No opt-out collective redress route for data protection breaches

openclaimed ·shipped ·
What is missing

The UK never implemented UK GDPR Article 80(2) (non-profits complaining/litigating without named claimants); the 2021 DCMS review declined, citing Lloyd v Google, which the Supreme Court then shut down, ruling representative damages claims need individual proof of loss. The DUAA 2025 did not revisit it. Competition law has opt-out actions at the CAT; data protection has nothing. ORG has campaigned for implementation; AWO and claimant firms can only run costly opt-in group actions.

Why it matters

Mass-scale unlawful processing (RTB, mega-breaches) produces per-person harms too small to litigate individually, so it goes unremedied and undeterred. With the ICO declining systemic enforcement, private enforcement is the only backstop, and the UK has structurally disabled it.

What would fill it

Legislation creating an opt-out representative action regime for data claims (Article 80(2)-equivalent or CAT-style certification), allowing authorised non-profits to bring complaints and damages claims on behalf of affected classes.

// State-led: Instrument: primary legislation creating an opt-out representative-action regime.

Why urgency 3

Sub-litigable per-person harms from mass unlawful processing go unremedied while the ICO declines enforcement; an opt-out redress model exists to copy, but requires legislation Parliament just declined to revisit.

ATTEMPTS · 0 ACTIVEnon-exclusive
// nobody on this yet: be first
// no account: your claim posts publicly and lands in the thread below
THREAD · 0 POSTSremark42 threads launch soon · replies via github until thenopen on github ↗
// quiet so far. the dossier is the first post: reply below or take the gap.
One gap, several dossiers: entries folded into this one (1)

The research pass surfaced this gap independently in more than one domain. Those entries are merged here so the map counts it once: the same statutory opt-out route for data claims; the litigation-side first artefact lives with the litigation-fund and noyb-UK entries.

75 · No collective redress route for mass data and surveillance harms (Surveillance)

Lloyd v Google (UKSC 2021) closed off opt-out representative actions for data claims, and the UK has never implemented Article 80(2) UK GDPR, which would let public-interest bodies complain to the ICO or courts without individual mandates; the government reviewed under s.189 DPA 2018 and declined in 2021, and the DUAA 2025 did not revisit it. The ICO complaint route is the fallback, but enforcement has collapsed (70+ organisations demanded an inquiry in November 2025) and its public-sector approach substitutes reprimands for fines. Partial coverage: ORG has mapped Art 80(1) opt-in actions; the Competition Appeal Tribunal opt-out regime covers competition claims only.

Its fill: Legislative implementation of Article 80(2)-style NGO-initiated complaints plus an opt-out collective action regime for data claims modelled on the CAT competition regime. A concrete, drafted-before amendment; a founder/funder could also build the litigation-vehicle infrastructure (claimant firms plus funders) that would use it.

Distinct but adjacent

More in Privacy

Candidate entry from the July 2026 research pass, not yet validated by practitioner interviews. Added 2026-07-07 · last verified 2026-07-07 · review by 2026-10-07. Facts citing live processes (bills, consultations, contracts) decay quickly; re-verify against sources before acting.