In the October 2023 newsletter, Christoph reflected on the possibility of bringing similar class actions on AI in the Netherlands as well. In this post, I will take a closer look at this phenomenon - also aptly referred to as mass claims - with a view to conflicts in the tech sector. These are mainly mass claims brought against large, international tech companies in the Netherlands. The reason is usually a breach of competition rules or violation of the privacy of (end) users.
A new legal regime exists in the Netherlands since 2020 that allows mass claims to be brought on behalf of all aggrieved parties of a particular event and also claim collective damages in the process. This is a significant broadening because now (i) in principle everyone is represented unless they exercise their opt-out right, and (ii) the damages cover the entire group and can therefore amount to astronomical sums. This also explains why, certainly in comparison to other countries, there are many mass claims pending here (already more than 80 by now, see the WAMCA register (1)).
Please note that the vast majority of these cases concern actions against the government (e.g. the introduction of the UBO register or ethnic profiling), or only the taking of provisional measures or a declaration of right (e.g. a recent case by Dier&Recht against the importation of calves), and thus explicitly not damages. However, the latter element is central to mass claims in the tech sector with typically millions of injured parties and thus American states. So far, there are over 20 cases, many of which have to do with alleged abuses in the tech sector, or are indirectly related to it (such as diesel cars with their tampering software used to meet emissions standards).
So what are the abuses in the tech sector that can be addressed with mass claims? As already touched upon, these involve two major challenges in today's tech industry, namely (i) dealing with and complying with privacy rules and (ii) competition law perils resulting from the fact that some tech companies have become so large that they can behave to a large extent independently of competitors and then (can) abuse this dominance.
The informed reader will, of course, immediately think of various actions in the regulatory arena that are already fully focused on these abuses. Think, for example, of growing calls in the U.S. to break up large tech companies to limit their market power, of recent attempts to introduce stricter rules for children's online privacy on social platforms, or of investigations by regulators in the EU into certain behaviors of large tech companies (including Amazon, Apple and Google). With mass claims, consumers or citizens now have a tool to take direct action against these abuses and hold tech companies accountable through high damages. I will illustrate this using some concrete pending actions in the Netherlands.
Privacy violations
To begin with the most obvious example, privacy. The all-pervasive topic that is unthinkable in today's society with a high degree of digitization. This is evident, for example, in the figures of data breach notifications made to the Autoriteit Persoonsgegevens (AP) as the regulator; as of 2019 with a record number of nearly 27,000 (!) notifications, an average of 24,000 data breaches are reported per year. In addition, the AP is engaged in other privacy breaches, either in response to complaints filed with it (with nearly 28,000 in 2019 and over 13,000 in 2022) or in connection with its own investigations or enforcement (with 41 investigations and 13 fines imposed in 2022).
This overview immediately shows that the administrative law route is reaching its limits and, moreover, can only lead to fines for violators. For (mainly immaterial) compensation, one must individually turn to the courts, which have occasionally awarded lump-sum compensation. It is noteworthy that this happens mainly in administrative law, i.e., in conflicts with the government (for an analysis see my contribution in TvIR 2023 No. 6 (2)).
With the advent of the new mass claims regime (the so-called WAMCA), this has changed now that it is possible to bundle individual claims for damages. The idea is simple: a violation of privacy rules individually causes a small damage which, however, when added together, namely as a result of the multiplier of hundreds of thousands if not millions of victims of the same conduct or event, leads to literally billions of claims. A sampling of the pending mass claims shows that these involve a variety of privacy rule violations, almost all of which have to do with the tech sector or IT-related issues.
Oracle & Salesforce (Aug. 20): this first major WAMCA case looks at real-time bidding and privacy law concerns in that context (including cookie sycing). However, in December 2021, this claim was dismissed at the formal stage because 75,000 likes are not sufficient to demonstrate the representativeness of the claim foundation. This case was restarted in March 2023.
TikTok (June 21): this class action is being pursued by as many as three different competing claim foundations claiming amounts between EUR 1.4 and 5.4 billion in damages for various violations of the AVG. This is also the first major WAMCA case in which a so-called Exclusive Advocate has been appointed to conduct the collective action on behalf of all aggrieved (at least two, i.e., one for the aggrieved minors and one for the adults).
GGD data breach (March 23): this case involves personal data collected from various GGDs in the context of coronate testing and shared with third parties due to careless shielding in IT systems. It involves a total of EUR 3.5 billion in damages.
Google (Sept. 23): this action looks at various privacy and consumer law violations resulting from the use of Google services and products. Meanwhile, a second claims foundation has come forward and will also launch a mass claim.
X/Twitter (Sept. 23): this case concerns so-called trackers in various third-party mobile apps that can be downloaded for free that then collect personal data and share it with third parties.
