Amsterdam District Court 29 December 2021, ECLI:NL:RBAMS:2021:7647
Case Overview
The Privacy Collective ('TPC') claims to act on behalf of all Dutch internet users in these WAMCA proceedings. TPC alleges that the software companies 'Oracle' (Oracle Nederland B.V., Oracle Corporation and Oracle America, Inc.) and 'Salesforce' (SFDC Netherlands B.V. and Salesforce.com, Inc.) violated the privacy of 10 million Dutch internet users by, in brief, collecting, processing and selling personal data to third parties and enabling them, inter alia, to offer personalised advertisements on websites. In addition, TPC alleges that the privacy of Dutch internet users had been infringed by a data breach at Oracle. In brief, TPC claimed, as a declaratory judgement, that Oracle and Salesforce are liable for all direct and indirect damage caused amounting to a total of EUR 11 billion.
The Judgement
Admissibility phase
In this ruling, the Court determined whether TPC meets the admissibility requirements mentioned in Section 3:305a (1) to (3) of the Dutch Civil Code ('DCC'). Article 3:305a paragraph 2 of the DCC requires, inter alia, that the representativeness of particular interest group represented by TPC sufficient in relation to the constituency and the scope of the represented claims (in Dutch voldoende representatief).
From the judgement it becomes clear that TPC stated the following on its website:
"HOW MUCH IS YOUR PRIVACY WORTH TO YOU? We are taking two large tech companies to court to claim compensation for the large-scale theft and sale of data of millions of Dutch citizens, without valid consent. (...) "
By clicking on the webtext "support with 1 click", users were encouraged to show their support. On this basis TPC claimed that it had obtained more than 75,000 likes.
The Amsterdam Court decided that TPC had not factually proven how many people were in support of TPC's action and consequently the actual content and scope of its claims. According to the Court, simply clicking on a webtext does not automatically ensure that a declaration of support has been obtained as intended by the requirement of representativeness. Moreover, critical information concerning the nature and purpose of these proceedings is clearly missing. According to the Amsterdam Court, TPC's submission stating that more than 75,000 persons from its supporters have expressed their support by clicking on the support button cannot be upheld as true. The Amsterdam Court also considered that TPC's assertions, stating that it has provided information regarding these proceedings elsewhere on its website and via other channels (such as in newsletters and at conferences), does not alter the Court's viewpoint. The Court therefore ruled that, based on submitted documentation by TPC, it remains unclear how many likers have been supporting TPC's action.
The Court furthermore considered of great importance that TPC does not register any data regarding likers of the webtext. In this respect, the Court observed that, even though the legislator does not require organisations to submit a list of supporters' names and details, organisations should accurately describe the individuals they are representing. According to the Court, the current 'like' system does not provide conclusive evidence of whether individuals, who have given a 'like' via clicking the webtext, belong to the group represented by TPC. The Court decided that, due to the absence of such registered contact details, TPC has also not been able to (fully) comply with the admissibility requirements of transparency and governance – for example by organising participation in or representation in decision-making for the individuals on whose behalf the legal action has been instigated (Section 3:305a(2)(b) of the DCC). Hence, the absence of contact details prevents TPC from communicating with the individuals.
Finally, the Amsterdam Court considered that - contrary to TPC's argument - the fact that TPC is supported by privacy organisations does not result in 'sufficient' representativeness as mentioned above. The existing WAMCA legislation defines a 'constituency' narrowly as those injured individuals on whose behalf a WAMCA case has been submitted and therefore does not include the privacy organisations supporting TPC's actions.
The Amsterdam Court stated that this also applies to TPC's claims relating to the alleged data leak at Oracle. According to the Court, the claims lack a sufficient connection to the Dutch jurisdiction, as required by Section 3:305a(3)(b) of the DCC. Fact is that the event occurred in the United States of America, where Oracle's database is located. In relation to Oracle's undisputed assertion, that at least in eighteen cases it was proven that personal data coming from the Oracle database could be traced back to the Netherlands, the Court concluded that it was not convinced that a majority of the individuals affected have their actual residency in the Netherlands. In addition, the Court decided that the consultation requirement of Section 3:305a(3)(c) of the DCC has not been met, merely because the data leak has not been mentioned in TPC's letter to Oracle and consequently no consultation was scheduled regarding this issue.
TPC was not granted an opportunity to prove that its claims are supported by a sufficiently large group of injured individuals. In this respect the Court considered it should act cautiously when offering a remedy, particularly in light of (i) the importance of the representativeness admissibility requirement and (ii) the requirement of due process. Only special circumstances allow a different approach (HR 3 April 2020, ECLI:NL:HR:2020:587 (Trafigura I)). The Court stated that no such circumstances are at hand. The Court therefore concluded that TPC's claims were inadmissible due to insufficient representativeness.
The Amsterdam Court did not discuss the other conditions mentioned in Section 3:305a of the DCC, because TPC's claims were already declared inadmissible. Interestingly, to benefit future WAMCA cases concerning privacy rights, the Court identified a different area of dispute that "has been an important part of the debate between the parties". Namely, how the WAMCA and the GDPR legislations relate to one another. However, the Court was not able to assess this issue. Nevertheless, the Amsterdam Court did include reasoning on this topic in the judgement.
WAMCA/GDPR
The GDPR distinguishes two forms of advocacy in Article 80. Paragraph 1 regulates the possibility for data subjects to instruct a non-profit body, organisation or association to exercise on their behalf the rights referred to in Articles 77, 78 and 79 and to exercise on their behalf the right to compensation referred to in Article 82. Paragraph 2 provides for the possibility to lodge a complaint and exercise the rights referred to in Articles 78 and 79 independently of the mandate of a data subject. Article 80(2) GDPR, unlike Article 80(1) GDPR, does not refer to Article 82 GDPR which lays down the right to damages. Oracle and Salesforce therefore take the view that the possibility of exercising certain rights under the GDPR independently of the instructions of the data subject does not include the right to compensation under Article 82 GDPR. Oracle and Salesforce further submit that a collective action for damages under the WAMCA for infringement of the AVG is contrary to EU law. The Union legislator wanted to prevent a commercial claims culture in the context of data protection, according to Oracle and Salesforce. TPC disputes this argument. It submits, inter alia, that the text of Article 80(2) GDPR (i.e. the absence of a reference to Article 82) does not a contrario infer the intention of the Union legislature to exclude such a provision. TPC also points out that Article 80(2) GDPR does refer to Article 79 GDPR. The 'effective remedy' referred to there also includes damages. TPC further argues that Article 80(2) GDPR is addressed to the Member States and serves only to confer powers on the Member States, not to limit them. Member States are free to transpose this provision or not, according to TPC. The interpretation advocated by Oracle and Salesforce is also inconsistent with the Representative Representatives Directive (2020/1828). According to TPC, there is also no reason to assume that the GDPR would want to interfere with the principle of procedural autonomy. The Dutch legislator takes as a starting point that the Representative Claims Directive further simplifies actions on the infringement of data protection law. The Court will not be able to make an assessment on this point, because TPC's claims are inadmissible on other grounds.