No opt-out collective redress route for data protection breaches
The UK never implemented UK GDPR Article 80(2) (non-profits complaining/litigating without named claimants); the 2021 DCMS review declined, citing Lloyd v Google, which the Supreme Court then shut down, ruling representative damages claims need individual proof of loss. The DUAA 2025 did not revisit it. Competition law has opt-out actions at the CAT; data protection has nothing. ORG has campaigned for implementation; AWO and claimant firms can only run costly opt-in group actions.
Mass-scale unlawful processing (RTB, mega-breaches) produces per-person harms too small to litigate individually, so it goes unremedied and undeterred. With the ICO declining systemic enforcement, private enforcement is the only backstop, and the UK has structurally disabled it.
Legislation creating an opt-out representative action regime for data claims (Article 80(2)-equivalent or CAT-style certification), allowing authorised non-profits to bring complaints and damages claims on behalf of affected classes.
// State-led: Instrument: primary legislation creating an opt-out representative-action regime.
Sub-litigable per-person harms from mass unlawful processing go unremedied while the ICO declines enforcement; an opt-out redress model exists to copy, but requires legislation Parliament just declined to revisit.
One gap, several dossiers: entries folded into this one (1)
The research pass surfaced this gap independently in more than one domain. Those entries are merged here so the map counts it once: the same statutory opt-out route for data claims; the litigation-side first artefact lives with the litigation-fund and noyb-UK entries.
№ 75 · No collective redress route for mass data and surveillance harms (Surveillance)
Lloyd v Google (UKSC 2021) closed off opt-out representative actions for data claims, and the UK has never implemented Article 80(2) UK GDPR, which would let public-interest bodies complain to the ICO or courts without individual mandates; the government reviewed under s.189 DPA 2018 and declined in 2021, and the DUAA 2025 did not revisit it. The ICO complaint route is the fallback, but enforcement has collapsed (70+ organisations demanded an inquiry in November 2025) and its public-sector approach substitutes reprimands for fines. Partial coverage: ORG has mapped Art 80(1) opt-in actions; the Competition Appeal Tribunal opt-out regime covers competition claims only.
Its fill: Legislative implementation of Article 80(2)-style NGO-initiated complaints plus an opt-out collective action regime for data claims modelled on the CAT competition regime. A concrete, drafted-before amendment; a founder/funder could also build the litigation-vehicle infrastructure (claimant firms plus funders) that would use it.