For the first time in a collective damages action about privacy violations, 2024 starts the substantive debate: on January 10, 2024, the District Court of Amsterdam appointed two exclusive advocates to represent the interests of all Dutch users of the TikTok application in proceedings against the companies behind TikTok. The stakes of these proceedings: compensation for the TikTok users and an order for the companies to comply with (among others) the AVG (1). In this post, Damien Berkhout describes the enforcement deficit at play in privacy violations and why collective actions will help reduce some of this problem. He then discusses lessons for future collective actions.
There is an enforcement problem with privacy violations. This problem arises because such violations often affect many individuals, but those affected rarely take legal action in response to the wrongful conduct. The examples are easy to find. Consider a data breach, which puts the personal data of many customers in the hands of hackers, or seemingly innocuous applications on your phone that appear to systematically process special personal data without basis. These types of breaches are (unfortunately) commonplace, but few people subsequently take action against them.
This is called the "collective action problem": the fact that it is "rational" for affected stakeholders not to take legal action against the wrongdoer because it costs too much money and time compared to the maximum achievable benefit of the proceedings. At the individual level, the benefit of a good judgment and protection of privacy does not outweigh the costs of the proceedings. This while in total - viewed from the perspective of the entire group of those affected - there is extensive social damage.
This enforcement deficit cannot be solved by the valuable work of public (privacy) regulators such as the Personal Data Authority ("AP"). First, because the AP also does not have the people, resources and time to undo the deficit. There are too many violations. Added to this is the fact that privacy violations are regularly committed by parties with significant financial resources at their disposal. Many of the currently existing (alleged) privacy violations are attributable to companies such as the company behind TikTok (ByteDance, 2023 revenue expected: $110 billion) or other of the world's largest corporations (Meta, Google, and so on). The AP's policy must take into account that it does not have the resources to fight all these wealthy parties at the same time. Third, aggrieved parties do not benefit sufficiently from public enforcement. Usually, public enforcement is aimed at stopping violations. Thus, the victims of the violation are then left with the damages already suffered.
Therefore, it is important that private enforcement is also possible. In private enforcement, a civil party seeks an end to the privacy violation in an action, often supplemented by a claim for damages for harm suffered as a result of the violation.
Moreover, a solution to the collective action problem is available in the Netherlands: private enforcement is also possible through collective action based on the Law on Settlement of Mass Damage in Collective Action ("WAMCA"). Since Jan. 1, 2020, representative interest groups can bring a claim on behalf of a group to be represented (or the public interest) and thereby also claim compensation for the affected group members (2). In order to bring such a collective action, however, the interest representative must meet a series of (strict) admissibility requirements. These include conditions relating to the governance and expertise of the advocate, among other things, and the plaintiff must also demonstrate that it has a constituency (and thus is "sufficiently representative").
After a collective action is instituted, the interest representative concerned must register an extract of the collective action in the collective action register (Article 3:305a paragraph 7 BW and Article 1018c Rv). This is done so that other interest representatives have the opportunity to submit a competing claim of a similar nature within the waiting period of, in principle, three months (article 1018d Rv). These other interest representatives will usually argue that they are more suitable than the party that first filed the claim, but it may also be that the interest representative just wants to file other claims or represent the interests of a different (or larger) group in the similar situation.
The court must then determine in the first phase of the proceedings whether there is an admissible claim. From among the admissible representative advocates, the judge must appoint an "exclusive advocate" (article 1018e Rv). Persons in the narrowly defined class established by the court are thereupon represented by the exclusive representative advocate, unless, as a person in the class, you use the option to opt out of the class by means of an "opt-out" declaration. Persons who do not make an opt-out statement, those are basically bound by the final judgment(3).
The second stage of the proceedings is then the substantive debate of the case. Thus, in privacy-related WAMCAs, the debate will then include whether there is a privacy violation and what consequences should be attached to it. In privacy breach WAMCAs to date, damages are always sought as well.
In the TikTok case, representative advocacy organizations succeeded for the first time in getting past the admissibility stage (4). Another, previously filed comprehensive privacy case against Salesforce and Oracle failed at this stage for the time being. The court ruled that the interest group was not sufficiently representative (5).
The TikTok WAMCA is supportive of private enforcement of privacy rights because several important rulings were made by the courts in this case that are also relevant to other privacy class actions for damages. I list some of the lessons learned.
International jurisdiction court. First, it follows from the TikTok WAMCA that Dutch courts may have international jurisdiction to adjudicate a case even if the controller is not based in the Netherlands. TikTok has raised extensive defenses that the Dutch courts lack jurisdiction because its companies are not based in the Netherlands. But this defense was (rightly) rejected by the court for several reasons. At its core, an advocate has jurisdiction under Article 79(2) AVG because the Dutch data subjects (whose personal data are processed) usually reside in the Netherlands (6). A similar analysis and conclusion can be expected in many other privacy cases.
A roadmap for others. Second, through the TikTok WAMCA, the Amsterdam court provided a roadmap that other representative advocacy organizations can follow to be admissible in a similar privacy-related WAMCA case (7). That roadmap shows that the court will test rigorously but fairly whether the advocacy organization is independent, has expertise, has its governance in order, and whether a sufficiently large group has joined to make the advocacy organization sufficiently representative. The roadmap is worth a lot because it provides legal certainty to litigants (8).
Bundling of substantive damages claims is possible. Third, the court has held that substantive damages claims in privacy WAMCA proceedings can be bundled for the time being (9). That is to say, in the substantive phase of the TikTok WAMCA, exclusive advocates will be able to argue that damages should be paid to TikTok users. Incidentally, it is noteworthy that the court simultaneously ruled that the claim for immaterial damages could not be bundled (10). On this, the court stated that any claim for immaterial damages depends too much on the individual situation of the user and that there will also be users without damages. I predict that this is not the last word on this and it seems to me that it depends on the circumstances of the case whether bundling of an immaterial damages claim is possible.
