Class actions have been brought throughout Europe against social media and other (tech) businesses on the basis of breaches of data protection law (in particular the EU General Data Protection Regulation, GDPR). This development has now expanded into the Netherlands with (i) a class action against Facebook for breaches of the GDPR, specifically by sharing personal data with external developers and other partners; (ii) a class action against software developer Salesforce regarding the processing and sale of personal data for online marketing; and (iii) a class action against TikTok for multiple GDPR violations in particular relating to the collection and processing of the personal data of children, including inter alia failing to provide sufficient information about and failing to obtain parental consent for the processing of the childrens’ personal data.
The claim against Facebook has been brought under the pre-WAMCA regime, which does not allow the court to directly award monetary damages. Instead, the pre-WAMCA regime merely allows for declaratory relief, which serves as a steppingstone for a collective (court approved) settlement and/or individual follow-on proceedings.
With the introduction of the WAMCA in January 2020, interest organisations can (also) claim monetary damages directly in class actions (see our update on the introduction of the WAMCA for more information on the changes introduced by the new system). The claims against Salesforce and TikTok have been brought under the WAMCA system.
In the TikTok case, three interest organisations brought largely overlapping claims. The claims concern declaratory relief regarding inter alia the legality of TikTok’s general conditions and the processing of personal data, as well as substantial claims for damages, as summarized in the table below:
The materiality of GDPR breaches, and accordingly, the commensurate damages, are difficult to quantify. Dutch courts have struggled to pin a specific number to infringements of the right to privacy (due to a GDPR violation). Instead, case law thus far gives the impression of Dutch courts resorting to ballpark guesses and a ‘feels right’ approach that is - technically - at odds with Dutch legislation and case law on determining damages in civil suits.
The monetary claims against TikTok are remarkable because Dutch courts so far tend to award damages of between EUR 250 and EUR 500 in cases of GDPR breaches, a fraction of what is claimed here. A single exception exists, in which the court awarded EUR 2,500 in damages for the unlawful retention of the claimant’s medical record. Since this concerned so-called sensitive data (which is subject to a stricter regime under GDPR), a higher compensation was awarded. Consequently, there is now a precedent for compensation higher than ‘usual’ for breaches of ‘stricter’ requirements of the GDPR. Whether TikTok’s alleged breaches are of similar magnitude remains to be seen – though the interest organisations have argued that the age of the children and the materiality and duration of the breaches justify the substantial damages they have claimed.
Developments across Europe
The Dutch courts are not alone in their struggle with pinning a number to GDPR infringements or the question of when a GDPR infringement results in damages. Similar questions on how to determine damages are raised abroad. Last May, the Austrian Supreme Court filed questions with the European Court of Justice (ECJ) for a preliminary ruling, including on whether a mere breach of the GDPR suffices for the award of damages or whether such a breach must carry consequences of some weight. While the procedure with the ECJ is expected to last for 2 years, it is evident that the answers will greatly influence claims for damages under the GDPR going forward.
Across the pond, the UK Supreme Court recently dismissed a case brought against Google for the infringement of United Kingdom data legislation, because the claimants sought to apply an abstract ‘lowest common denominator’ approach to the damages. The Supreme Court disagreed with this process and ruled that a claimant must prove that sufficiently serious damage occurred for each individual member of the represented class.
In the Netherlands, in contrast, in a recent judgement under the pre-WAMCA regime against Volkswagen in the ‘dieselgate’ litigation, the district court of Amsterdam handed down a declaratory judgement in which Volkswagen was declared liable to each purchaser of a Volkswagen diesel vehicle. The district court set the same amount of damages for each class member regardless of individual circumstance, such as the price or type of the vehicle they bought, showing the court’s willingness to award abstract damages.
Certain procedural issues in the early stages of the TikTok case could give more insight in the relative novel WAMCA mechanism, such as the appointment of an exclusive representative among the interest organisations. Under the WAMCA, the court-appointed exclusive representative will take the lead role in the proceedings (a system bearing resemblance to the US lead plaintiff system - for more information, see our update on the first anniversary of the WAMCA). It could be, for instance, that the court considers the backing of the Consumer Association (Consumentenbond), the largest consumer rights organisation in the Netherlands.
Get in touch
Our team has extensive experience with privacy/GDPR matters, class actions and -settlements and other forms of collective redress.