Netherlands court dismisses mass damage claims in data protection case

Netherlands

A recent ruling by the Amsterdam court provides insight to any party facing mass claims for GDPR breaches in the Netherlands. The case concerned a mass claim against various government bodies for the insufficient security of the personal data processed by municipal health services (GGDs). The court dismissed the damages claim on the grounds that it was insufficiently substantiated.

Relevant facts

The IT systems used by the GGDs in connection with the COVID-19 pandemic contained serious security flaws. The sensitive personal data of millions of people were accessible to some 35,000 GGD employees for months. The data of 1,250 people were actually found to have been stolen and ended up in the hands of criminals.

On 28 March 2023, the ICAM Foundation filed a mass claim against 34 defendants, most of which are government bodies and include the GGDs. ICAM wants compensation to be paid not only to those whose data ended up in criminal hands, but also to those who should fear such an outcome (i.e. anyone who provided data to a GGD, currently estimated to be 6.5 million people).

Legal proceedings and decision

Mass claim

ICAM first submitted the litigation funding agreement on order of the court before the case was judged on its merits. This could show that courts are actively trying to prevent misuse of mass claims by litigation funders.

The court then established that ICAM is admissible as a foundation since it meets the requirements of article 3:305a (1 to 3) DCC. These requirements include having a sufficiently defined and representative group of aggrieved parties, an adequate governance structure, and sufficient expertise and resources to conduct the litigation. Although ICAM was admissible as a foundation, the court found ICAM inadmissible against a number of defendants for whom, according to the court, there was no basis to assume that they bore responsibility for insufficient security of the processed personal data.

The court left the question of whether the claims were sufficiently connected (i.e. bundled) unanswered by first answering the question of whether there was a basis for compensation in the negative. Leaving this question unanswered was unfortunate since case-law in this area is currently divided.

Privacy

The court inferred from European case-law that immaterial damages can only be awarded to persons against whom not only a breach of the GDRP has been established, but who have actually suffered harm as a result of that breach. As a result, the court's key consideration was the fear of a future breach since the fact that third parties may have obtained personal data unlawfully is not sufficient. By following this reasoning, the Amsterdam court ruled in line with the position of MediaMarktSaturn Hagen-Iserlohn and thus required the aggrieved partiers to provide additional substantiation for the actual occurrence of a breach. Without this substantiation, the claim is succinctly unsound and therefore inadmissible.

Comment: relevance for insurance practice

Mass claims are gaining traction in the Netherlands, particularly GDPR actions. As of 24 July 2024, there were 80 mass claims pending in the Dutch courts – 14 of which concern GDPR breaches. The amounts vary from EUR 500 to EUR 2,500 per person, depending on the type and severity of the breach. The total exposure can be significant, especially if the claim is brought on behalf of millions of data subjects.

Although the Amsterdam court chose the path whereby additional substantiation of the damage suffered as a result of the breach is necessary apart from the fact that the data subjects fear that their data may be disseminated or even misused in the future, such claims are not unfeasible. This is also evident from the fact that the group of 1,247 people who did experience “fear after a breach” received compensation of EUR 500 from the GGDs prior to the proceedings.

The court ruling also highlights the importance of investigating affected data sets in the event of a data breach. This can help identify the scope of the breach, including the data subjects involved, which can be the difference between having to pay damages or not having to pay damages.

An appeal is expected.

For notification on the appeal or to receive a more in-depth analysis on this decision and its implications, contact your CMS client partner or these CMS experts: