ICAM is admissible in its proceedings against the State, GGD GHOR and the GGDs (“the State et al”), is what the Amsterdam District Court ruled in its judgment of 17 July 2024. The proceedings concern the large-scale data breach that occurred at the GGDs during the corona pandemic (“the GGD data breach”). ICAM represents the 6.5 million Dutch people affected by this data breach. With the proceedings, ICAM aims to clarify the extent and consequences of the GGD data breach, on the one hand, and to persuade the government to pursue a higher level of information security in general, on the other. ICAM also claims compensation for the material and immaterial damage suffered by the aggrieved as a result of the GGD data breach.
In this blog, I discuss the admissibility judgment, focusing in particular on the court’s considerations regarding the admissibility of the non-material damage claims.
ICAM is admissible
The proceedings brought by ICAM concern a collective action to which the Settlement of mass damages in collective action Act (“WAMCA”) applies. The court finds that ICAM meets all the admissibility requirements set by the WAMCA in Articles 1018c DCCP and 3:305a of the Dutch Civil Code.[1] Its writ contains the required descriptions and particulars and ICAM as a foundation is also admissible. ICAM brought claims aimed at protecting the interests of the persons for whom it acts. ICAM’s statutory objectives serve the public interest and, given its activities, it is also active in the field of data protection within the meaning of Article 80 GDPR.
The guarantee requirement of Article 3:305a(1) and (2) of the Civil Code is also met, according to the court. ICAM is representative, i.e. it represents a sufficiently large proportion of the total constituency in the proceedings. Moreover, the court emphasises that despite this being a limited percentage of all persons on whose behalf ICAM acts (6.5 million), this does not detract from ICAM’s representativeness.
Finally, the court finds that ICAM has an adequate supervisory body, appropriate and effective mechanisms for participation or representation in its decision-making, and that it has sufficient resources to bear the costs of these proceedings, and that in doing so, it has sufficient control over the legal action.
As ICAM is the sole plaintiff in this case, the court also designates it as exclusive advocate.
Intangible compensation claims
The court then tests whether the claims brought by ICAM are also admissible. ICAM has categorised the 6.5 million people whose personal data have been included in the GGD systems into two groups: group A and B. Briefly, group A consists of the people whose personal data have been processed in one or both of the GGD systems. For group B, it is additionally the case that for these persons it has been or will be established during the proceedings that their personal data has been unauthorisedly accessed by the GGD data breach or has fallen into the hands of unauthorised persons. For both groups, ICAM brought claims for compensation for material and immaterial damages within the meaning of Article 82(1) GDPR. In this blog, I limit myself to discussing the court’s judgment on Group A’s immaterial damages claims.
The WAMCA provides that in a collective action, it must be possible to answer the questions of fact and law without having to consider the particular circumstances of individual interested parties. In other words, the interests whose protection ICAM seeks must lend themselves to bundled consideration. Indeed, in that case, it is more efficient and effective for them to be adjudicated in one collective proceeding rather than in a variety of individual proceedings. The court considers the circumstances of the aggrieved in Group A to be largely comparable. In doing so, the judgment deviates from the opinion of the Court of Amsterdam regarding TikTok, where the court found the claims insufficiently similar due to the wide variety of existing differences in the use of TikTok by the aggrieved.
The court then discusses whether the aggrieved persons in group A are also entitled to immaterial damages. The court rules that immaterial damages can only be awarded to persons against whom not only a breach of the GDPR was committed, but who actually suffered damage as a result. In doing so, the court considers as follows:
It is therefore required that the injured party prove that provisions of the GDPR have been violated. That is precisely not the case here, because, according to ICAM, Group A is about individuals who are uncertain whether or not their data has been stolen. For that reason alone, these persons cannot claim damages.
This consideration is remarkable because it is not at all in dispute between the parties that provisions of the GDPR have been breached. ICAM has argued that the State et al breached Articles 24, 25, 32, 34 and 35 of the GDPR. A breach of Articles 24, 25 and 32 GDPR has also been established by the Dutch DPA and is not disputed by the State et al. Although there is uncertainty about the follow-up question: whether or not the data of the aggrieved from group A were actually stolen, it is certain that the GDPR was breached in respect of these aggrieved. After all, their data were in one or both of the GGD systems, which had numerous security flaws, and thus a breach of the GDPR occurred.
