The rise of big data poses all kinds of legal challenges for society. The Dutch government and Parliament are currently exploring whether or not the Dutch collective redress mechanism suffices for claiming damages following violations of data protection law. Recent reports commissioned by the Dutch government have proposed changes to this collective redress mechanism; in this blog, we set out the latest developments and share our initial view as to whether changes to Dutch law are indeed necessary.
Suggested changes to the Dutch mechanism of collective redress
On 19 August 2019, the WODC (the Research and Documentation Centre of the Dutch Ministry of Justice and Security) published a report on access to justice and principles of procedural fairness in relation to big data. The report indicates that case law, literature and regulators have focused much of their recent attention in relation to big data on substantive law. However, according to the WODC, the same attention has not been placed on the procedural framework that aims to implement substantive law:
“Citizens who have rights but are unable to successfully enforce them remain empty-handed and a legal system that addresses incidental Big Data harms only on an individual level does not tackle the underlying causes, so that structural problems may persist. Issues related to procedural fairness and access to justice vis-à-vis Big Data projects have received little attention so far.“
One of the issues raised by the report concerns the possibility for individuals to claim damages for an infringement of data protection law through a collective action. The report explores the current collective action framework and sets out several potential improvements (such as changes to admissibility requirements) in light of the increasing importance of big data:
“Although within civil law there are currently adequate possibilities for taking actions in the collective or general interest, a number of minor adjustments can ensure that procedural law is brought in line with the transformation to a data-driven society. Examples include the relaxation of the requirement for legal persons to include in their statutes the general interests they wish to defend in a court case and of the requirement of prior consultation with the party against whom an action in the public interest is being initiated, or the establishment of a fixed amount for non-material damage as a result of unlawful Big Data projects, which would help to cover the costs for such actions […]“
The issue of improving collective redress mechanisms for infringements of data protection law is also a priority for the Dutch Parliament. Following the publication of the Netherlands Scientific Council for Government Policy of its report “Big Data in a free and safe society“, the Dutch government on 12 June 2018 accepted a motion (submitted during a parliamentary committee meeting on 6 June 2018, following a Dutch House of Representatives debate into the issue of data protection on 30 May 2018) of a member of the Dutch House of Representatives requesting the government to look into how collective redress could be further facilitated in light of a data-driven society. In his letter of 7 June 2019, Dutch Minister Dekker stated that the government will inform the Dutch House of Representatives by the end of 2019 about any further action that the government will take following the findings of the WODC report on collective redress. This letter was subsequently discussed in Parliament.
Although we agree that collective actions relating to data protection infringements should be efficient and effective, we caution against introducing a fixed amount for non-material damages for such infringements. Not only could this potentially intensify the so-called ‘claim culture’ (as the report rightfully recognises), it would arguably also be somewhat at odds with the well-recognised Dutch private law rationale of damages for actual harm incurred as a result of an unlawful act (see also the judgment of the Supreme Court of 19 July 2019 confirming that non-material harm can only be established on a case by case basis). The WODC report correctly notes that some jurisdictions, such as the US, seem to allow for per-violation statutory damages in the context of data protection law infringements (which has sparked discussion in US courts, see here and here), but this phenomenon is relatively unknown under Dutch private law (save for specific cases such as where damages for specific non-material harm are claimed). Interestingly, Dutch and German district courts appear to be open to awarding non-material damages for violations of the General Data Protection Regulation (see here, here and here), without being able to rely on per-violation statutory damages.
Finally, we are somewhat doubtful as to the merits of the WODC report’s suggestion to abandon the requirement of prior consultation or other admissibility requirements in collective actions. Various admissibility requirements for collective actions were only recently amended and have not entered into force yet (see our earlier blog). In any case, part of the assessment of the WODC’s suggestion should be that these admissibility requirements aim to safeguard important interests, such as facilitating amicable settlements and protecting companies against frivolous litigation.