This August the Dutch foundation Privacy Collective announced a class action lawsuit against data companies Oracle and Salesforce, accusing the data brokers of breaching the EU’s General Data Protection Regulation (GDPR). The Privacy Collective argues that both companies unlawfully (without consent) collect and process personal data of Dutch internet users. The foundation believes the collective claim could exceed the amount of 10BN EUR.
This class action lawsuit will be followed with great interest. It’s the first case in which a class action is used to claim damages with regard to an infringement of the GDPR. New Dutch legislation enables this since January 2020. It empowers representative entities to bring damages claims on behalf of affected consumers living inside or outside the Netherlands in a class action before any district court in the Netherlands. This includes damages suffered outside the Netherlands.
Class actions may become a new ‘weapon’ for representative entities to defend privacy rights of consumers. A procedure through civil court is expected to be faster than filing a complaint and waiting for the national supervisory authority to start an investigation and eventually impose a fine.
It’s worth mentioning this Dutch class action legislation is ahead of a new European directive, which will give EU citizens broader opportunities for the collective defence of their rights. For example, the directive will allow EU citizens and representative entities to file a class action lawsuit in other EU member states.
A question that rises, is which price tag to put on a privacy breach? Recently, there have been a few Dutch court rulings that give some guidance. For example, in 2019 a district court granted 250 EUR for immaterial damages suffered due to a breach of the GDPR.
Not an exorbitant amount, but the implications of this court ruling might be far reaching. A GDPR breach can be considered a breach of fundamental law and may result in compensation for non-material damages. If such damages are granted in a class action, the amount awarded in damages could seriously add up.
The use of class action legislation to claim damages based on GDPR infringement should be a wake-up call for data driven organisations where GDPR compliance is crucial. Not only a financial, but also reputational risk should cause organisations to process personal data (more) diligently, implement and monitor necessary procedures and become transparent towards data subjects. If there was a time to give GDPR compliance priority, it’s now.