1. The global surge in data privacy mass claims
Data law trends 2026
In brief
Navigating the complex landscape of data-related litigation has never been more critical. Across major jurisdictions – including Germany, the Netherlands, England and Wales, and the US – the rules of engagement are changing rapidly. What were once straightforward claims are now sophisticated collective actions and bundled proceedings, driven by new regulation and innovative funding models.
Businesses face a heightened risk of multi-pronged attacks seeking not only large damages, but also injunctions that can disrupt core operations. Understanding these shifting trends is essential for proactive risk management, robust defense strategies and limiting legal exposure.
The global picture
Few threats have escalated with the speed, scale and financial menace of mass data privacy litigation. Once a niche concern, collective privacy claims have become a primary driver of complex, high-stakes legal battles – threatening not just balance sheets but entire business models, as individually low value claims by thousands or millions of data subjects can quickly turn into millions or billions in potential damages.
This development reflects a convergence of factors, including:
- an expanding patchwork of laws codifying enforceable data rights for individuals (e.g. under the EU General Data Protection Regulation (GDPR), UK GDPR and various US state laws);
- the emergence of a sophisticated and well-capitalized ecosystem of claimant law firms and third-party litigation funders;
- increased public awareness and concern regarding data rights;
- new collective action mechanisms, such as the Netherlands’ Act on Collective Damages Claims (WAMCA) and the EU’s Representative Actions Directive (RAD); and
- the rise of ‘non-attack’ claims – lawsuits arising not from breaches but from routine data processing activities such as the use of ad-tech and tracking cookies.
This chapter focuses on four high-risk jurisdictions: Germany, the Netherlands, England and Wales and the US.
Germany: A new era for collective actions
Germany is experiencing a rise in collective actions, particularly in GDPR and technology-related claims. Consumer organizations are not only seeking damages, but also pursuing injunctions to halt data processing activities – forcing businesses to mount rapid and robust defenses. While legal insurers remain cautious about funding individual claims, a trend toward higher GDPR damage awards may change that. Litigation funders are also entering the field, acquiring claims from thousands of individuals and pursuing them in bundled proceedings, often through special purpose vehicles (SPVs).
At the same time, defendants are developing novel strategies to challenge the standing of consumer organizations and SPVs, offering new options to manage business-critical litigation risks.
A key issue to watch is the Court of Justice of the EU’s (CJEU) guidance on whether ‘loss of control’ constitutes a basis for damages under the GDPR.
Its clarification will shape both the prerequisites for and the quantum of damages, with major implications for corporate risk management.
Practical implications: Businesses must be prepared for multipronged attacks – claims for damages and injunctions, brought, often in parallel, by consumer organizations, commercial SPVs and individual claimants. A robust response strategy is crucial to minimize risk and operational disruption. Monitoring CJEU developments is equally critical.
In Germany, legal strategy is no longer just about defending against damages – it’s about disrupting professional plaintiffs’ business models to guard against an increasingly aggressive data litigation landscape.
Martin Mekat, Partner
The Netherlands: The go-to jurisdiction for mass claims
The Netherlands remains a magnet for class actions, with nearly 100 active cases on the docket. The Dutch WAMCA is widely regarded as claimant- and funder-friendly, offering an opt-out system and monetary damages. Success fees for litigation funders – sometimes up to 25 percent of a claim’s value – make the regime especially attractive.
That said, legal uncertainties remain. The interplay between WAMCA and the EU RAD is unresolved, and questions around additional national admissibility rules and opt-out damages under the GDPR are before the CJEU in a major case against Amazon. Recent judgments suggest closer scrutiny of claimant organizations, but pending legislative amendments may tilt the balance back toward plaintiffs.
Practical implications: The Netherlands remains a high-risk jurisdiction for data and tech businesses. Because of the opt-out mechanism, a single action can create massive exposure. Businesses should closely monitor forthcoming CJEU decisions and the legislative review of WAMCA to anticipate shifts in the legal landscape.
The Netherlands consolidates its position as a premier venue for mass claims in the EU. The key challenge for defendants is the sheer scale and financial exposure that the WAMCA’s opt-out system brings.