The exclusive advocate. Fourth and finally, it is useful that the Amsterdam court provided more clarity on how an exclusive advocate is selected. First of all, the court (rightly) makes it clear that the circumstances explicitly mentioned by the law are not exhaustive (11). After all, the legal norms are only tools and the point is to select the most suitable party. Secondly, it appears that in each case the court looks at: (i) the knowledge and experience present at the foundation, (ii) the size of the (Dutch) constituency and (iii) whether there are cooperative arrangements with relevant social organizations.
In the TikTok WAMCA, three advocates ended up being admissible: Take Back Your Privacy ("TBYP"), Stichting Massaschade en Consument ("SMC") and SOMI. TBYP became the exclusive advocate for Dutch children, SMC for adult users of the TikTok application(12). SOMI remains a party to the proceedings, but in principle no longer performs litigation acts (13). This is presumably partly because TBYP has brought its claims purely on behalf of minor TBYP users and SMC is the only one also on behalf of adults. Incidentally, the court expects TBYP and SMC to coordinate their pleadings as much as possible, because, according to the court, the positions of children and adults will often overlap(14).
The TikTok case is the first class action for damages to reach the substantive stage in an action on the merits, but many more are likely to follow. In addition to the Salesforce/Oracle case already mentioned, class actions have already been filed against Google (15), X (formerly: Twitter) (16), Amazon (17), Meta (18), Adobe (19) and the GGD (20).
These are all cases involving systematic, multiple alleged privacy violations. Moreover, it concerns privacy violations by leading parties in the market. A possible judgment that (for example) Google must adjust its actions to no longer violate the AVG will have a radiating effect on other market parties, just like the case against TikTok will have. At the same time, the "smaller" market parties would do well to keep a close eye on developments. Because the representative advocates who are currently focusing their actions against (especially) Big Tech will surely not stop there and hereafter also look at other market parties. So keeping an eye on the AP is no longer enough for companies: private enforcement is now really getting underway. The die has been cast.
Amsterdam District Court January 10, 2024, ECLI:NL:RBAMS:2024:83. For the record, I mention that I am (have been) involved as a lawyer in the TikTok WAMCA and several of the class actions mentioned in this post.
Collective action under Article 3:305a of the Civil Code also existed before the WAMCA, but the WAMCA introduced important new elements (including an abolition of the prohibition on claiming damages in collective proceedings
I write "in principle" because a second opt-out opportunity arises when a settlement is reached (article 1018h paragraph 5 Rv), and there are also some other nuances to this premise
A comment is appropriate here. Indeed, there have been privacy WAMCAs that have already reached a judgment, such as the case of Stichting Privacy First against the State of the Netherlands with the claim for out-of-work institution of ANPR regulations (District Court of The Hague, ECLI:NL:RBSHA:2021:13165) and the case of Stichting Privacy First against the State about the UBO register (District Court of The Hague March 18, 2021, ECLI:NL:RBDHA:2021:2457). However, these are summary proceedings and this contribution focuses on private enforcement in (i) proceedings on the merits (with substantive debate on the merits), (ii) in which damages are also claimed.
That concerns a case of The Privacy Collective v. Salesforce and Oracle: Amsterdam District Court, December 29, 2021, ECLI:NL:RBAMS:2021:7647. TPC is appealing the judgment.
Rechtbank Amsterdam 9 November 2022, ECLI:NL:RBAMS:2022:6488, r.o. 5.11 - 5.21.
Amsterdam District Court Oct. 25, 2023, ECLI:NL:RBAMS:2023:6694.
Although I expect that the last word has certainly not yet been said on certain legal considerations of the court. However, it is beyond the scope of this short blog to go into more detail about the exact conditions imposed by the court regarding admissibility and funding of collective (privacy) actions.
Amsterdam District Court Oct. 25, 2023, ECLI:NL:RBAMS:2023:6694, r.o. 2.43.
Amsterdam District Court Oct. 25, 2023, ECLI:NL:RBAMS:2023:6694, r.o. 2.44.
Amsterdam District Court January 10, 2024, ECLI:NL:RBAMS:2024:83, r.o. 2.13.
Rechtbank Amsterdam 10 January 2024, ECLI:NL:RBAMS:2024:83, r.o. 2.14 - 2.17.
Amsterdam District Court January 10, 2024, ECLI:NL:RBAMS:2024:83, r.o. 2.14.
Amsterdam District Court January 10, 2024, ECLI:NL:RBAMS:2024:83, r.o. 2.16.
https://www.rechtspraak.nl/SiteCollectionDocuments/Stichting-Bescherming-Privacybelangen-Alphabet-Inc.,-Google.pdf. Zie ook: https://www.rechtspraak.nl/SiteCollectionDocuments/Uittreksel-versie-20-maart.pdf
https://www.rechtspraak.nl/SiteCollectionDocuments/20230908-Stichting-Databescherming-Nederland-v.-X-Corp-uittreksel.pdf
https://www.rechtspraak.nl/SiteCollectionDocuments/Stichting-Databescherming-Nederland-Amazon.pdf
https://www.rechtspraak.nl/SiteCollectionDocuments/Uittreksel-dagvaarding-SOMI-vs-Meta-cs.pdf
https://www.rechtspraak.nl/SiteCollectionDocuments/Stichting-Data-Bescherming-Nederland-v.-Adobe-Inc.-en-Adobe-Systems-Software-Ireland-Limited.pdf
https://www.rechtspraak.nl/SiteCollectionDocuments/RBAMS-dagvaarding-ICAM-vs-de-Staat-der-Nederlanden-cs.pdf