In August 2020, The Privacy Collective sued Adtech giants Oracle and Salesforce. The mass tort case resumed on appeal with oral arguments before the Amsterdam Court of Appeal last Thursday. Although a damage claim of 10 billion is on the table, what is at issue is not the amount of this sum but the admissibility of TPC as an advocate. But why could TPC not act as an advocate when it enjoys broad support from several NGOs and the Dutch Consumers' Association? Read it in this article.
A brief summary of the case: it involves substantive allegations against Oracle and Salesforce. They are alleged to have committed large-scale and systematic violations of the privacy of Dutch Internet users through the services they offer. At issue are Data Management Platforms (DMPs). These platforms are accused of collecting huge amounts of personal data from Internet users without their consent, using it to create detailed profiles and monetizing this information through Real Time Bidding (RTB). All this, according to TPC, would lead to a violation of the AVG and the Telecommunications Act (1).
First, what about that enormously large sum of 10 billion? The subpoena describes the severity and scope of the alleged privacy violations. In the 226-page document, TPC seeks compensation based on the intangible damages allegedly caused by the unlawful processing. The foundation demands a lump sum compensation, which serves as a practical solution for determining damages. The choice of an abstract budget of €500 per affected individual is based on the severity of the alleged violations, the nature of the personal data processed and the degree of culpability. Such an estimate of damages is particularly relevant in the context of AVG violations, where intangible damages cannot be precisely quantified. However, lump sum compensation is inconsistent with the nature of Dutch damages law because such compensation would indicate a punitive function of this law. TPC invokes the exception to this rule given the obvious adverse consequences caused by the violations of fundamental rights. It points here to the Supreme Court's preliminary ruling in the Groningerveld case (2) which defined such an exception.
TPC's position, supported by extensive technical research, including research by Dr. Muhammad Ahmad Bashir (3), highlights the privacy-sensitive nature of tracking technologies from Oracle, Salesforce and the Adtech industry in general. Findings from the study reveal the placement of tracking cookies on a wide range of popular Dutch websites, leading TPC to conclude that virtually every Dutch Internet user has been affected. The extent of the alleged data collection and processing, combined with subsequent breaches and leaks, underscores the potential danger to the privacy and control over personal information of Dutch Internet users.
The oral hearing of the appeal case took place last Thursday, during which the foundation was given another opportunity to demonstrate its admissibility. The foundation stands up for all Dutch Internet users who have Oracle and Salesforce tracking cookies on their computers. Despite broad support from several NGOs and the Dutch Consumer Association, the representativeness of the foundation is far from established. The question of whether the foundation is sufficiently representative of its supporters was answered in the first instance in the negative because of the 'Like' system chosen by TPC (4). The court ruled that supporters would not be aware of what they were supporting by the mere clicking of a support button. Furthermore, the circumstance that the foundation acts on the principle of Data minimization , according to the court, would make interaction with the supporters impossible as TPC does not have her contact information. TPC argues on appeal that the court did not correctly assess representativeness. It argues that the organization can reach its supporters, the supporters do know what they support and emphasizes the right of Dutch citizens to be represented through an opt-out system. TPC thus continues to stand behind its data minimization policy as a matter of principle, something the Court can hardly punish the organization for given its raison d'être . Moreover, TPC points to the broad support of a large group of privacy-focused NGOs and the Consumers Union as evidence of its representativeness.
The decision of the Amsterdam Court of Appeal will follow on June 18, 2024. The outcome of the case may set a precedent for private data protection enforcement across Europe, whether or not the admissibility test of the WAMCA is applied.
Want to learn more about the WAMCA and the admissibility test for advocates? Then read the recent article by Anouck Bakhuis (SOLV Attorneys at Law).
(1) https://theprivacycollective.nl/wp-content/uploads/2024/01/RBAMS-dagvaarding-collectieve-vordering-Oracle-Nederland-BV-SFDC-Netherlands-BV-Oracle-Corporation-Oracle-America-Inc-Salesforce-4.pdf
(2) https://uitspraken.rechtspraak.nl/details?id=ECLI:NL:HR:2019:1278
(3) https://www.khoury.northeastern.edu/home/ahmad/publications/bashir-thesis.pdf
(4) https://www.rechtspraak.nl/SiteCollectionDocuments/RBAMS-eindvonnis-tpc-oracle-en-salesforce.pdf
