Dutch GDPR class action against Oracle and Salesforce declared inadmissible

Background

The Privacy Collective (TPC) started a class action on behalf of ten million individuals (all internet users in the Netherlands) against Oracle and Salesforce. TPC claimed that Oracle and Salesforce unlawfully processed personal data, among other things because of their crucial role in the Real Time Bidding (RTB) process. In the RTB process, an internet user’s profile is offered to advertisers in order to show personalised ads on websites. The empty advertisement space on websites is automatically offered as a person is visiting a website, hence the advertisement space is offered in real time. Both Oracle and Salesforce argued that they only offer a Data Management Platform (DMP) service and do not play a crucial role in the RTB process.

Before deciding on the merits, the Court has to assess whether the admissibility requirements for bringing a class action have been met. These requirements mainly relate to good governance, financing and representativeness. TPC had to substantiate how many individuals support the action and thus what the scope of the claim is. The Court ruled that the requirement of representativeness had not been met.

Ruling

TPC failed to demonstrate that its claims are sufficiently supported. TPC argued "that in view of its statutory objective, its constituency is formed by (in principle) all natural persons in the Netherlands who use the internet". TPC argued that by collecting 75,000 'likes', obtained by clicking on a 'support button' on its website, it had met the representation requirement. The Court ruled that this was not sufficient:

• Clicking on the support button does not mean that an expression of support has been obtained, as intended by the requirement of representativeness;

• In view of the summary information provided with the support button, it is not clear what the support is for;

• There is no description of the individuals on whose behalf TPC is acting;

• Important information about the claim was not given to the ‘likers’;

• 75.000 ‘likes’ is not enough to substantiate that the support of a significant number of individuals was obtained.

In addition, TPC has not registered details of the 'likers', so that the requirements of governance and transparency cannot be met, as TPC cannot communicate with its supporters in this way. The Court concluded that TPC's claims were inadmissible because they were not sufficiently representative. As a result, the Court was not able to address the substance of the case.

The ruling shows that not just any class action has a chance of succeeding. In this case, even the first threshold, admissibility, proved to be too high. Claim vehicles will have to learn from this ruling and precisely define the group they claim to represent. All parties involved in class actions under the GDPR benefit from clarity about the applicable rules. They will only get that clarification after a substantive hearing, which unfortunately did not take place in this case.

Previous (substantive) rulings on this subject

Albeit not in class action, there is some Dutch case law that involves a substantive assessment of a GDPR violation. In almost all proceedings, the Court concluded that specific damage must be demonstrated in order to reward damages, but there are exceptions. In most proceedings the courts (lower and higher) ruled that in order to award damages on the basis of a violation of the GDPR, it is required that specific adverse consequences are demonstrated. An exception to this is that the nature and seriousness of the violation of the norm means that the specific adverse consequences are so obvious that damage can be assumed.

Under what specific circumstances this condition is met, remains unclear. In the past, lower Dutch courts have ruled that there was a breach of a standard which meant that specific adverse consequences were so obvious that damage could be assumed. This happened, for example, in a case started by a patient against the director of a psychiatric institution. The director had shared his highly sensitive medical data with a medical disciplinary board without his consent and without the patient's knowledge. This disciplinary tribunal dealt with a complaint filed by the patient against the director. Subsequently, the patient brought proceedings against the director before the District Court in Gelderland. The court had initially ruled that the transmission of this personal data to the disciplinary tribunal was unlawful and awarded the appellant €300 in non-material damage. The patient appealed against the amount of the damages.

The Administrative Jurisdiction Division of the Council of State (the highest administrative court) awarded an amount of € 500 for non-material damages and considered the following circumstances:

1. the special sensitivity of the personal data (for which there is a higher level of protection under Article 9 of the GDPR);
   
   
2. the adverse consequences of the disclosure of the sensitive personal data are obvious;
   
   
3. the director had no justification under the GDPR for sharing the personal data;
   
   
4. the data have only reached a small group of professionals (who have an obligation of secrecy);
   
   
5. the disclosure of the data was immediately undone, and;
   
   
6. the disclosure of the data did not play a role in the complaint procedure.

Should a class action reach the phase of a substantive hearing, the above test (whether the damage can be specifically substantiated) will have to take place. If this is not possible, the nature and gravity of the breach of standards must mean that the adverse consequences are so obvious that damage can be assumed.

Article provided by INPLP member: Bob Cordemeyer (Cordemeyer & Slager, Netherlands)

Co-author: Marc Morriën

Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)