Mark Egeler, Partner
England and Wales: Adapting to new challenges
Following the Supreme Court’s 2021 Lloyd v Google decision, bringing data-related opt-out representative claims in England and Wales has become more difficult: ‘loss of control’ was found not to be enough for a damages claim, and claimants must show actual financial loss or distress.
The Court of Appeal reinforced this in Prismall v Google (2024), reiterating the high threshold for claimants in an opt-out representative claim to meet the ‘same interest’ requirement. In a misuse of private information claim, this meant each claimant had to demonstrate a reasonable expectation of privacy over the affected data.
It is also worth noting the Court of Appeal’s August 2025 decision in Farley and Others v Paymaster, which found no de minimis threshold for data protection claims (as distinct from misuse of information claims). Instead, a claimant must establish that any harm alleged was ‘well-founded’ by reference to the facts known – or that should have been known – to them at the time.
It is clear, therefore, that data mass claims remain a real prospect. Claimant firms continue to advertise that they have recruited thousands of clients after data breaches, while recent high-profile cyberattacks have driven more activity. The Lloyd decision has pushed claimant firms and funders toward Group Litigation Orders and collective proceedings in the antitrust space to bundle claims. Courts are also showing procedural flexibility, including through the use of the ‘lead claimant’ model.
Additionally, the Supreme Court’s 2023 judgment in R (PACCAR) v Competition Appeal Tribunal made litigation funding more difficult, ruling that funding agreements based on a percentage of damages are unenforceable. However, funders are adapting. In July 2025, the Court of Appeal held that ‘multiple of investment’ litigation funding agreements are enforceable, and in August 2025, it overruled a lower court to breathe fresh life into another mass claim – illustrating the fast-moving funding environment.
Practical implications: While the Lloyd v Google ruling made mass data breach claims by way of opt-out representative action more difficult, it did not shut them down. Claimant firms are finding creative paths forward, even where claims are low in value. Businesses should be prepared for more innovative forms of case management and funding arrangements.
Data breach actions remain a focus for claimant firms, with recent rulings driving a push toward more creative forms of case management. There are potential gains to be made by embracing novel approaches that may offer a cheaper and quicker route to resolving mass data breach claims.
Cat Greenwood-Smith, Partner
United States: Expansion of privacy class actions
The US is poised for a surge in data breach class action litigation, driven by three main trends:
First, federal courts are providing expansive interpretations of state privacy laws, particularly the California Consumer Privacy Act (CCPA), allowing lawsuits over common tools such as cookies and pixels. This is a crucial development since the CCPA applies to certain companies, regardless of location, that collect or process California residents’ personal information – and it remains the only comprehensive state privacy law granting a private right of action for data breaches.
Second, healthcare-sector lawsuits are increasingly moving past early dismissal stages, raising settlement pressure given the strong jury appeal of sensitive health data. New state health privacy laws, such as Washington’s, are also creating new avenues for claims, including private rights of action.
Third, recent securities class actions against tech companies have resulted in multimillion-dollar settlements, with plaintiffs alleging failures to disclose – or misleading statements about – data breaches. This trend is reinforced by heightened scrutiny from the US Securities and Exchange Commission (SEC).
Practical implications: Regardless of where they are based, businesses with US customers face risk from the patchwork of state privacy laws. Even everyday web technologies may trigger litigation. Robust data breach response plans and careful disclosure practices are essential to reduce exposure.
In the US, the playbook for data breach litigation is being rewritten. Companies must now look beyond traditional data theft and recognize that even everyday web technologies are being used as a new tool for sophisticated class actions.
Tim Howard, Partner
Looking ahead
The global data litigation landscape is becoming more aggressive and complex. Businesses cannot afford to be reactive – proactive, multi-jurisdictional strategies are essential.
In Europe, forthcoming CJEU rulings on GDPR damages will be crucial. In the US, state laws and expansive court interpretations are rewriting the playbook. Global businesses must monitor these developments closely and build resilient, cross-border strategies to manage the risks.
Our team
