Oliver Dent, partner in Kennedys’ cyber and data risk team, discusses this landmark judgment and how the claim was dismissed by the UK Supreme Court on the basis that the claimants would need to “demonstrate material damage in order to satisfy the principles under the Data Protection Act 1988”.
What will it mean for data controllers and insurers? - Lloyd V Google 
Collective proceedings orders and the 'representative action' system, which is available for any type of civil claim, are the closest the UK has to a US-style class action regime, where eligible claimants are automatically assumed to be part of the class unless they actively elect to opt out.
The ability for these regimes to be used more widely to facilitate large opt-out group actions in the UK has recently been considered by the UK Supreme Court in the case of Lloyd v Google [10.11.2021].
Ultimately, the court ruling proved great news for data controllers and their insurers but following the judgment there are two key points to note. First of all, the claim was not brought under the more recent General Data Protection Regulation of 2018 which could open up the decision to challenges.
Secondly, the court suggested that theoretically future claims could be brought forward on a two-stage basis, but this could result in an even more complex routine for claimants to go down.