ICAM is admissible in its proceedings against the State, GGD GHOR and the GGDs ("the State c.s."), the District Court of Amsterdam ruled in its judgment of July 17, 2024. The proceedings concern the large-scale data leak that occurred at the GGDs during the corona pandemic ("the GGD data leak"). ICAM represents the interests of the 6.5 million Dutch people affected by this data breach. With the proceedings, ICAM aims to provide clarity about the scope and consequences of the GGD data breach on the one hand, and on the other hand to induce the government to pursue a higher level of information security in general. ICAM also claims compensation for the material and immaterial damages suffered by the victims as a result of the GGD data breach. In this blog, I discuss the admissibility judgment, focusing in particular on the court's considerations regarding the admissibility of the non-material damages claims.
The proceedings brought by ICAM concern a collective action to which the Mass Action Settlement Act ("WAMCA") applies. The court finds that ICAM meets all the admissibility requirements set by the WAMCA in Articles 1018c Rv and 3:305a BW.[1] Its summons contains the required descriptions and particulars and ICAM as a foundation is also admissible. ICAM has brought claims seeking to protect the interests of the persons for whom it acts. ICAM's statutory objectives serve the public interest and it is also active in the field of data protection within the meaning of Article 80 AVG in view of its activities.
The guarantee requirement of Article 3:305a (1) and (2) BW is also met, according to the court. ICAM is representative, that is, it represents a sufficient proportion of the total constituency in the proceedings. Moreover, the court emphasizes that the fact that this is a limited percentage of all persons for whom ICAM stands up (6.5 million) does not detract from ICAM's representativeness.
Finally, the court finds that ICAM has an adequate supervisory body, appropriate and effective mechanisms for participation or representation in its decision-making, and that it has sufficient resources to bear the costs of these proceedings, and that in doing so, it has sufficient control over the legal action.
Because ICAM is the sole plaintiff in this case, the court also designates it as exclusive advocate.
The court then tests whether the claims brought by ICAM are also admissible. ICAM has categorized the 6.5 million people whose personal data have been included in the GGD systems into two groups: Group A and Group B. Briefly, Group A consists of the people whose personal data have been processed in one or both of the GGD systems. Group B consists of individuals for whom, in addition, it has been determined or will be determined during the proceedings that their personal data has been accessed without authorization through the GGD data breach or has fallen into the hands of unauthorized individuals. For both groups, ICAM has brought claims for compensation for material and immaterial damages within the meaning of Article 82(1) AVG. I will limit myself in this blog to discussing the court's judgment on Group A's immaterial damages claims.
The WAMCA provides that in a class action the questions of fact and law must be able to be answered without having to consider the particular circumstances of the individual interested parties. In other words, the interests whose protection ICAM seeks must lend themselves to bundling. Indeed, in that case it is more efficient and effective for them to be adjudicated in one collective proceeding rather than in a variety of individual proceedings. The Court considers the circumstances of the victims in Group A to be largely comparable. The judgment thereby differs from the opinion of the Court of Amsterdam in the case of TikTok, where the Court considered the claims insufficiently similar due to the wide variety of existing differences in the use of TikTok by the victims.
The court then discusses whether the aggrieved persons in Group A are also entitled to immaterial damages. The court ruled that immaterial damages can be awarded only to persons with respect to whom not only a violation of the AVG occurred, but who also actually suffered damage as a result. In doing so, the court considered the following:
It is therefore required that the injured party prove that provisions of the AVG have been violated. That is precisely not the case here, because, according to ICAM, Group A involves individuals who are uncertain whether or not their data have been stolen. For that reason alone, these individuals cannot claim damages.
This consideration is remarkable because it is not at all in dispute between the parties that provisions of the AVG have been violated. ICAM has argued that the State et al. violated Articles 24, 25, 32, 34 and 35 of the AVG. A violation of Articles 24, 25 and 32 AVG has also been found by the AP and is not disputed by the State et al. Although there is uncertainty about the follow-up question: whether or not the data of the victims from group A were actually stolen, it is certain that the AVG has been breached with respect to these victims. After all, their data were in one or both of the GGD systems, which had numerous security flaws, and thus there has been a breach of the AVG.
