Netherlands: One of the first major privacy class actions dismissed by Court of Amsterdam

TPC asserted that Oracle and Salesforce violated the privacy rights of approximately 10 million Dutch internet users and claimed damages on their behalf. 

The outcome of the case did not favour TPC as the Court declared the claim inadmissible – TPC failed to demonstrate that it represented the alleged injured parties and therefore did not have legal standing. Those hoping that the Court would consider the fundamental question of whether it is possible to bring a GDPR-damages claim in class actions in the Netherlands were also left disappointed. It remains to be seen how courts will approach privacy damages class actions going forward.

Below you will find the highlights of the judgement. We have looked at class actions for data protection violations throughout Europe in a recent blog. For more background on the Dutch class action law, please read our blog. The decision of the Court is available here (in Dutch only).

The alleged privacy violation

TPC is a Dutch claim foundation. It alleged that Salesforce and Oracle unlawfully collected and processed personal data of Dutch internet users in violation of the General Data Protection Regulation (GDPR) and Article 11.7a of the Dutch Telecommunication Act (the ‘cookie rules’). TPC argued that defendants were not permitted to, through their Data Management Platform (DMP) service, collect data through cookies, combine it with other additional information and then subsequently create individual profiles for users, which were used to offer personalised online advertisements and were shared with ad tech providers in a process known as Real Time Bidding (RTB). 

If you would like more information about the data protection aspects of ad tech and the process of RTB, please reach out to Nicole Wolters Ruckert. 

TPC’s claim under the WAMCA

TPC filed the class action claim under the procedure stipulated in the Dutch Act on Mass Damages Settlement in Class Actions (Wet Afwikkeling Massaschade in Collectieve Actie or WAMCA). In force since January 2020, the WAMCA introduced the possibility for representatives to claim damages on behalf of injured parties using a class action. The WAMCA provides for an opt-out regime, meaning even injured parties that did not actively sign up for the claim are bound to the judgement unless they actively opt-out. 

“Support with one click”

To prevent frivolous claims and claims without sufficient support of the injured parties, the WAMCA sets out admissibility requirements for organisations bringing class action procedures, including a requirement that the claimant (in this case TPC) represents a sufficiently large proportion of the injured parties (often referred to as a ‘representativeness requirement’). 

To substantiate the representativeness requirement, TPC asserted that over 75,000 individuals had clicked on the ‘support’ button on its website dedicated to this class action. The ‘support button was next to a very general text offering to support the mass monetary compensation claim against “two large internet companies” with a single click. The text stated that the claim related to the large-scale collection and sale of the data of millions of Dutch people without valid consent. According to TPC, they could identify, on the basis of IP address, how many unique users clicked the button, and in the opinion of TPC, this would demonstrate that the claim has sufficient support of the injured parties. In addition, TPC said that the action was backed by many privacy rights NGOs in the Netherlands.

The defendants challenged this position and stated, using various arguments, that the steps taken by TPC were not enough to demonstrate the representativeness of the class action and the claim therefore did not meet the representativeness threshold required by the WAMCA.

Court rules on inadmissibility

The Court held that TPC had not managed to prove that it had sufficient support from the injured parties it intended to represent in these proceedings: 

• The Court found that 75,000 clicks on a “support” button on TPC’s website was not enough to substantiate that TPC had obtained a statement of support from a significant number of individuals to represent all internet users in the Netherlands. 
• The Court highlighted that visitors to TPC’s website were not given key information about the case when clicking the button (such as details of the legal proceedings, the names of the parties being sued or a description of the injured parties being represented) and that TPC had not registered the data of those clicking the button or their contact details. 
• The Court further found it problematic that TPC was not able to communicate with its alleged supporters (which made it impossible to meet requirements of transparency and governance for WAMCA based claims) and that it was unclear whether ‘likers’ were actually injured parties. 

In the eyes of the Court, these failings were not mitigated by support from other privacy rights organisations. To be representative, the Court argued, the TPC’s constituency should consist of injured parties whose interests a claimant represents in a WAMCA case and not of other organisations sympathetic to the relevant cause.

Data protection aspects

As the claim was rejected on formalities, the Court did not consider the merits of the case. Nevertheless, the Court touched upon the arguments of parties regarding the relationship between the WAMCA and the provisions in the GDPR. Specifically, the possibility under Article 80 GDPR for non-for-profit organisations to lodge complaints on behalf of data subjects with data protection authorities and exercise data subject rights, including the right to receive compensation for damages suffered as a result of GDPR infringement.

The Court summarised, but did not expressly agree with, the positions of the parties. Rather, the Court observed that the legislative history of the WAMCA and the Dutch GDPR Implementation Law did not address whether Art. 80 GDPR precludes claiming damages in class actions for violation of GDPR. The Court noted that obtaining a clear picture on this issue is important for the future WAMCA-based privacy infringement and damages claims.