Class actions in the tech sector: where are we now, where is it going?

In the newsletter of 2023 (in Dutch), Christoph reflected on the possibility of starting class actions on AI in the Netherlands similar to those in the US. In this contribution, I will take a closer look at this phenomenon - also aptly referred to as mass claims - with a view to conflicts in the tech sector. This mainly concerns mass claims brought against large, international tech companies in the Netherlands. The reason is usually a breach of competition rules or violation of the privacy of (end) users.

In the Netherlands, a new legal regime has been in place since 2020 that allows mass claims to be brought on behalf of all victims of a particular event, including claiming collective damages. This is a significant broadening because now (i) in principle everyone is represented unless they exercise their opt-out right, and (ii) the compensation covers the whole group and can therefore reach astronomical amounts. This also explains why there are many mass claims pending here, especially compared to other countries (more than 80 now, see the WAMCA register).

Note that the vast majority of these cases involve actions against the government (e.g. the introduction of the UBO register or ethnic profiling), or only the taking of interim measures or a declaration of law (e.g. a recent Dier&Recht case against the importation of calves), and thus explicitly not damages. However, the latter element is central to mass claims in the tech sector with typically millions of injured parties. So far, there are over 20 cases, mostly related to alleged malpractices in the tech sector, or indirectly related to it (such as diesel cars with their tampered software used to meet emissions standards).

So what are the abuses in the tech sector that can be addressed with mass claims? As already touched upon, these involve two main challenges in today's tech industry, namely (i) dealing with and complying with privacy rules and (ii) competition law issues due to the fact that some tech companies have become so large that they can behave to a large extent independently of competitors and then (can) abuse this dominance.

The informed reader will, of course, immediately think of various actions on the regulatory front that are already fully focused on these abuses. Think, for instance, of growing calls in the US to break up large tech companies to limit their market power, of recent attempts to introduce stricter rules on children's online privacy on social platforms, or of investigations by regulators in the EU into certain behaviour of large tech companies (including Amazon, Apple and Google). With mass claims, consumers or citizens now have a tool to take direct action against these abuses and hold tech companies accountable via substantial damage claims. I will illustrate this using some concrete pending actions in the Netherlands.

Privacy violations

To start with the most obvious example, privacy. The all-pervading topic that is ever-present in today's highly digitised society. This is evident, for example, in the figures of data breach notifications made to the Data Protection Authority (AP); out of the almost 27,000 (!) notifications to the AP per year, an average of 24,000 of these notifications concern data breaches. In addition, the AP is dealing with other data breaches, either in response to complaints lodged with it (with nearly 28,000 in 2019 and over 13,000 in 2022) or in connection with its own investigations or enforcement (with 41 investigations and 13 fines imposed in 2022).

This overview immediately shows that the administrative law route runs up against its limits and, moreover, can only result in fines for offenders. For (mainly immaterial) damages, one has to turn individually to the courts that have incidentally awarded lump-sum damages. It is noteworthy here that this mainly happens in administrative law, i.e. in conflicts with the government (for an analysis, see my contribution in TvIR 2023 no 6, in Dutch).

The advent of the new mass claims regime (the so-called WAMCA) has changed this now that it is possible to aggregate individual claims for damages. The idea is simple: a breach of privacy rules individually causes a small damage which, however, when added together, namely due to the multiplier of hundreds of thousands if not millions of aggrieved parties of the same conduct or event, may lead to claims for damages in the billions. A sampling of the pending mass claims shows that these involve a variety of privacy rule violations, almost all of which have to do with the tech sector or IT-related issues.

• Oracle & Salesforce (Aug 20): this first major WAMCA case looks at real-time bidding and privacy law concerns in that context (including cookie sycing). However, in December 2021, this claim was dismissed at the formal stage because 75,000 likes were not enough to prove the representativeness of the claim foundation. This case was restarted in March 2023.
  
  
• TikTok (June 21): this class action is being pursued by as many as three different competing claim foundations claiming amounts between EUR 1.4 and 5.4 billion in damages for various breaches of the AVG. This is also the first major WAMCA case in which a so-called Exclusive Advocate has been appointed to conduct the collective action on behalf of all aggrieved (at least two, namely one for the aggrieved minors and one for the adults).

• GGD data breach (March 23): this case concerns personal data collected from various GGDs as part of covid tests and shared with third parties due to alleged careless shielding in IT systems. It involves a total of EUR 3.5 billion in damages.

• Google (Sept 23): this action looks at various privacy and consumer law violations resulting from the use of Google services and products. Meanwhile, a second claims foundation has come forward and will also launch a mass claim.

