Since the Supreme Court’s landmark decision in Lloyd v Google [2021], it has been widely assumed that large-scale data breach claims in England and Wales are procedurally possible but economically fragile. That fragility largely reflects the requirement for claimant-specific proof of damage under Article 82 UK GDPR, which limits the availability of uniform, class-wide damages and undermines the funding economics of large-scale claims.
That proposition remains broadly right, but the reasons have narrowed and become more technical. The courts have not retreated from Lloyd’s core point that 'loss of control' is not, by itself, compensable damage under Article 82 UK GDPR. However, recent appellate authority has clarified that an infringement can be established without proof of third-party access, that Article 82 UK GDPR does not impose a separate, free-standing 'seriousness' threshold as a precondition to compensation, and that fear or distress can be actionable where it is objectively well-founded on the facts. These developments do not make group claims easier to win, but they change the reason why they are won or lost.
This article addresses two issues. Section 1 explains how compensation claims under Article 82 UK GDPR are being shaped by evidential requirements and early-case filtering. Section 2 explains why collective redress remains procedurally constrained notwithstanding the recent developments on infringement and non-material damage.
Section 1: Compensation and evidence in data breach claims
This section considers (1) what the courts now require to establish ‘material’ and ‘non-material’ damage under Article 82 UK GDPR, and (2) how defendants can still dispose of weak claims early through orthodox procedural tools.
What counts as ‘damage’ after Farley
The legal position begins with a settled distinction. An infringement of the UK GDPR is not, without more, sufficient to ground a claim for compensation. Article 82 UK GDPR confers a right to compensation only where the claimant has suffered material or non-material damage, and section 168 of the Data Protection Act 2018 gives that right domestic effect. The right is remedial, not punitive.
The Court of Appeal’s decision in Farley v Paymaster [2025] refines how that distinction operates in practice. The High Court had struck out the claims on the basis that there was no evidence that personal data, sent to incorrect addresses, had been opened or read by third parties. The Court of Appeal rejected that approach. It held that an infringement does not depend on proof of third-party access: the act of misdirection itself constitutes processing for UK GDPR purposes and may amount to an infringement irrespective of whether the recipient opened or read the material.
That clarification matters procedurally, but it does not collapse infringement into compensation. On the compensation issue, the Court drew a careful line. It accepted in principle that fear of what might happen as a consequence of an infringement can amount to non-material damage. However, such fear must be objectively well-founded. Fear that is hypothetical, speculative, or disconnected from the facts of the incident will not suffice. Nor will fleeting irritation or unevidenced anxiety.
Two points follow. First, Farley does not create an automatic route to damages where misuse cannot be proved. It refocuses the dispute. The question becomes whether the claimant can show a concrete, objectively justified reaction to the incident. Second, evidence assumes central importance at an early stage. Generic assertions of distress, unsupported by incident-specific facts or contemporaneous material, remain vulnerable to challenge.
Permission to appeal has been granted. Unless and until the Supreme Court rules otherwise, Farley represents the governing appellate framework for non-material damage in misdirection and comparable accidental disclosure data breach claims where the alleged infringement arises from the breach event itself rather than from proven downstream misuse.
Legal grounds for filtering weak data breach claims
Alongside Farley, earlier authorities continue to perform a critical filtering function. They do not contradict Farley; they operate at a different analytical level.
Rolfe v Veale Wasbrough Vizards [2021] remains the clearest statement of the court’s intolerance for trivial claims. The case confirms that where no credible damage is pleaded at all, the claim may be struck out as an abuse of process. The court’s concern is not the seriousness of the infringement, but the absence of any real damage flowing from it. That principle remains intact after Farley.
Warren v DSG Retail Ltd [2021] addresses a different risk: the inflation of data breach claims through parallel common-law causes of action. The Court of Appeal made clear that, absent a positive act of misuse by the controller, claims in misuse of private information or breach of confidence will not succeed. Nor can negligence be used as a proxy to sidestep the statutory structure of the UK GDPR. Warren therefore limits attempts to convert a security incident into a multi-headed tort claim where the pleaded facts do not support it.
