On 19 March 2019, the Dutch Senate approved legislation introducing collective damages actions in the Netherlands (the “Legislation”) which will broaden the regime even further. The Legislation introduces an option to claim monetary damages in a “US style” class action, including for violations of the GDPR. This Legislation together with the mechanisms already available under Dutch law put the Netherlands at the forefront of collective redress in Europe. The Legislation is expected to enter into force in July 2019 and will apply to events which took place on or after 15 November 2016.
The key features of the Legislation include:
- An option to claim monetary damages in a collective action on an opt-out basis. The Legislation consequently lifts the current prohibition on representative organisations claiming monetary damages in a collective action. The proposed action can either result in a judgment in which the court will award damages or in a collective settlement held to be binding by the court.
- The opt-out mechanism is limited to Dutch class members only, giving foreign class members the opportunity to opt-in. However, upon request by one of the parties, for instance an organisation representing data subjects, the court may also apply the opt-out regime to those foreign class members who are “easily identifiable.” An example of this is a personal data breach affecting data subjects throughout Europe.
- An Exclusive Representative can be appointed if there are more than one collective action organisations wishing to bring an action for the same circumstance(s) on similar points of law and of fact. This compares with a “lead plaintiff” concept in the US. The Exclusive Representative will litigate on behalf of all collective action organisations. These organisations stay involved in the procedure, meaning that it will be necessary to coordinate with each other. After the appointment of the Exclusive Representative, it is possible for class members to opt-out.
- After the Exclusive Representative is appointed, the court will set a period for the parties to try to negotiate a settlement agreement. If a settlement agreement is reached and declared binding, there is a second opt-out opportunity for the class members. If no settlement agreement is reached, the proceedings will continue.
- Enhanced standing and admissibility (e.g., governance, funding, and representation) are introduced for collective action organisations, which will be assessed at an early stage of the proceedings (comparable to the US’s “motion to dismiss”).
- One of the admissibility requirements is that the action must have a sufficiently close connection with the Dutch jurisdiction (the so-called “scope rule”), for instance (i) if the majority of the affected individuals of whom the collective action is initiated reside in the Netherlands, (ii) if the controller or processor is established the Netherlands, or (iii) if the processing which resulted in the violation of the GDPR took place in the Netherlands.
With the development of big data, the scope and impact of personal data breaches or losses have significantly increased. As such, it only seems natural that public authorities and affected individuals would consider class actions as a potential effective remedy for these breaches. With a possibility to claim damages, it seems likely that more personal data class actions will be initiated in the Netherlands.