On the ground | Privacy and data protection | Data protection standards | Profiling practices | Transparency

Oracle and Salesforce taken to court in the Netherlands over GDPR infringement

Dutch Foundation “The Privacy Collective” is suing tech giants Oracle and Salesforce for the misuse of millions of people’s data under GDPR.

By The Privacy Collective (guest author) · November 12, 2020

Designed by stories/Freepik

It’s the biggest class-action of its kind in history and could amount to €10 billion compensation being paid out to affected internet users in the Netherlands alone.

Every time an internet user visits a website that features ‘behavioral’ advertisements, advertising technology companies like Oracle and Salesforce gather large amounts of detailed and sensitive personal data that describe each user. This data is compiled into profiles, which are being shared with advertisers, so their ads can reach very specific audiences. This process makes personal data available to large groups of organisations without protection or oversight, which conflicts with GDPR. In particular, this clashes with rules regarding obtaining valid consent, the appropriate transparency regarding data processing, the transfer of the data to the United States of America and the general requirement of fair, necessary and proportionate processing.

“Through the use of cookies, cookie syncing and other practices, Oracle and Salesforce have created an unlawful infrastructure for profiling based on people’s data, including browsing and search history – all without a valid legal basis and in violation of fundamental rights”,

says Joris van Hoboken, ex-board member of Bits of Freedom and professor of law at the Vrije Universiteit Brussels

EDRi member, Bits of Freedom stands with The Privacy Collective in wanting this action to go to court so that Oracle and Salesforce will be held accountable. The class action means that the foundation seeks actual compensation, which, if awarded could potentially result in a huge hit to the bottom lines of these two companies. The foundation considers this a useful addition in enforcement by Data Protection Authorities, which to date has not been very active in enforcing GDPR in relation to advertising technology companies and the practices described above.

To ensure the case will be heard by the court in Amsterdam, The Privacy Collective is actively seeking support for its legal action, which can be expressed directly through this link.

(Contribution by Janneke Sloetjes and Joris van Hoboken)