NEW DUTCH CLASS ACTION LEGISLATION MAKES IT POSSIBLE TO CLAIM DAMAGES IN A COLLECTIVE ACTION TO ENSURE ENFORCEMENT OF EUROPEAN GENERAL DATA PROTECTION REGULATION (“GDPR”)
On 1 January 2020, a new Act allowing qualified entities to seek damages in a collective action came into effect in the Netherlands. This Act introduces stricter requirements for claim filing as well as procedural changes to enhance the efficiency and effectiveness of the proceedings.
The Privacy Collective (“Plaintiff”), a Dutch foundation working against violation of privacy rights, has launched a class action proceeding against Oracle and Salesforce (‘Defendants”). The proceedings start on 9 December 2020 and the foundation seeks ten billion euros in compensation for damages. It is the first time that this legal instrument is used in the Netherlands and, most likely, in Europe, to claim damages for infringement of the GDPR.
The defendants are accused of unlawfully collecting and processing data of millions of Dutch internet users. This might be one of the largest cases dealing with personal data infringements in the history of internet. Millions of profiles were unlawfully shared with commercial parties. The people were unaware of these companies using their enriched profiles never having given their legitimate consent.
The writ of summons demands that the defendants be ordered to disclose their method of operation and be held accountable. Also, they must demonstrate they are GDPR compliant. According to the plaintiff, the burden of proof is on the defendants. Supported by a well-founded expert report, the foundation seems to have a case.
The Dutch Data Protection Authority (“DPA”) is not starting its own investigation. However, high fines by the DPA are to be expected. The defendants seem to have infringed upon almost all important GDPR principles and rules. These include, but not limited to: (a) transfer of personal data to the USA, (b) processing of data related to children, (c) profiling and processing of sensitive data, (d) having no appropriate security in place, (e) data breaches.
Another interesting point is that Plaintiff’s claims are fully financed by a litigation funder. The organization’s funding enables the individual claimants not to be exposed to litigation costs.
This kind of collective class actions can have a massive impact, as we have seen in the Uber data breach case in the USA. The amount of ten-billion-euro Plaintiff is seeking is based on 500 euros per person in compensation for damages.
We’ll keep you posted,
Bob Cordemeyer