A transforming landscape: Collective Actions in Data and Tech

It is generally acknowledged that the Netherlands is a popular forum for various types of class actions. As of 25 June 2023, the implementation act (‘the Dutch Implementation Act’) incorporating the Representative Actions Directive (‘Directive’) in the Dutch class action regime entered into force. As expected, the Netherlands has chosen to maintain its very liberal class action regime and has made only very minor adjustments to ensure compliance with the Directive. This means that commercially driven/third-party funded actions will continue to be available in the Netherlands (see our first blog in this series).

Moreover, since the enforcement of the General Data Protection Regulation (GDPR) in May 2018, there has been a noticeable surge in the occurrence of collective actions related to data protection law. Numerous collective actions, particularly targeting major tech companies, center around purported infringements of the GDPR, occasionally combined with alleged violations of other European consumer protection regulations or competition law (such as abuse of dominance claims).

Previous, ongoing, and future class actions concerning the GDPR

Several class actions have now been filed in the Netherlands based on both the old class action regime and under the WAMCA (Wet Afwikkeling Massaschade in een Collectieve Actie), effective as of 1 January 2020. These proceedings were brought by claim organizations against various leading US tech companies. With the evolving (EU) legislation, we anticipate that there is a considerable number of cases yet to come. These cases will inter alia revolve around the following questions.

Does the GDPR allow for claims on an opt-out basis?

The competent courts have not yet ruled on the question whether the GDPR allows for mass damages claims under the WAMCA, i.e. on an 'opt-out' basis.

Article 80(1) GDPR provides that organisations may claim compensation for damage suffered by a person due to a GDPR breach, under a mandate and on behalf of that person. Article 80(1) GDPR reads: "The data subject shall have the right to mandate [an] (…) organisation (…) to exercise the right to receive compensation referred to in Article 82 on his or her behalf where provided for by Member State law." Article 80(2) deals with collective representation of data subjects without a mandate from the data subject. That article does not mention the possibility of claiming damages.

This raises the question whether compensation under Article 80 of the GDPR can be sought through WAMCA proceedings. Opinions vary on this issue. In a 2021 judgment involving American software companies, for example, the Amsterdam District Court emphasized the lack of clarity regarding the relationship between the WAMCA and the GDPR, but did not provide answers in this regard. This question was also left unanswered by the Amsterdam District Court in the more recent class action against TikTok.

Some Dutch legal scholars believe that the judgment of 28 April 2022 of the European Court of Justice (ECJ) against a leading tech company unambiguously confirms the possibility of seeking damages under the WAMCA for alleged GDPR breaches, even without a “mandate”. However, this judgment did not concern damages, but an injunction. The conclusion that the Court's ruling also applies to collective damages is therefore uncertain.

Also, some suggest that the representativeness criterion in the WAMCA may not apply to GDPR-related claims.  According to the abovementioned judgment, it does indeed follow that the interest organisation does not have to identify the person individually beforehand. However, this does not mean that the interest group no longer has to prove that it is sufficiently representative of the group it says to represent. This is still required under the WAMCA. Also, the WAMCA's representativeness requirement does not necessitate "individual identification" of the persons involved. We therefore believe to the perspective of representativeness is still expected from a claim organisation.

To what extent is there a right to damages for GDPR breaches? 

Article 82 of the GDPR gives any person who has suffered material or non-material damage as a result of an infringement of the GDPR the right to receive compensation from the controller or processor for the damage suffered.

There has been considerable debate on the topic of compensation for damages resulting from GDPR infringements. The debate focused primarily on whether compensation for immaterial damages should be awarded for the mere breach of the GDPR. On 4 May 2023, the ECJ handed down an important ruling in this respect in the case of UI/Österreichische Post AG.

The ECJ leaves no room for misunderstanding: without damages, no compensation. A mere breach of one of the provisions of the GDPR is not sufficient to award damages. The ECJ rules the right to compensation is to compensate, not to punish.

The Court does not yet provide much clarity on what constitutes immaterial damages, other than that damage is an autonomous and uniform concept. The court says there is no minimum threshold for damages. This does not automatically mean that annoyance and frustration caused by GDPR breaches are now eligible for compensation. This is because it is still up to the plaintiff to show that they actually suffer adverse effects and to show that those adverse effects also qualify as immaterial damages within the meaning of Article 82 GDPR. This will be quite difficult, given that Dutch courts do not easily award damages for immaterial harm.

In the judgment, the court also clearly indicates that the rules for determining the amount of compensation are subject to national law. As a result, there will be varying policies across the European Union when it comes to the level of compensation.

What to expect from the near future?

We expect an increasing number of Dutch class actions for purported breaches of the GDPR. Firstly, the Netherlands has established itself as a favored jurisdiction for class action litigation. Secondly, in the Netherlands there is a growing awareness of privacy rights among individuals, which motivates them to take legal action. Lastly, both individuals and non-governmental organizations are becoming more assertive in pursuing legal remedies.

The outcome of ongoing cases in the Netherlands and those before the ECJ can significantly impact the volume of class actions, as it sets precedent and influences legal interpretations. We will continue to monitor the developments closely.