Taken together, these cases define the current early-case battleground. Defendants can no longer rely on the absence of evidence of access as a complete answer. But they can, and should, require claimants to articulate with precision what damage is said to have been suffered, why that damage is objectively justified on the facts, and how it was caused by the infringement. Where that is absent, strike-out and summary judgment remain available to defendants to dispose of claims at an early stage.
Section 2: Collective redress and data breach claims
This section considers (1) why representative actions remain constrained by the ‘same interest’ requirement, notwithstanding recent developments on infringement and non-material damage, and (2) why opt-in mechanisms remain the more workable route where claims proceed at scale.
The ‘same interest’ constraint in data breach claims
A representative action can be brought under CPR 19.8 by a single claimant as the representative of a much wider group, provided they demonstrate that they have the ‘same interest’ as the rest of the class of claimants. Lloyd v Google remains the anchor authority because it confirms that representative actions cannot be used to obtain damages where the assessment of harm is inherently individual and cannot be awarded on a lowest-common-denominator basis.
The practical difficulty for UK GDPR breach claims is that compensation usually turns on claimant-specific facts. Even where the alleged infringement is common, damage frequently is not. That problem is sharper, not weaker, after Farley: if a claimant relies on fear or distress, the question becomes whether that reaction is objectively well-founded and proven. That is typically an individual inquiry.
Prismall v Google UK Ltd and DeepMind Technologies Ltd [2024] is a modern illustration of the court’s approach to CPR 19.8 and class cohesion. Where success depends on individualised circumstances, meeting the ‘same interest’ test becomes more difficult as the proposed class can be quite heterogeneous. For data breach claims, that is usually apparent in the remedy claimed and proof of damage, even if infringement is common across the class. In practical terms, Prismall underlines the difficulty of maintaining ‘same interest’ where the pleaded case ultimately turns on claimant-specific exposure, reaction and damage.
In practice, this is why opt-in proceedings (most commonly through Group Litigation Orders (GLOs), which are used for multiple claims giving rise to common or related issues of fact or law) remain the more workable route for mass claims. They can accommodate staged determination of common issues while recognising that compensation evidence is claimant-specific.
The practical boundary on representative actions and GLOs
The continued difficulty with representative actions does not mean that large-scale data breach claims are impossible. It does mean that they are usually pursued through opt-in structures that can accommodate individual variation between the claimants.
GLOs remain the most realistic and commonly used procedural mechanism where data breach claims proceed at scale, although courts may also adopt bespoke group case-management orders with similar features. They allow common issues, such as whether there was an infringement, to be determined once, while preserving individual assessment of the claimants’ damage. The cost and administrative burden of GLOs is significant, but they remain a tool for managing large cohorts of claims that is familiar to the courts.
The practical result is that collective redress in data breach claims remains constrained not by hostility to such claims, but by the structure of compensation under Article 82 and the procedural limits of the CPR. In practice, the number of data protection-related GLOs since the introduction of the UK GDPR has been limited. High-profile claims such as Weaver v British Airways [2024] remain the exception rather than the norm, and many large data breach claims proceed without a formal GLO or fall away before reaching that stage.
Conclusion
Data protection breaches are no longer just a regulatory or reputational risk for businesses. They can increasingly lead to high-value claims before the courts, resulting in significant financial exposure for businesses, which have to allocate resources and costs to defend large-scale claims, sometimes spanning several jurisdictions.
Claimant law firms are marketing and recruiting claimants for data breach claims in a way that mirrors established mass tort tactics. Businesses should therefore assume that some data breach claims in the future will be tested not only before the ICO but also through coordinated civil claims. They should expect sustained claimant activity in this area, particularly where a data breach can support pleaded non-material damage across a cohort.
Since Lloyd v Google, the UK courts have maintained a clear distinction between infringement and compensation. Recent authority has clarified that an infringement may be established without proof of third-party access and that non-material damage may include objectively well-founded fear or distress. Those clarifications affect how claims are pleaded and defended. They do not alter the underlying architecture of collective redress.
Data breach claims continue to succeed or fail on evidence of damage and procedural cohesion. Where compensation depends on claimant-specific proof, representative actions remain structurally unstable. That remains the defining feature of the post-Lloyd landscape.