The court continued by initially considering, in line with ECJ case law, that a data subject’s fear of possible misuse of their personal data by third parties following a breach of the GDPR could constitute immaterial damage. However, the court went on to consider that the fear alleged by ICAM is not the fear that third parties will misuse the personal data they have unlawfully obtained (the court calls this ‘the fear after a breach’), but ‘the fear of a breach‘. In other words, the fear that third parties might have unlawfully obtained personal data and then misuse it. According to the court, because ICAM bases its claims on the fear of infringement, the court said that, under ECJ case-law, immaterial damages cannot be awarded for this.
First of all, it is unclear where the court deduces that ICAM would base its claims on the fear of a breach, since it has invariably been argued by ICAM that the aggrieved have a fear of misuse of their data (‘the fear after a breach‘). After all, as stated above, that infringement is well established.
Second, the court compares the fears of the aggrieved in Group A with the fears in the ECJ’s MediaMarktSaturn case. In that case, a document containing personal data was provided to an unauthorised third party. The national court established that the third party had no knowledge of the content of the document. The data subject feared that his data might be disseminated or misused in the future, given the possibility that the third party might have made a copy of the document before it was returned. The question before the ECJ was whether this fear constituted non-material damage within the meaning of Article 82(1) GDPR.
The Court, in line with its previous case-law, considers that the concept of ‘non-material damage’ must be defined autonomously and uniformly. Moreover, the concept should be interpreted broadly, in line with the objective of the GDPR to provide natural persons with a high level of data protection. A data subject’s fears following a breach of the GDPR of possible misuse of their personal data by third parties may constitute non-material damage. The Court emphasises once again that the loss of control over personal data – even during a short period of time – may cause immaterial damage to the data subject for which there is a right to compensation, provided that the data subject proves that he actually suffered such damage.
A breach of the provisions of the GDPR does not – logically – automatically give a right to damages. Data subjects bringing an action for damages supported by Article 82 GDPR must prove the existence of such damages. The ECJ further considers that a purely hypothetical risk of an unauthorised third party misusing personal data cannot give rise to damages. According to the ECJ, such a purely hypothetical risk exists if no third party has knowledge of the personal data in question.
Back to the case against the State et al. The court thus makes the comparison with MediaMarktSaturn and draws the conclusion that here, too, there would be a purely hypothetical risk, as it has not yet been established for the aggrieved from group A that their personal data were actually stolen. However, the court thereby fails to recognise that the risk of misuse in this case is certainly not “purely hypothetical”. After all, it has been established for over 1,350 people that their data has actually been misused, and for all the others in the database, we simply do not know at the moment. As the court itself also considered, the conclusion cannot be drawn without question that no data theft took place other than that established by the police so far.
The cause of the breaches was – among other things – the poor security of the GGD systems. The infringement thus concerns the exposure of all that personal data. The subsequent actual misuse of that data is the consequence. In other words, the fact that it has not yet been established that the personal data of the aggrieved from group A were actually stolen – which is precisely what ICAM wants to clarify through these proceedings – does not alter the fact that there was a breach in the first place.
The breaches of the GDPR have resulted in the loss of control over their personal data for all 6.5 million people, for which there is a right to compensation. This is also how the ECJ ruled in Gemeinde Ummendorf. The national court in that case held that the mere loss of control over personal data was not sufficient to constitute non-material damage within the meaning of Article 82(1) GDPR. In order to recognise the existence of non-material damage, a ‘de minimis threshold’ must be exceeded, according to him. No such thing, the ECJ ruled, reiterating once again that Article 82(1) GDPR precludes a national rule or practice under which immaterial damage within the meaning of that provision can only be compensated if the damage suffered by the data subject reaches a certain degree of severity.
As the ECJ held in the NAP judgment, three cumulative conditions must be met in order to be entitled to damages under Article 82(1) GDPR. There must be a breach of the GDPR, the data subject must have suffered damage as a result, and there must be a causal link between that breach and the damage. These three conditions are necessary – and also sufficient – to be entitled to damages within the meaning of that provision. No additional conditions can be imposed, such as the appreciability of the harm or the objective nature of the infringement. It is therefore not a question of suffering pecuniary damage as a result of loss of control, nor is it a question of the loss of control causing negative feelings such as fear, anger, stress and indignation, or problems in the psychological or mental sphere. The loss of control ís intangible damage.
According to the ECJ, in cases where the aggrieved relies solely on the fear of future misuse, as is also the case in the proceedings against the State et al, the national court must assess whether that fear is well-founded in the concrete circumstances of the case. However, the court did not get to that assessment at all, as it wrongly assumed that the fear put forward by ICAM refers to fear of infringement, rather than fear of misuse.
[1] For a brief explanation of these admissibility requirements and interpretation by case law so far, I refer to our earlier blog.