Class action GDPR


New Dutch class action legislation makes it possible to claim damages in a collective action to ensure enforcement of the GDPR.

On 1 January 2020 a new Act came into force in the Netherlands that allows representative entities to seek damages in a collective action. This Act on redress of mass damages in a collective action (Wet afwikkeling massaschade in collectieve actie) (WAMCA, under article 3:305a Dutch Civil Code) introduces stricter requirements for filing a valid claim vehicle, the scope of collective actions and procedural changes to enhance the efficiency and effectiveness of the proceedings.

A Dutch foundation that acts against violation of privacy rights, named The Privacy Collective, has launched class action proceedings against Oracle and Salesforce at the Court of Amsterdam. The proceedings start on 9 December 2020 and the foundation claims, on behalf of a large group of individuals, an amount of 10 billion euros in compensation for damages. It is the first time that this legal instrument is used in the Netherlands and, as far as I know, in Europe, to claim damages for infringement of the GDPR. Oracle and Salesforce are accused of unlawfully collecting and processing data of millions of Dutch internet users. It is said to be one of the largest cases in the context of unlawful processing of personal data in the history of the internet. Almost every Dutch individual is supposed to be structurally affected by the practices of Oracle and Salesforce. Millions of profiles are used to offer personalized online advertisements and the profiles are unlawfully shared with numerous commercial parties. Most people are not aware of these companies having their enriched profiles and have never given their legitimate consent for their data to be used for this purpose.

The writ of summons demands that Oracle and Salesforce be requested to give information about their method of operation and be held accountable as personal data controllers. Moreover, the companies are requested to demonstrate they are GDPR compliant. According to The Privacy Collective, the burden of proof is on the two companies to provide evidence that they do not act in conflict with the GDPR. Supported by a well-founded expert report, the foundation seems to have a case.

The Dutch DPA (AP: Autoriteit Persoonsgegevens) does not seem to have enough time to start its own investigation, but high fines by the Dutch DPA can be expected in this kind of case. The two companies seem to infringe almost all important GDPR principles and rules. These include, amongst others: prohibited transfer of personal data to the USA, prohibited processing of data related to children, prohibited profiling, processing of sensitive data under article 9 GDPR, no appropriate security and data breaches.

Another interesting point is that The Privacy Collective’s claims are fully financed by Innsworth, a litigation funder. The organization’s funding enables the benefits of scaling common claims in a collective action, without any individual claimants being exposed to litigation costs. The fee to be paid depends on the result: 25%, 15% or 10% of the amount to be paid by the two companies, Oracle and Salesforce.

This kind of collective action can have a massive impact, as we have seen in the Uber data breach case in the USA. Uber had to pay 148 million dollars in a settlement agreement with the class action representative. Ten billion euros, however, is a lot more; the amount is based on 500 euros in compensation for damages per person.

We’ll keep you posted,

Bob Cordemeyer

