First strike in a Dutch TikTok class action on privacy violation: court accepts international jurisdiction

/in /by
image_pdfimage_print

Written by Eduardo Silva de Freitas (Erasmus University Rotterdam) & Xandra Kramer (Erasmus University Rotterdam/Utrecht University), members of the Vici project Affordable Access to Justice, financed by the Dutch Research Council (NWO), www.euciviljustice.eu.  

Introduction

On 9 November 2022 the District Court Amsterdam accepted international jurisdiction in an interim judgment in a collective action brought against TikTok (DC Amsterdam, 9 November 2022, ECLI:NL:RBAMS:2022:6488; in Dutch). The claim is brought by three Dutch-based representative organisations; the Foundation for Market Information Research (Stichting Onderzoek Marktinformatie, SOMI), the Foundation Take Back Your Privacy (TBYP) and the Stichting Massaschade en Consument (Foundation on Mass Damage and Consumers). It concerns a collective action brought under the Dutch collective action act (WAMCA) for the infringement of privacy rights of children (all foundations) and adults and children (Foundation on Mass Damage and Consumers). In total, seven TikTok entities are sued, located in Ireland, the United Kingdom, California, Singapore, the Cayman Islands and China. The claims are for the court to order that an effective system is implemented for age registration, parental permission and control, and measures to ensure that commercial communication can be identified and that TikTok complies with the Code of Conduct of the Dutch Media Act and the GDPR.

After an overview of the application of the WAMCA, which has been introduced in a different context on this blog earlier, we will discuss how the Court assessed the question of international jurisdiction.

The class action under the Dutch WAMCA

 Following case law of the Dutch Supreme Court in the 1980s concerning legal standing of representative organisations, the possibility to start a collective action was laid down in Article 3:305a of the Dutch Civil Code (DCC) in 1994. However, this was limited to declaratory and injunctive relief. Redress for compensation in mass damage cases was only introduced in 2005 with the enactment of the Collective Settlement of Mass Claims Act (Wet collectieve afwikkeling massaschade, WCAM). This collective settlement scheme enables parties to jointly request the Amsterdam Court of Appeal to declare a settlement agreement binding on an opt-out basis. The legislative gap remained as a collective action for compensation was not possible and such mass settlement agreement relies on the willingness of an allegedly liable party to settle.

This gap was closed when in 2019, after a lengthy legislative process, the Act on Redress of Mass Damages in a Collective Action (Wet afwikkeling massaschade in collectieve actie, WAMCA) was adopted. The WAMCA entered into force on 1 January 2020 and applies to mass events that occurred on or after 15 November 2016. The WAMCA expanded the collective action contained in Article 3:305a DCC to include actions for compensation of damage (Tillema, 2022; Tzankova and Kramer, 2021). While the WAMCA Act generally operates on an opt-out basis for beneficiaries represented by the representative organisation(s), there are exemptions, including for parties domiciled or habitually resident outside the Netherlands. In addition, the standing and admissibility requirements are relatively strict, and also include a scope rule requiring a close connection to the Netherlands. Collective actions are registered in a central register (the WAMCA register) and from the time of registration a three-months period starts to run (to be extended to maximum six months), enabling other claim organisations to bring a claim, as only one representative action can be brought for the same event(s). If no settlement is reached, an exclusive representative will be appointed by the court. Since its applicability as of 1 January 2020, 61 collective actions have been registered out of which 8 cases have been concluded to date; only a very few cases have been successful so far. These collective actions involve different cases, including consumer cases, privacy violations, environmental and human rights cases, intellectual property rights, and cases against the government. Over one-third of the cases are cross-border cases and thus raise questions of international jurisdiction and the applicable law.

