On 30 June 2021, Amsterdam District Court rendered an interlocutory judgment in the case between the foundation Data Privacy Stichting and Facebook.[1] The underlying dispute concerns the question of whether Facebook has violated the privacy of its users.
In this interlocutory judgment the District Court ruled on its jurisdiction, the admissibility of Data Privacy Stichting’s claim and the applicable law.
With regard to the jurisdiction of the District Court, the District Court assumed jurisdiction on various grounds. Firstly, Facebook has an establishment in the Netherlands (the “anchor defendant”) which performs relevant activities with regard to the revenue model (personalised advertisements) of Facebook. The claims against the various Facebook entities are therefore so closely connected that the District Court has jurisdiction to rule on all claims simultaneously (Article 8(1) Brussels I Regulation Recast). Secondly, the damage is suffered by the individuals represented by the foundation. This damage is suffered in the Netherlands. Based on “Erfolgsort”, the Dutch court therefore has jurisdiction to rule on this damage (Article 7(2) Brussels I Regulation Recast). Thirdly, the District Court ruled that it had jurisdiction based on the GDPR. Facebook has an establishment in the Netherlands and the individuals represented by the foundation reside in the Netherlands. Both facts are grounds for jurisdiction (Article 79 GDPR). Importantly, the District Court concluded that the rules on jurisdiction from the Brussels I Regulation Recast and the GDPR were not mutually exclusive.
Furthermore, regarding the admissibility of Data Privacy Stichting’s claim, the District Court ruled that the claimed unlawful activities are the same for all individuals represented by Data Privacy Stichting. The interests of all individuals can therefore be bundled. Furthermore, the fact that Data Privacy Stichting is an ad hoc foundation, funded by an American funder, is no obstacle. The independence and quality of the board of the foundation are guaranteed. Lastly, the GDPR (Article 80) forms no obstacle to representation of individuals on an opt-out basis.
As regards the applicable law, the District Court ruled that the GDPR (and its predecessor) were applicable, based on the Dutch establishment of Facebook. Regarding Dutch law on unlawful act, the Rome II Regulation establishes applicable law in the place where the damage occurs. As the individuals represented by the foundation suffer damage in the Netherlands, Dutch law applies.
[1] https://deeplink.rechtspraak.nl/uitspraak?id=ECLI:NL:RBAMS:2021:3307.