You are here:
15 December 2021 / news

Privacy, GDPR and class actions: recent developments in the Netherlands

With the Dutch Collective Damages in Class Actions Act (Dutch acronym WAMCA) nearing its second anniversary, there seems to be a trend of bringing claims for privacy breaches through class actions. In this update, we will look at class actions against several tech businesses, taking the class action social media network TikTok as an example.

Recent developments

As we discussed in the June 2020 edition of Quoted, class actions have been brought throughout Europe against social media and other (tech) businesses on the basis of breaches of data protection law (in particular the EU General Data Protection Regulation, GDPR). This development has now expanded into the Netherlands with (i) a class action against Facebook for breaches of the GDPR, specifically by sharing personal data with external developers and other partners; (ii) a class action against software developer Salesforce regarding the processing and sale of personal data for online marketing; and (iii) a class action against TikTok for multiple GDPR violations in particular relating to the collection and processing of the personal data of children, including inter alia failing to provide sufficient information about and failing to obtain parental consent for the processing of the childrens’ personal data.

The claim against Facebook has been brought under the pre-WAMCA regime, which does not allow the court to directly award monetary damages. Instead, the pre-WAMCA regime merely allows for declaratory relief, which serves as a steppingstone for a collective (court approved) settlement and/or individual follow-on proceedings.

With the introduction of the WAMCA in January 2020, interest organisations can (also) claim monetary damages directly in class actions (see our update on the introduction of the WAMCA for more information on the changes introduced by the new system). The claims against Salesforce and TikTok have been brought under the WAMCA system.

Claims

TikTok case

In the TikTok case, three interest organisations brought largely overlapping claims. The claims concern declaratory relief regarding inter alia the legality of TikTok’s general conditions and the processing of personal data, as well as substantial claims for damages, as summarized in the table below:

  Age less than 13 years old Age between 13 - 15 years old Age 16 - 17 years old
Stiching Onderzoek Marktinformatie EUR 2,000 EUR 1,000 EUR 500
  Age less than 13 years old Age between 13 - 17 years old Age 18+ years old
Stiching Massaschade & Consument EUR 1,750 EUR 1,500 EUR 1,250
  Age less than 13 years old Age between 13 - 15 years old Age 16 - 17 years old
Stiching Take Back our Privacy EUR 1,500 EUR 1,250 EUR 1,000

The materiality of GDPR breaches, and accordingly, the commensurate damages, are difficult to quantify. Dutch courts have struggled to pin a specific number to infringements of the right to privacy (due to a GDPR violation). Instead, case law thus far gives the impression of Dutch courts resorting to ballpark guesses and a ‘feels right’ approach that is - technically - at odds with Dutch legislation and case law on determining damages in civil suits.

The monetary claims against TikTok are remarkable because Dutch courts so far tend to award damages of between EUR 250 and EUR 500 in cases of GDPR breaches, a fraction of what is claimed here. A single exception exists, in which the court awarded EUR 2,500 in damages for the unlawful retention of the claimant’s medical record. Since this concerned so-called sensitive data (which is subject to a stricter regime under GDPR), a higher compensation was awarded. Consequently, there is now a precedent for compensation higher than ‘usual’ for breaches of ‘stricter’ requirements of the GDPR. Whether TikTok’s alleged breaches are of similar magnitude remains to be seen – though the interest organisations have argued that the age of the children and the materiality and duration of the breaches justify the substantial damages they have claimed.

Developments across Europe

The Dutch courts are not alone in their struggle with pinning a number to GDPR infringements or the question of when a GDPR infringement results in damages. Similar questions on how to determine damages are raised abroad. Last May, the Austrian Supreme Court filed questions with the European Court of Justice (ECJ) for a preliminary ruling, including on whether a mere breach of the GDPR suffices for the award of damages or whether such a breach must carry consequences of some weight. While the procedure with the ECJ is expected to last for 2 years, it is evident that the answers will greatly influence claims for damages under the GDPR going forward.

Across the pond, the UK Supreme Court recently dismissed a case brought against Google for the infringement of United Kingdom data legislation, because the claimants sought to apply an abstract ‘lowest common denominator’ approach to the damages. The Supreme Court disagreed with this process and ruled that a claimant must prove that sufficiently serious damage occurred for each individual member of the represented class.

In the Netherlands, in contrast, in a recent judgement under the pre-WAMCA regime against Volkswagen in the ‘dieselgate’ litigation, the district court of Amsterdam handed down a declaratory judgement in which Volkswagen was declared liable to each purchaser of a Volkswagen diesel vehicle. The district court set the same amount of damages for each class member regardless of individual circumstance, such as the price or type of the vehicle they bought, showing the court’s willingness to award abstract damages.

Exclusive Representative

Certain procedural issues in the early stages of the TikTok case could give more insight in the relative novel WAMCA mechanism, such as the appointment of an exclusive representative among the interest organisations. Under the WAMCA, the court-appointed exclusive representative will take the lead role in the proceedings (a system bearing resemblance to the US lead plaintiff system - for more information, see our update on the first anniversary of the WAMCA). It could be, for instance, that the court considers the backing of the Consumer Association (Consumentenbond), the largest consumer rights organisation in the Netherlands.

Get in touch

Our team has extensive experience with privacy/GDPR matters, class actions and -settlements and other forms of collective redress. For more information, please contact Mijke Sinninghe Damsté, Kim Lucassen, Marit Bosselaar, Nina Orlić or someone else in our privacy or class action litigation teams.



Brexit Blog 13: Recognition and enforcement of UK judgments in the Netherlands: the Dutch government gives some guidance

Brexit Blog 13

Brexit Blog 13: Recognition and enforcement of UK judgments in the Netherlands: the Dutch government gives some guidance. read more

European Commission publishes legislative tax proposals

The legislative tax proposals build upon the international negotiations on the misuse of shell entities and reform plan of Energy Taxation Directive read more
International Tax Flash: OECD's Pillar Two model rules

OECD publishes Pillar Two model rules on IIR and UTPR

The OECD released its Pillar Two model rules, for participant jurisdictions to implement most of the Pillar Two rules. read more