As mentioned above, in the TikTok case eventually three Dutch representative foundations initiated a collective action against, in total, seven TikTok entities, including parent company Bytedance Ltd. (in the first action, the claim is only brought against the Irish entity; in the other two actions, respectively, six and seven entities are defendants). These are TikTok Technology Limited (Ireland), TikTok Information Technology Limited (UK), TikTok Inc. (California), TikTok PTE Limited (Singapore), Bytedance Ltd. (Cayman Islands), Beijng Bytedance Technology Co. Ltd. (China) and TikTok Ltd. (also Cayman Islands). The claim is, in essence, that these entities are responsible for the violation of fundamental rights of children and adults. The way in which the personal data of TikTok users is processed and shared with third parties violates the GDPR as well as the Dutch Telecommunications Act and Media Act. It is also claimed that TikTok’s terms and conditions violate the Unfair Contract Terms Directive (UCTD – 93/13/EEC) and the relevant provisions of the Dutch Civil Code.

International jurisdiction of the Amsterdam District Court

 The first stage of the proceedings, leading up to this interim judgment, deals with the international jurisdiction of the District Court of Amsterdam, as the TikTok entities challenge its international jurisdiction. TikTok requested the Court to refer preliminary questions to the CJEU but the Court refused this request, stating that the questions on (a) how the GDPR and Brussels I-bis Regulation regimes interact and (b) the applicability of Article 79(2) GDPR were deemed resolved.

Relevant jurisdiction rules

Considering the domicile of the defendant(s) and the alleged violation of the GDPR, both EU and Dutch domestic jurisdiction rules come into the picture. TikTok alleges that the Dutch courts do not have jurisdiction over this case under Article 79(2) GDPR. Moreover, TikTok alleges that, since Article 79(2) GDPR is a lex specialis in relation to the Brussels I-bis Regulation, the latter cannot be applied to override the jurisdictional rules set out in the GDPR. The three representative organisations argue that the Dutch courts have jurisdiction under both EU private international law rules and the Dutch Code of Civil Procedure (DCCP). Before delving into how the District Court of Amsterdam construed the interaction between the legislations concerned, we will describe the applicable rules on international jurisdiction for privacy violations. The alleged violations occurred, or the claims relate to violations occurring, after 25 May 2018, that is, after the entry into force of the GDPR. TikTok Ireland is a data controller subject to the GDPR. Under Article 79(2) GDPR the “data subjects” (those whose rights are protected by the GDPR) shall bring an action for the violation of their rights in either the courts of the Member State in which the data controller or processor is established or of the Member State in which the data subject has its habitual residence. Furthermore, Article 80(1) GDPR provides for the possibility of data subjects to mandate a representative body which has been properly constituted under the law of that Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms to file actions on their behalf under Article 79 GDPR.

The case also deals with non-GDPR-related claims, which triggers the application of the Brussels I-bis Regulation, at least as far as the entities domiciled in the EU are concerned. Article 7(1)(a) Brussels I-bis states that, for contractual matters, jurisdiction is vested in the Member State in which the contract is to be performed. More importantly for this case, with regards to torts, Article 7(2) provides jurisdiction for the courts of the place where the harmful event occurred or may occur. Finally, in relation to the TikTok entities that are not domiciled in the EU, the international jurisdiction rules of the Dutch Code of Civil Procedure (Articles 1-14 DCCP) apply. This is the case regarding both GDPR and non-GDPR-related claims. These Dutch rules are largely based on those of the Brussels I-bis Regulation and also include a rule on multiple defendants in Article 7 DCCP.

The claims against TikTok Ireland

The Amsterdam District Court starts its reasoning by addressing whether it has jurisdiction over TikTok Technology Limited, domiciled in Ireland, the entity that is sued by all three representative organisations. The Court states that Article 80(1) GDPR does not distinguish between substantive and procedural rights in granting the possibility for data subjects to mandate a representative body to file actions on their behalf under Article 79 GDPR. Therefore, actions brought under Article 80(1) GDPR can rely on the jurisdictional rule set out in Article 79(2) GDPR which allows for the bringing of actions before the courts of the Member State in which the data subject has its habitual residence. The Court further reasons that the word ‘choice’ enshrined in Recital 145 GDPR, when mentioning actions for redress, allows for the interpretation that it is up to the data subject to decide where she prefers to file her claim.  In the case at hand, since the data subjects concerned reside in the Netherlands, they can mandate a representative body to file claims before the Dutch courts.

