Multibillion-euro privacy claim off the table

The Amsterdam District Court recently issued an important judgment in a privacy class action against Dutch municipal health services. The Court declared a damages claim on behalf of 6.5 million people inadmissible. 

Background

During the COVID-19 pandemic, Dutch municipal health services were tasked with testing and vaccinating people in the fight against the virus. They therefore held personal data of millions of people. Some of these personal data were stolen by health services employees who had lawful access to the IT systems, and were passed on to third parties (the "'data breach").

Dutch foundation ICAM represents the interests of all persons whose personal data were processed by the health services. Within this group, a distinction can be made between persons whose data might have been stolen (Group A) and persons for whom it is established or will be established that their data have been stolen (Group B). Group A consists of 6.5 million persons. Group B consists of at least 1,373 persons, according to a police investigation, but the Amsterdam District Court presumed that this group is larger.

Claims

ICAM sought to have the health services, the state and other public and private entities held jointly and severally liable for the data breach, based on violation of the GDPR and in tort. ICAM claimed compensation for non-material damage: for group A, EUR 500 per beneficiary and for group B, EUR 1,500 per beneficiary. For both groups, it claimed EUR 500 in material damages per beneficiary. It also sought declarations of law that relate to the defendants' liability and termination of the breach.

Standing requirements

The Amsterdam District Court first considered whether ICAM met the standing requirements of Article 3:305a Dutch Civil Code (DCC), and Article 80 General Data Protection Regulation (GDPR). The Court found the recent designation of ICAM as a 'qualified entity' for bringing cross-border actions under Directive 2020/1828 on representative actions not relevant, since this class action did not qualify as such a cross-border action.

The Court found that ICAM had standing. It considered ICAM to be sufficiently representative. Via ICAM's website, 117,642 adults and 18,974 minors had registered. The Court found these absolute numbers sufficient, even though this was a limited percentage of the total number of persons for whom the class action was brought.

Claims against several defendants inadmissible

The Court then considered whether the claims were admissible. ICAM had not sufficiently argued that all defendants were data controllers within the meaning of the GDPR. For this reason, the claims against several defendants were found prima facie unfounded and therefore inadmissible. Whether the state could be regarded as a data controller depended on evidence yet to be submitted regarding the state's instruction to the health services on registering citizens for the purposes of testing, vaccination, and source and contact investigation.

Damages claims inadmissible

Furthermore, the Court assessed the admissibility of the damages claims. According to the Court, it followed from the judgments in Österreichische Post, VB v NAP, Krankenversicherung Nordrhein and MediaMarktSaturn that damages can be awarded to individuals who have suffered harm because of a GDPR breach. Non-material damage may include the fear that third parties will misuse personal data after such a breach.

Regarding Group A, however, the Court found that it had neither been established nor substantiated that there had been a GDPR infringement as a result of the data breach. ICAM referred to the fear 'of a breach', and not the fear of data misuse 'after a breach'. Therefore, the damages claims on behalf of Group A were inadmissible.

Regarding group B, the Court ruled as follows. The 1,373 people whose data theft was identified had been offered EUR 500. This compensation had been accepted by about 80% of the group, with final discharge. The damages claims for these persons were inadmissible. Group B also included persons whose data theft still had to be established. The size of that group was unknown. According to press reports, the number could be in the tens of thousands, but ICAM had provided only six examples of persons who claimed to have been affected by the data breach. Since ICAM could not make a plausible case that enough of these persons supported the class action, the Court declared the damages claims on behalf of Group B as a whole inadmissible.

This ruling did not end the proceedings. ICAM's claims for declaratory and injunctive relief were admissible. The parties can now submit their views on the question whether ICAM still has an interest in bringing these claims.