The court continued by initially considering, in line with ECJ case law, that a data subject's fear of possible misuse of their personal data by third parties following a breach of the AVG may constitute immaterial damage. However, the court went on to consider that the fear alleged by ICAM is not the fear that third parties will misuse the personal data they have unlawfully obtained (the court calls this "the fear after a breach"), but "the fear of a breach": in other words, the fear that third parties might have unlawfully obtained personal data and might then misuse it. Because ICAM bases its claims on the fear of infringement, the court held that, based on the case law of the ECJ, immaterial damages can be awarded for this.
First of all, it is unclear from what the court deduces that ICAM would base its claims on the fear of infringement, since it has invariably been argued by ICAM that the aggrieved have a fear of misuse of their data ("the fear following an infringement"). Indeed, as noted above, that infringement is well established.
Second, the court compares the fears of the victims in Group A with the fears in the ECJ's MediaMarktSaturn case. In that case, a document containing personal data was provided to an unauthorized third party, where, according to the national court, it was established that the third party had no knowledge of the content of the document. The data subject feared that his data might be disseminated or misused in the future, given the possibility that the third party might have made a copy of the document before it was returned. The question before the ECJ was whether this fear constitutes immaterial damage within the meaning of Article 82(1) AVG.
The Court, in line with its previous case law, considers that the concept of "non-material damage" must be defined autonomously and uniformly. Moreover, the concept should be interpreted broadly, in line with the objective of the AVG to provide natural persons with a high level of data protection. The fear that a data subject harbors after a breach of the AVG about possible misuse of his personal data by third parties may constitute immaterial damage. The Court reiterates that the loss of control over personal data - even during a short period of time - may cause immaterial damage to the data subject for which there is a right to compensation, provided that the data subject proves that he actually suffered such damage.
A breach of the provisions of the AVG - logically - does not automatically give a right to damages. Data subjects bringing an action for damages supported by Article 82 AVG must prove the existence of such damages. The ECJ further considers that a purely hypothetical risk that an unauthorized third party will misuse personal data cannot give rise to damages. According to the ECJ, such a purely hypothetical risk exists if no third party has knowledge of the personal data in question.
Back to the case against the State et al. The District Court thus makes the comparison with MediaMarktSaturn and draws the conclusion that here, too, there would be a purely hypothetical risk, since it has not yet been established for the victims in Group A that their personal data were actually stolen. In doing so, however, the court fails to recognize that the risk of abuse in this case is certainly not "purely hypothetical". After all, it has been established for over 1,350 individuals that their data has actually been misused, and for all other individuals in the database, we simply do not know at this time. As the court itself also considers, the conclusion cannot be drawn without question that no data theft other than that identified by the police so far has taken place.
The cause of the breaches was - among other things - the inadequate security of the GGD systems. The breach thus relates to the exposure of all that personal data. The subsequent actual capture of that data is the consequence. In other words, the fact that it has not yet been established that the personal data of the victims from Group A have actually been stolen - which is precisely what ICAM wants to clarify by means of these proceedings - does not alter the fact that there has been a breach in the first place.
Breaches of the AVG have resulted in the loss of control over their personal data for all 6.5 million individuals, for which there is a right to compensation. This is also how the ECJ ruled in Gemeinde Ummendorf. The national court in that case held that the mere loss of control over personal data is not sufficient to constitute non-material damage within the meaning of Article 82(1) AVG. According to that court, in order for immaterial damage to be recognized, a "de minimis threshold" must be crossed. Not so, the ECJ ruled, reiterating once again that Article 82(1) AVG precludes a national rule or practice under which immaterial damage within the meaning of that provision can only be compensated if the damage suffered by the data subject reaches a certain degree of severity.
As the ECJ held in the NAP judgment, three cumulative conditions must be met in order to be entitled to damages within the meaning of Article 82(1) AVG. There must be a breach of the AVG, the data subject must have suffered damage as a result, and there must be a causal link between that breach and the damage. These three conditions are necessary - and also sufficient - to be entitled to damages within the meaning of that provision. No additional conditions can be imposed, such as the appreciability of the harm or the objective nature of the infringement. It is therefore not a question of suffering pecuniary damage as a result of loss of control, nor is it a question of the loss of control resulting in negative feelings such as fear, anger, stress and indignation, or problems in the psychological or mental sphere. The loss of control is intangible damage.
According to the ECJ, in cases where the party concerned relies solely on the fear of future abuse, as is also the case in the proceedings against the State c.s., the national court must assess whether this fear is well-founded in the concrete circumstances of the case. However, the court did not get to that assessment at all, as it wrongly assumed that the fear put forward by ICAM refers to fear of infringement, rather than fear of abuse.