Amazon (Oct 23): this class action concerns Amazon's advertising business, that is, the processing of personal data via cookies as part of its services. It also appeals a EUR 746 million fine imposed by the regulator in Luxembourg.
Meta (Nov. 23): this case concerns the use of personal data on Facebook, at least the creation of profiles for targeted advertising and the transfer of data to the US. It also invokes previous fining decisions, namely from the Irish regulator with fines of EUR 210 million for unlawful processing and EUR 1.2 billion for unlawful transfers. In total, damages of EUR 12.8 billion are claimed.
Adobe (Dec. 23): the most recent class action concerns the processing of personal data by the AdTech industry, specifically by Adobe which collected personal data and processed it into profiles that were then offered to third parties.
All these cases are still at the formal stage of reviewing the admissibility of the foundations bringing the collective claims on behalf of their constituents. In addition to the question of whether the new regime applies (with a cut-off date of November 15, 2016), a high-profile interlocutory ruling in the TikTok case held that that the non-material damages of the aggrieved cannot be bundled. The reason was that (at least in this case) it has not been shown that all aggrieved parties suffered the same damages because, in short, everyone experiences the alleged privacy violations differently. Thus, for the time being, the claims for compensation of immaterial damages (calculated as a lump sum per aggrieved person) appear to be in doubt, but the last word on this matter is far from being said in view of appeals and possibly different decisions by other courts.
Competition law violations
In addition, the civil law closure of competition law violations is also gaining new momentum. This mainly concerns so-called follow-on actions in competition law, i.e. civil damages actions after public enforcement, such as a fine decision. It is an important part of European legislation to encourage private enforcement and thereby promote compliance with competition law. This has led to some major court cases in the Netherlands (including damages actions concerning the air-cargo, elevator and trucks cartel). These cases are between producers (the cartel participants) and their professional customers who have overpaid for certain goods or services, and thus in the B2B sphere.
Here too, the WAMCA offers a new possibility of recovering damages. This time by consumers who, as end users/customers, have ultimately paid too much provided the extra price was also passed on to them (for which a legal presumption of proof exists). Whereas in cartel cases one has previously had to litigate on the basis of an assignment or with multiple claimants, this can now be done on behalf of all victims unless they have chosen not to participate (the opt-out). This makes it easier to initiate a damages action on behalf of a large group of consumers. In addition, the WAMCA makes it possible to claim collective damages that in principle cover the entire damage caused by a competition law infringement.
Again, the pending mass claims show that various violations of competition law are involved, with the main categories being cartel cases and abuse of dominant position (Art. 101 and Art. 102 Treaty on the Functioning of the European Union, respectively), and that the arrows are often pointed at the tech sector.
Apple (Oct 21): this action deals with the app store and the commission charged therein for offering apps and in-app purchases, as well as various other forms of abuse of dominance. In late 2023, preliminary questions were raised about the relative jurisdiction of the Dutch court.
Google (Oct 22): this action looks at Google's app store with similar competition law allegations. In Dec. 2023, it was held that the WAMCA applies even though the imputed acts existed long before the Nov. 15, 2016 reference date.
Samsung (Dec. 23): this case is the first follow-on proceeding under the WAMCA and concerns the cartel in respect of TVs in the period 2013 to 2018 that was fined by the ACM on Sept. 14, 2021 (with confirmation of this sanction decision on Nov. 13, 2023).
As a (tech) company, should I fear this development now? Not necessarily, because ultimately it is about compliance with laws and regulations that are required even without mass claims. In other words, there is only a risk if a certain behavior does not pass muster.
Only, this risk becomes significantly higher because the potential (financial) exposure is much greater because there is no individual plaintiff, but a collective that can bring claims related to the same facts and events (provided they are bundleable). On top of that, some claims are also more likely to be brought because there is external funding that makes a case possible and, according to critics, is the driving force behind the proliferation of class actions that often seek sky-high damages. On the other hand, certain claims may otherwise not be brought, for example because individual litigation is not feasible given the complexity and amount of damages claimed (hence the sometimes used designation as "straw damages").
Regardless of this discussion; mass claims are now a given in the Netherlands and will also lead to similar actions outside the Netherlands as a result of the Directive on Representative Consumer Claims (which came into force in June 2023). This also includes a trend of the same collective actions being brought in different countries. Tech companies - given their global reach, uniform business model and huge turnovers - are a very likely target, each of which will raise issues that are part of the reality of our digital economy.
(1) https://www.rechtspraak.nl/Registers/centraal-register-voor-collectieve-vorderingen
(2) https://kvdl.com/artikelen/het-recht-op-schadevergoeding-bij-immateri%C3%ABle-schade-onder-de-avg