• X/Twitter (Sept 23): this case concerns so-called trackers in various third-party mobile apps that can be downloaded for free which then collect personal data and share it with third parties.

• Amazon (Oct 23): this class action concerns Amazon's advertising business, i.e. processing personal data via cookies as part of its services. It also appeals against a fine of EUR 746 million imposed by the regulator in Luxembourg.

• Meta (Nov 23): this case concerns Facebook's use of personal data, at least the creation of profiles for targeted advertising and the transfer of data to the US. It also invokes previous fining decisions, namely from the Irish regulator with fines of EUR 210 million for unlawful processing and EUR 1.2 billion for unlawful transfers. In total, damages of EUR 12.8 billion are claimed.

• Adobe (Dec 23): the latest class action concerns the processing of personal data by the AdTech industry, specifically by Adobe which collected personal data and processed it into profiles which were then offered to third parties.

All these cases are still at the formal stage of testing the admissibility of the foundations bringing the collective claims on behalf of their constituents. Besides the question of the applicability of the new regime (with a cut-off date of 15 November 2016), a high-profile interlocutory judgment in the TikTok case held that that the immaterial damages of the aggrieved could not be bundled. The reason for this was that (at least in this case) it has not been shown that all aggrieved parties suffered the same damages because, in short, everyone experiences the alleged breaches of privacy differently. As a result, the claims for compensation of immaterial damages (calculated as a lump sum per aggrieved person) appear to be in doubt for the time being, but the last word on the matter is far from being said in view of appeals and possibly different decisions by other courts.

Competition law infringements

In addition, the civil law closure of competition law infringements is also gaining new momentum. This mainly concerns so-called follow-on actions in competition law, i.e. civil damages actions after public enforcement, such as a decision to fine. It is an important part of European legislation to encourage private enforcement and thus promote compliance with competition law. This has led to some major court cases in the Netherlands (including damages actions concerning the air-cargo, lift and trucks cartel). These cases are between producers (the cartel participants) and their professional customers who overpaid for certain goods or services, and thus in the B2B sphere.

Also in these cases, the WAMCA offers a new opportunity to recover damages. This time by consumers who, as end users/customers, ended up overpaying provided the price hike was also passed on to them (for which there is a legal presumption of proof). Whereas cartel cases have so far had to be litigated on the basis of an assignment or with multiple claimants, this can now be done on behalf of all injured parties unless they have chosen not to participate (the opt-out). This makes it easier to initiate a damages action on behalf of a sizeable group of consumers. In addition, the WAMCA makes it possible to claim collective damages that in principle cover the entire damage caused by a competition law infringement.

Again, the pending mass claims show that different competition law violations are involved, with the main categories being cartel cases and abuse of dominant position (Art 101 and Art 102 Treaty on the Functioning of the European Union, respectively), and that the arrows are often pointed at the tech sector.

• Apple (Oct 21): this action deals with the app store and the commission charged therein for offering apps and in-app purchases, as well as various other forms of abuse of dominance. In late 2023, preliminary questions were raised about the relative jurisdiction of the Dutch court.

• Google (Oct 22): this action looks at Google's app store with similar competition law allegations. In Dec 2023, it was held that the WAMCA applies even though the imputed acts existed long before the reference date of 15 November 2016.

• Samsung (Dec 23): this case is the first follow-on proceedings under the WAMCA and concerns the cartel in respect of TVs in the period 2013 to 2018 that was fined by the ACM on 14 September 2021 (with confirmation of this sanction decision on 13 November 2023).

As a (tech) company, should I fear this development now? Not necessarily, because ultimately it is about compliance with laws and regulations that are required even without mass claims. In other words, there is only a risk if a certain behaviour does not pass muster.

That said, the risk of non-compliance has becomes significantly higher because the potential (financial) exposure is much greater because there is no individual plaintiff, but a collective that can bring claims related to the same facts and events (provided they can be bundled). On top of this, some claims are also more likely to be brought because there is external funding that makes a case possible and, according to critics, is the driving force behind the increase in class actions that often seek sky-high damages. On the other hand, some claims may otherwise not be brought, for example because individual proceedings are not feasible given the complexity and amount of damages claimed (hence the sometimes used designation as 'spreading damages').

Whatever this discussion; mass claims are now a given in the Netherlands and will also lead to similar actions outside the Netherlands as a result of the Representative Actions Directive (which entered into force in June 2023). This also sees a trend of the same collective actions being brought in different countries. Tech companies - given their global reach, uniform business model and huge turnovers - are a very likely target, each of which will raise issues that belong to the reality of our digital economy.