Class action GDPR
New Dutch class action legislation makes it possible to claim damages in a collective action to ensure enforcement of the GDPR.
On 1 January 2020 a new Act came into force in the Netherlands that allows representative entities to seek damages in a collective action. This Act on redress of mass damages in a collective action (Wet afwikkeling massaschade in collectieve actie) (WAMCA, under article 3:305a Dutch Civil Code) introduces stricter requirements for filing a valid claim vehicle, the scope of collective actions and procedural changes to enhance the efficiency and effectiveness of the proceedings.
A Dutch foundation that acts against violation of privacy rights, named The Privacy Collective, has launched class action proceedings against Oracle and Salesforce at the Court of Amsterdam. The proceedings start on 9 December 2020 and the foundation claims, on behalf of a large group of individuals, an amount of 10 billion euros in compensation for damages. It is the first time that this legal instrument is used in the Netherlands and, as far as I know, in Europe, to claim damages for infringement of the GDPR. Oracle and Salesforce are accused of unlawfully collecting and processing data of millions of Dutch internet users. It is said to be one of the largest cases in the context of unlawful processing of personal data in the history of the internet. Almost every Dutch individual is supposed to be structurally affected by the practices of Oracle and Salesforce. Millions of profiles are used to offer personalized online advertisements and the profiles are unlawfully shared with numerous commercial parties. Most people are not aware of these companies having their enriched profiles and have never given their legitimate consent for their data to be used for this purpose.
The writ of summons demands that Oracle and Salesforce be requested to give information about their method of operation and be held accountable as personal data controllers. Moreover, the companies are requested to demonstrate they are GDPR compliant. According to The Privacy Collective, the burden of proof is on the two companies to provide evidence that they do not act in conflict with the GDPR. Supported by a well-founded expert report, the foundation seems to have a case.
The Dutch DPA (AP: Autoriteit Persoonsgegevens) does not seem to have enough time to start its own investigation, but high fines by the Dutch DPA can be expected in this kind of case. The two companies seem to infringe almost all important GDPR principles and rules. These include, amongst others: prohibited transfer of personal data to the USA, prohibited processing of data related to children, prohibited profiling, processing of sensitive data under article 9 GDPR, no appropriate security and data breaches.
Another interesting point is that The Privacy Collective’s claims are fully financed by Innsworth, a litigation funder. The organization’s funding enables the benefits of scaling common claims in a collective action, without any individual claimants being exposed to litigation costs. The fee to be paid depends on the result: 25%, 15% or 10% of the amount to be paid by the two companies, Oracle and Salesforce.
This kind of collective class action can have a massive impact, as we have seen in the Uber data breach case in the USA. Uber had to pay 148 million dollars in a settlement agreement with the class action representative. Ten billion euros, however, is a lot more; the amount is based on 500 euros in compensation for damages per person.
We’ll keep you posted,
Bob Cordemeyer