Greetings from Holland!

It has been an interesting week for privacy pros here in the Netherlands. The government launched the test pilot of the Dutch CoronaApp. The app is based on the Google-Apple contact-tracing technology and works pretty much the same as the German and Italian apps. Tech journalists are busy tweeting their findings on privacy and security. A full rollout of the app is expected after summer.

On Monday, the Dutch data protection authority, the Autoriteit Persoonsgegevens (AP), published its highest fine to date. The Dutch Credit Registration Bureau (BKR), which is the central hub in the Netherlands for registering the consumer loans of more than 10 million people, received a fine of 385,000 euros for failure to facilitate the exercise of data subject access rights (Article 12(2) of the GDPR), plus a fine of 650,000 euros for not making data subject access free of charge (Article 12(5) of the GDPR). BKR allowed free data subject access only once a year. If data subjects needed access more than once a year, they needed to purchase a subscription to access their data (up to 12.50 euros per year). Between May 2018 and April 2019, about 30,000 people bought a subscription. As the two violations were related, the AP applied a discount of 20%, resulting in a total fine of 830,000 euros.

Interestingly, the AP’s fining decision is dated 30 July 2019. In the past year, BKR has objected to the decision (per the Dutch Administrative Law Act) and sought several court orders to prohibit the publication of the decision during the various stages of objection and appeal, but its latest request was rejected recently in summary proceedings. Hence the publication of the decision almost a year later. Referring to the AP’s publication policy, the judge ruled that the ex officio publication of the fining decision has no punitive effect on BKR but is solely intended to serve the AP’s FOIA accountability purposes vis-à-vis the public. BKR has said it will appeal the fine.

On Tuesday, the Dutch Consumer Union, Consumentenbond, together with the Data Privacy Foundation, started a collective action against Facebook for violation of the privacy rights of its users. Within a day, more than 100,000 people signed up. Although the Consumentenbond would rather see an amicable settlement than a court battle, the case may eventually result in a WAMCA claim (Article 3:305a Civil Code and Title 14A Code of Civil Procedure), which is the brand-new, U.S. class-action style, Dutch law for mass compensation claims that came into effect last January.

The WAMCA is potentially a serious weapon for enforcing GDPR compliance through collective actions (Article 80 of the GDPR). It is probably most valuable for collective redress after a serious data breach, as well as in case of a violation of Articles 5, 6, 8 and 44 of the GDPR. A WAMCA claim may be extra powerful in combination with Article 6:104 Civil Code, which allows damages to be related to the profit that resulted from the behavior which gave rise to the liability (e.g., a violation of the GDPR), rather than damages based on fairness for immaterial damages (Article 6:106 Civil Code), which so far has been the traditional way of compensation for privacy invasions in the Netherlands.

A WAMCA claim is possible if there is a close connection with the Dutch jurisdiction. That is the case if:

  • The majority of the data subjects live in the Netherlands (which is relevant for non-Dutch controllers and processors).
  • The controller or processor is established in the Netherlands (note: foreign data subjects may also be part of the WAMCA class).
  • The violation of the GDPR occurred in the Netherlands (which may be relevant for noncompliance with ePrivacy rules, such as tracking cookies and location-based services in apps).

The Facebook claim is likely to be the first in a long line of GDPR-related class actions in the Netherlands. We will keep you posted.