As to the non-GDPR-related claims and GDPR violations that also qualify as tortious conduct, the District Court considered first whether the case concerned contractual matters, to decide whether Article 7(1) or Article 7(2) Brussels I-bis Regulation applies. For this purpose, the District Court relied on the rule established by the CJEU in Wikingerhof v. Booking.com (Case C-59/19, ECLI:EU:C:2020:95), according to which a claim comes under Article 7(2) when contractual terms as such and their interpretation are not at stake, but rather the application of legal rules triggered by the commercial practices concerned – or, in other words, contractual “interpretation being necessary, at most, in order to establish that those practices actually occur”. Given that, in this case, the question is whether TikTok’s terms and conditions are abusive under both the UCTD and the DCC, the claim was deemed to fall under Article 7(2) Brussels I-bis Regulation.

Next, the District Court assesses whether the criteria for establishing jurisdiction under Article 7(2) are met. For this purpose it refers to the CJEU ruling in eDate Advertising and Others (Case C-509/09, ECLI:EU:C:2011:685). In this case the CJEU ruled that, when it comes to “publication of information on the internet” that triggers an “adverse effect on personality rights”, the habitual residence of the victim being his centre of interests can be regarded as the place in which the damage occurred. The District Court rightfully ruled that since the rights of TikTok users that have their habitual residence in the Netherlands had been violated through online means, the Netherlands can be regarded as the place in which the damage occurred.

The Court confronts TikTok’s argument that, since Article 79(2) GDPR is a lex specialis in relation to the Brussels I-bis Regulation, the latter cannot be applied to override the jurisdictional rules set out in the GDPR. As per the Court, the rules on conflict of jurisdiction established by the Brussels I-bis Regulation are general in nature and, as such, cannot be derogated from other than by explicit rules. Hence, the Court interprets Recital 147 GDPR – which states that the application of the Brussels I-bis Regulation should be without prejudice to the application of the GDPR – as being unable to strip away the applicability of the Brussels I-bis Regulation. In the Court’s understanding, Recital 147 GDPR points to the complementarity of the GDPR in relation to the Brussels I-bis Regulation, and both regimes coexist without hierarchy. Therefore, according to the Court, the GDPR is not a lex specialis in relation to the Brussels I-bis Regulation. Furthermore, the Court notes that, under Article 67 Brussels I-bis Regulation, its regime is without prejudice to specific jurisdictional rules contained in EU legislation on specific matters. While the relationship between the jurisdiction rules of the GDPR and the Brussels I-bis Regulation is not wholly undisputed, in the present case the provisions do not contradict each other, while at the same time in this case also non-GDPR issues are at stake.

The claims against non-EU based TikTok entities

Having established international jurisdiction in the case against TikTok Ireland, the Amsterdam District Court rules on its international jurisdiction in relation to the other TikTok entities sued by two of the foundations. As no EU rules or international convention applies, the Dutch jurisdiction rules laid down in Articles 1-14 DCCP apply. Article 7(1) DCCP contains a rule for multiple defendants and connected claims similar to that in Article 8(1) Brussels I-bis. The Court considers that both legal and factual aspects are closely intertwined in this case. The claims concern several different services, not only the processing of data, and all defendants are involved in the provision of these services. The claims are therefore so closely connected that it is expedient that they are dealt with in the same proceedings.

Outlook

TikTok attempted to appeal this interim judgment on international jurisdiction. Under Article 337(2) DCCP, it is at the court’s discretion to grant leave to appeal interim decisions when the appeal is not filed against the final judgment at the same time. In this case, the Court did not find sufficient reasons to allow for such appeal. The case will now proceed on other preliminary matters, including the admissibility of the claim under the WAMCA, and (if admissible) the appointment of the exclusive representative. For this purpose, at the end of its judgment the Court orders parties to provide security as to the financing of the case, which requires submitting to the Court a finance agreement with the third-party financer. After that, assuming that no settlement will be reached, the case will proceed on the merits. It may well be that either of the parties will appeal the final judgment, and that on that occasion TikTok will raise the jurisdictional question again.

To be continued.