European Privacy Class Actions: A Growing Cyber Insurance Risk
Class and collective actions have been an important feature of the United States legal system for more than 200 years.
Here’s the theory: A company does something bad to a lot of people, and many individuals are harmed in the same way. The damages suffered by any one individual, however, may not be high enough to encourage that person to seek compensation (or for good lawyers to take the case). Good lawyers are expensive, litigation is unpleasant, and life moves fast. If individuals are left to fend for themselves in individual actions, the story goes, companies may never be held accountable for bad conduct (unless, of course, the government acts).

When many people suffer the same injury and the total amount of harm is significant, legislators, judges, and lawyers in the United States have historically mostly agreed that there should be a way for them to band together and sue the company that caused the injury.
In recent years, class actions tied to data privacy and cybersecurity have surged in the United States. Litigation frequently accompanies notable data breaches, and we have seen several nine-figure settlements in privacy and cyber class actions. Non-breach privacy cases—based, for example, on wiretapping theories—have been on the rise.
In the European Union and the United Kingdom, class action-like mechanisms have historically been less widely available, and large private settlements with groups of consumers have been a much rarer bird.
One reason is that, unlike in the United States, plaintiffs in European jurisdictions are often required to bear the costs of unsuccessful actions, which can operate as a strong disincentive against litigation unless it is certain to succeed. This may be changing, however, with potentially seismic implications for data privacy liability and cyber insurance.
European “Mass” Actions and the GDPR
In 2020, the European Union passed a directive requiring member states to ensure “at least one effective and efficient procedural mechanism for representative actions for injunctive measures and for redress measures is available to consumers.” (From what we can tell, European lawyers seem to prefer the terms “mass,” “collective,” or “representative” action instead of “class” action.) Among other key provisions, the directive authorized cross-border actions and allows for flexible litigation funding arrangements.
In the following years, several EU countries modified national laws related to collective actions. In 2025, France—Europe’s second-largest economy—passed a new law expanding collective action rights. Mass actions in Portugal—which has a more liberal framework in this space than some other EU member states—have been increasing in recent years.
Introduced almost a decade ago, the General Data Protection Regulation (GDPR) is the most muscular data privacy law in the world. It authorizes significant penalties—up to 4% of global annual revenue for serious violations—and has been deployed by European data protection authorities to extract large fines from some of the world’s largest (mostly US-based) technology companies.
Private consumer actions under the GDPR have received considerably less attention. In 2022, however, the Court of Justice of the European Union confirmed that consumer groups have the right under the GDPR to bring mass actions (where authorized by national laws) on behalf of groups of consumers.
Earlier this year, another European court awarded damages to a consumer for non-material violations (i.e., issues with consent and transfer but without any data breach) of the GDPR’s data transfer rules. While the GDPR does not provide for monetary damages absent actual harm, some European courts have been willing to find harm based on “loss of control” of personal data. Lawyers have predicted that these decisions could open the door to high-dollar non-breach privacy mass actions in Europe.
Indeed, news reports and our experience working with clients confirm that European consumer groups have been increasingly investigating and filing collective actions alleging data privacy violations against technology companies. If these claims begin to drive significant losses, the insurance industry will need to increasingly take note.
Cyber Coverage and Market Implications
While cyber insurance can provide coverage for defense costs and damages arising from class action litigation, it is important to note that not all policies are created equal. For a cyber insurance policy to cover this risk, the policy needs to affirmatively include class action claims, mass arbitration claims (for good measure), and most importantly, specific language providing broad privacy coverage.
On this last point, there is a critical distinction between data breach liability cover and broad privacy tort coverage. Nearly all cyber insurance policies intend to cover liabilities and claims (including class actions) arising out of a data breach. But the coverage for wrongful collection, invasion of privacy (not arising out of a data breach incident), wiretapping, and other more nebulous legal- and privacy-related concepts known as “non-breach privacy” can vary greatly. With the advent of novel non-breach privacy exclusions working their way through the cyber insurance ecosystem, the devil is in the details—and in this arena, you also get what you pay for.
Insurance buyers should also carefully review any territorial restrictions and the geographic scope of coverage in their cyber insurance policies. For example, for US-based cyber insurance policies, the scope of coverage is usually worldwide, which means the policy responds to claims stemming from anywhere in the world unless specifically excluded. These exclusions most often come in the form of Office of Foreign Assets Control (OFAC)-sanctioned entities and/or Treasury Department restrictions and, recently, exclusions for claims and events adjacent to the Russia/Ukraine conflict. There should be no other territorial exclusions on a “standard” US cyber insurance policy.
For cyber insurance coverage purchased in the rest of the world, the scope can be meaningfully different. Most European policies have different limits and deductibles for claims stemming from North America, or may outright exclude them.
The key takeaway is that it is important to review your own policy and identify privacy exclusions and territorial limits that may void coverage for this up-and-coming loss vector.
It remains to be seen how much the burgeoning EU privacy class action cottage industry will impact cyber insurance coverage and premiums. But the common-sense conclusion, if these cases pick up steam, is to expect higher premiums for insureds with material exposure to EU privacy claims (similar to how underwriters scrutinize US privacy risk more harshly than privacy risk in any other region). It could also result in potentially higher deductibles for class action litigation, and perhaps even a narrowing of coverage around wrongful collection, invasions of privacy, and wiretapping. However, this would be hard to justify, as the EU’s GDPR strictly regulates all of these risk points, and thus a fit-for-purpose insurance policy should continue to respond to these actions.
Note: Walker Newell and David Anderson are Certified Information Privacy Professional/United States (CIPP/US) professionals, in addition to serving as broker/consultant to clients worldwide in the areas of insurance and risk management.
Disclaimer: The information contained herein is offered as general industry guidance regarding current market risks, available coverages, and provisions of current federal and state laws and regulations. It is intended for informational and discussion purposes only. This publication is not intended to offer financial, tax, legal or client-specific insurance or risk management advice. No attorney-client or broker-client relationship is or may be created by your receipt or use of this material or the information contained herein. We are not obligated to provide updates on the information contained herein, and we shall have no liability to you arising out of this publication. Woodruff Sawyer, a Gallagher Company, CA Lic. #0329598.