024); Logan v. Marker Grp., Inc., 2024 WL 3489208 (S.D. Tex. July 18, 2024). 

Although many data breach actions settled in 2024, several cases proceeded to class certification decisions: two courts certified classes, and one denied class certification. Savidge v. Pharm-Save, Inc., 727 F. Supp. 3d 661 (W.D. Ky. 2024) (certifying nationwide negligence and breach-of-implied-contract damages classes); Attias v. CareFirst, Inc., 346 F.R.D. 1 (D.D.C. 2024) (certifying breach-of-contract class covering certain residents in three states); In re Blackbaud, Inc., Customer Data Breach Litig., 2024 WL 2155221 (D.S.C. May 14, 2024) (denying class certification due to a lack of ascertainability).

Q2

What are the biggest trends you see affecting 2025 and beyond and how can companies prepare?

Article III standing case law in data breach litigation continued to evolve in 2024, and we expect courts will grapple with more nuanced standing arguments in 2025. For example, in Greenstein v. Noblr Reciprocal Exchange, the Ninth Circuit affirmed the dismissal of a class action when plaintiffs failed to plead that their information was actually stolen, leaving them unable to establish injury. 2024 WL 3886977 (9th Cir. Aug. 21, 2024). The Greenstein plaintiffs relied heavily on the defendant’s breach notification letter, but that letter stated only that the plaintiffs’ data “may have been accessed,” exemplifying the importance of precise notification letters. We also expect to see further development regarding whether intangible harms are sufficient to establish Article III standing. There is a growing circuit split regarding TransUnion’s directive that intangible harms may qualify as concrete injuries if they are “a close historical or common law analogue for the[] asserted injury.” TransUnion LLC v. Ramirez, 594 U.S. 413, 424 (2021). In 2024, the Third Circuit followed the Tenth Circuit and adopted the “kind of harm” test, rejecting the more plaintiff-friendly “element-for-element” approach adopted by the Eleventh Circuit. Barclift v. Keystone Credit Servs., LLC, 93 F.4th 136 (3d Cir.), cert. denied, 145 S. Ct. 169 (2024).

In the greatest legislative development affecting data breach class actions since data breach notification laws with private rights of action came to be, three state legislatures passed legislation concerning the threshold for negligence liability arising from a data breach. However, only the Tennessee bill became law; the Florida and West Virginia governors vetoed the bills. The Tennessee law provides that private entities are “not liable in class action lawsuits resulting from a cybersecurity event unless the cybersecurity event was caused by willful and wanton misconduct or gross negligence on the part of the private entity.” TN Code § 29-34-215(b) (emphasis added). So far, the only litigation regarding this law resulted in the courts holding that the law is not retroactive, but litigants who might benefit from this law should keep it top of mind.

Contributors