On 18 June 2024, the Amsterdam Court of Appeal issued a significant ruling in a class action brought by a Dutch foundation, The Privacy Collective (TPC), against Oracle and Salesforce. The case, initiated under the Dutch Wet Afwikkeling Massaschade in Collectieve Actie (WAMCA), marks the first major class action for damages related to unauthorized data usage under the new legislation.

TPC alleges that Oracle and Salesforce illegally harvested personal data from 10 million Dutch internet users through cookies and used it for targeted advertising. The foundation is pursuing 10 billion euros in compensation for non-material damages resulting from these privacy infringements.

Under the EU’s General Data Protection Regulation (GDPR), the toughest privacy and security law in the world, any person who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the controller or processor for the damage suffered.

The court’s decision not only reversed an earlier ruling on TPC’s admissibility but also clarified critical points about class action requirements and the scope of collective redress for non-material damages.

TPC’s legal battle began with controversy over how it demonstrated support for the collective action. WAMCA requires claim organisations to show that their claim has actual support from the individuals they seek to represent. Traditionally, this is done through a book-building process, where individuals register with the foundation and sign agreements to participate in the claim.

However, TPC adopted an unconventional approach by inviting visitors to its website to show their support via a “thumbs-up” button or “like.” Beyond capturing an IP address, no additional data was recorded, and no formal registration process was used. TPC also garnered support from consumer and privacy organisations with a history of advocating for data protection rights.

In December 2021, a lower court ruled against TPC, finding that “thumbs-ups” and “likes” failed to meet the requirement for actual support. The court reasoned that verifying if the “likers” were part of the affected class was impossible without collecting identifying information. Furthermore, the page providing information about the lawsuit lacked sufficient details about the claim or its implications, casting doubt on whether users who clicked “like” understood what they were endorsing. Support from advocacy organisations was also dismissed as irrelevant since these groups were not part of the class.

The appeal court took a different stance. It ruled that WAMCA’s opt-out mechanism, which contrasts with traditional opt-in systems, does not require formal registration to demonstrate support. According to the appeal court, the “likes” were adequate evidence of backing from a small but sufficient number of individuals. TPC has since enhanced its website to provide comprehensive information about the lawsuit, including details about the defendants and the purpose of the class action.

The Court of Appeal determined that the anonymity of internet users providing support was not an issue, as there is no legal obligation to register their identities. It concluded that the actions implemented by TPC to facilitate consultation with beneficiaries were adequate. TPC disseminates information via its website, newsletters, and Ask Me Anything sessions on Reddit.

The court acknowledged the importance of backing from privacy and consumer advocacy groups. Although TPC lacks a proven history and established track record, endorsements from these organizations can bolster the credibility of a claim organisation.

The ruling, overturning the previous dismissal regarding its admissibility, represents a significant triumph for TPC. However, it raises questions about the feasibility of similar approaches in future cases. Using a “like” button is cost-effective and potentially efficient but carries inherent risks. Defendants and courts may scrutinize whether this method sufficiently demonstrates actual support, making traditional book-building practices the safer choice. Claim organisations can avoid doubts about legitimacy by collecting detailed participant information and strengthening their claims during admissibility assessments.

The ruling also addresses another important issue in class actions: the collective pursuit of non-material damages. Dutch law requires claims in collective actions to have a common legal basis, ensuring they can be litigated effectively for the entire group. Previously, the Amsterdam district court ruled in an unrelated case against TikTok that intangible damages could not be handled collectively due to their inherently personal nature. This decision posed a challenge for claims like TPC’s, which seeks compensation for privacy violations that vary significantly among individuals.

The appeal court took a more nuanced view in the Oracle and Salesforce case. While it agreed that the mere collection of personal data does not automatically warrant non-material damages, it found that such claims can share a common legal foundation across a class. The court emphasized that variations in the extent or lack of harm altogether (some people may support data collection for personalized ads) do not undermine the collective nature of the claim. The WAMCA framework allows for sub-classification, enabling courts to address the differences within a class.

This interpretation reopens the door for collective redress of intangible damages, which seemed closed after the TikTok ruling. Although TPC must still prove that specific members of its class suffered harm, the appeal court’s decision prevents such claims from being dismissed outright for lack of commonality.

The appeal court’s decision will likely significantly impact data privacy litigation in The Netherlands. It reaffirms the viability of pursuing collective claims for privacy violations, even when the harm is intangible and varies among class members. It also highlights the evolving nature of collective redress mechanisms in addressing complex, modern legal challenges like data misuse.

The ruling is a crucial step forward for TPC, but the battle is far from over. The foundation must demonstrate that its class has suffered comparable damages—a challenging task given the diversity of experiences among affected individuals. Still, the case sets an important precedent for other privacy advocacy groups, showing that innovative approaches to collective representation can succeed under the right circumstances.

The Amsterdam Court of Appeal’s ruling favouring The Privacy Collective represents a turning point in Dutch class action law. By affirming TPC’s admissibility and clarifying the conditions under which non-material damages can be pursued collectively, the decision provides a roadmap for future litigation involving privacy breaches.