New Dutch class action legislation makes it possible to claim damages in a collective action to ensure enforcement of the GDPR
A Dutch foundation that acts against violation of privacy rights, named The Privacy Collective, has launched class action proceedings against Oracle and Salesforce at the Court of Amsterdam. The proceedings start on 9 December 2020 and the foundation claims, on behalf of a large group of individuals, an amount of 10 billion euros in compensation for damages. It is the first time that this legal instrument is used in the Netherlands and, as far as I know, in Europe to claim damages for infringement of the GDPR. Oracle and Salesforce are accused of unlawfully collecting and processing data of millions of Dutch internet users. It is said to be one of the largest cases in the context of unlawful processing of personal data in the history of internet. Almost every Dutch individual is supposed to be structurally affected by the practices of Oracle and Salesforce. Millions of profiles are used to offer personalized online advertisements and the profiles are unlawfully shared with numerous commercial parties. Most people are not aware these companies use their enriched profiles and they have never given their legitimate consent for their data to be used to this purpose.
The writ of summons demands that Oracle and Salesforce be requested to give information about their method of operation and be held accountable as personal data controllers. Moreover, the companies are requested to demonstrate they are GDPR compliant. According to The Privacy Collective , the burden of proof is on the two companies to provide evidence that they do not act in conflict with the GDPR. Supported by a well-founded expert report, the foundation seems to have a case.
The Dutch DPA (AP: Autoriteit Persoonsgegevens) does not seem to have enough time to start its own investigation, but high fines by the Dutch DPA can be expected in this kind of cases. The two companies seem to infringe almost all important GDPR principles and rules. These include, amongst others: transfer of personal data to the USA being prohibited, processing of data related to children being prohibited, profiling and processing of sensitive data under article 9 GDPR being prohibited, having no appropriate security in place and data breaches.
Another interesting point is that The Privacy Collective’s claims are fully financed by Innsworth, a litigation funder. The organization’s funding enables the benefits of scaling common claims in a collective action, without any individual claimants being exposed to litigation costs. The fee to be paid depends on the result: 25%, 15% or 10% of the amount to be paid by the two companies, Oracle and Salesforce.
This kind of collective class actions can have a massive impact, as we have seen in the Uber data breach case in the USA. Uber had to pay 148 million dollar in a settlement agreement with the class action representative. Ten billion euros, however, is a lot more substantial sum. The amount is based on 500 euros per person in compensation of damages.
Article provided by: Bob Cordemeyer (Cordemeyer & Slager Advocaten, Netherlands)
Dr. Tobias Höllwarth (Managing Director INPLP)