Two multinational data processing firms are facing legal action that could amount to billions of euros for alleged breaches of the EU’s General Data Protection Regulation (GDPR).
The Privacy Collective, a non-profit Foundation that pursues claims for violations of privacy rights, is suing Oracle and Salesforce in action representing millions of individuals objecting to the use of their personal data.
The damages could exceed €10 billion if the legal proceedings are successful, the NGO said.
A case was set to be filed on Friday at the District Court of Amsterdam and similar case was due to be filed later this month at the High Court in London England, it added.
The Dutch case is the biggest-ever class action in the Netherlands over a violation of the GDPR.
Both firms deny the claims.
The action concerns a process called real-time bidding — a behind the scenes auction in which consumer profiles are put up for sale.
When a user consumer visits a website, ad tech companies place a cookie on the user’s device to track and monitor their behaviour online.
While The Privacy Collective acknowledges hundreds of companies collect personal data of internet users and share it in this way, it alleges in the actions that Oracle and Salesforce without the proper consent or knowledge of the user.
The EU General Data Protection Regulation came into effect on May 25, 2018 and from this point on tech companies were required to get informed consent from consumers in any European country to collect and share their personal data through cookies and other technologies.
‘Far from harmless’
“Everyone who has ever used the internet is at risk from this technology,” said Dr Rebecca Rumbul, class representative and claimant in England & Wales.
“It may be largely hidden but it is far from harmless. If data collected from internet use is not adequately controlled, it can used to facilitate highly targeted marketing that may expose vulnerable minors to unsuitable content, fuel unhealthy habits such as online gambling or prey on other addictions.”
Oracle EVP and General Counsel Dorian Daley refuted The Privacy Collective’s allegations in a statement to Euronews, saying the NGO “knowingly filed a meritless action based on deliberate misrepresentations of the facts.”
“As Oracle previously informed The Privacy Collective, Oracle has no direct role in the real-time bidding process (RTB), has a minimal data footprint in the EU, and has a comprehensive GDPR compliance programme,” he added.
The EVP said his company “will vigorously defend against these baseless claims.”
“The claim applies to the Salesforce Audience Studio service and does not relate to any other Salesforce service,” the data management platform provider told Euronews.
Adding it helps its clients “comply with their own obligations under applicable privacy laws – including the EU GDPR – to preserve the privacy rights of their own customers.”
“Salesforce disagrees with the allegations and intends to demonstrate they are without merit,” the company said.
The General Data Protection Regulation is a regulation in EU law that concerns data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas.