Greetings from The Netherlands!

June has been an interesting month here in the Lowlands. While the privacy world was focused on the new standard contractual clauses and the EDPB guidance on supplementary measures, the Dutch Consumer Union filed a 1.5 billion euro claim against TikTok for an alleged violation of children's privacy. At the same time, a similar claim was filed in the UK. If my count is correct, this is the fifth collective action claim under the GDPR filed in the past year. Consumer Union v Facebook (selling data without consent), TPC v Oracle/Salesforce (tracking cookies), Somi v TikTok (violation of children's privacy) and Stop Online Shaming v [Porn Site] (exploiting nude images without consent) preceded this claim. However, as far as I know, the latest TikTok claim is also the biggest.

A year ago, I wrote that two legislative forces converged here in The Netherlands. Not only did the GDPR take effect in 2018, but in January 2020, a new Dutch class-action style law, called WAMCA, took effect. An important element of the WAMCA is that it allows claim funding. And claim investors have noticed! The claim against Oracle and Salesforce is funded by Innsworth Litigation Funding, a London-based claim investor owned by Paul Singer's Elliott Management Corp. Bloomberg named Singer as "the world's most feared investor." Although WAMCA prohibits claim funders from influencing the litigation strategy, I wouldn't be surprised if this made The Netherlands a litigation hotspot in Europe for GDPR and ePrivacy class action lawsuits.

WAMCA allows damages to be related to the profit that resulted from the illegal behavior that gave rise to the liability. These damages could well exceed the GDPR maximum for fines. Especially where processing of consumer personal data is a key element of the business case, the WAMCA is a potentially serious weapon in enforcing the GDPR and the future ePrivacy Regulation. A WAMCA claim is possible if there is a close connection with the Dutch jurisdiction. That is the case if:

  • The majority of the data subjects live in the Netherlands (which is relevant for non-Dutch defendants).
  • The defendant is established in the Netherlands (Note: Foreign data subjects may also be part of the WAMCA class in this case).
  • The violation of the GDPR occurred in the Netherlands (which may be relevant for noncompliance with ePrivacy rules, such as tracking cookies and location-based services in apps).

Last week, the Dutch Data Protection Authority issued guidance on the role of the DPO. The AP laid down eight principles for the effective functioning of DPOs:

  1. The DPO is an advisor.
  2. The DPO is a supervisor.
  3. The DPO must be provided with means and access to management.
  4. The DPO must be kept up-to-date with developments in the organization.
  5. The DPO is the first point of contact for data subjects' complaints.
  6. The DPO is not informed about (the progress of) an investigation by the AP.
  7. The AP may use the advice of the DPO in its conclusions.
  8. The AP may use the DPO as a source of information, but the DPO cannot be the organization's advocate.

In its explanation of principle 2, the AP notes that it may refer a case to the DPO. This should not be read as the AP ordering the DPO to conduct an investigation. However, such a referral will undoubtedly raise expectations on the side of the data subject. And although Dutch law allows the AP to obtain information from anybody, principles 7 and 8 seem to conflict with the DPO's duty to keep all information confidential.

We'll see how all this will play out.