Large technological and other corporations now collect and hold personal data on an industrial scale. Recent privacy scandals illustrate that data breaches often arise from systemic failings on the part of data controllers (think Facebook or Google). Such infringements are likely to affect a mass of individuals, be well-publicised, share common issues, and be prohibitively expensive for any individual to prosecute.

They have all the necessary ingredients for group actions.

Benjamin Williams QC and George McDonald examine in this article how aspects of the General Data Protection Regulation (“GDPR”), coming into force on 25 May 2018, have further increased the prospect of group or representative actions for data breaches.

The nature of the claims under the GDPR and the Representation of data subjects

Article 82 of the GDPR provides consumers with a statutory basis for compensation from a controller or processor for any “material” or “non-material” damage.

By Article 80, the GDPR positively encourages representative actions:

“The data subject shall have the right to mandate a not-for-profit body, organisation or association which…has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data….to exercise the right to receive compensation referred to in Article 82 on his or her behalf”.

Not only does Article 80 remove the stress and strains that an individual may face from pursuing litigation, but:

  • Organisations that satisfy Article 80 are likely to have access to a wide audience of individuals who may have similar claims.
  • Article 80 promotes central control of claims by an individual entity.
  • It thus removes some of the complexities that group and representative actions face where there are multiple claimants and potentially multiple solicitors.
  • The organisation itself is likely to be a relatively sophisticated litigant in a strong bargaining position with its legal representatives.

We therefore anticipate that Article 80 can and should be used as a successful vehicle for many claims to be brought by one claimant entity on behalf of many individuals. This would mirror experience in competition law cases, where a number of high profile group claims have been brought by high-profile campaigning groups like the Consumers’ Association.

Further developments arising from GDPR

In addition, Article 33 of the GDPR imposes stringent notification requirements on data controllers. A data controller is obliged to notify the “supervisory authority” of a personal data breach within 72 hours of becoming aware of it. Similarly, by Article 34 the data controller must communicate any personal data breach which is likely to result in a high risk to the rights and freedoms of natural persons to the data subject without undue delay.

These self-reporting obligations should lead to:

  • Potential claimants being informed of data breaches (whereas the past they might have been kept in the dark).
  • Many potential claimants being informed of the breach at roughly the same time, leading to communal action.
  • Combined with regulatory action at a similar time.

If the regulator imposes fines or other sanctions on the data controller, that will give claimants the confidence to pursue a claim for compensation through the courts. These factors are likely to increase the prospect of group or representative actions for data breaches yet further.

Group and representative actions are already on the go

Even before the implementation of GDPR, group and managed claims have proved popular for privacy claims.

In Vidal-Hall v Google [2015] EWCA Civ 311 the claimants sought damages for misuse of their private information as, without their consent, Google had collected private data about their internet usage which was then sold to a third party. The Court of Appeal held that damages could be awarded for the distress suffered by the Claimants. The Vidal-Hall claim is now proceeding as a representative action - the data breaches are said to have affected around 5.4 million people in England and Wales alone.

In Various Claimants v Wm Morrisons Supermarket PLC [2017] EWHC 3113 (QB), 5,518 claimants pursued a group action against their employer Morrisons. One of Morrisons’ employees had disclosed the personal information of around 100,000 colleagues on the internet. Even though the disclosure had taken place outside of working hours and from the employee’s personal computer, the High Court found that there was a sufficient connection between the position in which he had been employed and his wrongful conduct to render Morrisons vicariously liable. Morrisons’ appeal to the Court of Appeal is pending.


The current climate is ripe for group or representative action for data breaches. Not only is misuse of private information a hot topic both in the press and the legal world, but group and representative claims are being successfully