Salesforce and Oracle are to face a GDPR lawsuit in London and the Netherlands that could cost them up to €10bn in fines, a legally aggressive privacy campaign group has claimed to The Register.
The suit, which alleges the ad-tech subsidiaries of the American giants are in breach of the EU's General Data Protection Regulation, is to be formally commenced in the Netherlands today.
A campaign group calling itself the Privacy Collective is capitalising on newly liberalised UK rules allowing class-action-style lawsuits to go ahead.
It is to be alleged that Oracle's Bluekai and Salesforce DMP (formerly Krux) were misusing consumers' data by aggregating information collected from differing websites. That information was bundled up into profiles used to help them sell more effectively.
Although the group's website discloses very little about who is behind it, it does reveal: "All costs and expenses of the claims (including any court fees, lawyers and experts) will be funded by a litigation funder in return for a commission, which is based on a percentage of the compensation awarded in favour of the class of claimants."
The litigation funder is Innsworth Advisors. Ian Garrard, its MD, said in a canned statement: "The development of class action regimes in the UK and the availability of collective redress in the EU/EEA mean Innsworth can put money to work enabling access to justice for millions of individuals whose personal data has been misused."
This is the same model used by Richard Lloyd, the public face of a campaign suing Google in London for up to £3bn over the so-called Safari Workaround. That workaround let Google plant ad-tracking cookies on Apple devices, despite efforts by Apple to prevent that from happening.
Dr Rebecca Rumbul of the Privacy Collective told The Register: "We're looking at informed consent. Bluekai would collect data not just on one particular site but other sites too and then aggregate that data. The key thing is, under GDPR who is the data processor legally? You should be able to figure that out."
The business model of commercial litigation funders is simple: they spend a certain amount in legal fees and then get their money back with interest if the legal team wins the case. In the past, England and Wales' courts refused to let many group litigation actions go ahead unless every member of the group (class, if you're American) had precisely the same claim. Google failed to get Richard Lloyd's class definition thrown out of the Court of Appeal, setting a commercially valuable precedent.
People interested in releasing their personal data to the Privacy Collective, a "foundation established pursuant to Article 3:305a of the Dutch Civil Code" in order to hear more about the case, are able to do so on the collective's website.
Oracle sent a statement from EVP and general counsel Dorian Daley: "The Privacy Collective knowingly filed a meritless action based on deliberate misrepresentations of the facts. As Oracle previously informed the Privacy Collective, Oracle has no direct role in the real-time bidding process (RTB), has a minimal data footprint in the EU, and has a comprehensive GDPR compliance program. Despite Oracle's fulsome explanation, the Privacy Collective has decided to pursue its shake-down through litigation filed in bad faith. Oracle will vigorously defend against these baseless claims."
Salesforce told us: "We design and build our services with privacy at the forefront, providing our corporate customers with tools to help them comply with their own obligations under applicable privacy laws – including the EU GDPR – to preserve the privacy rights of their own customers.
"Salesforce and another data management platform provider have received a privacy-related complaint from a Dutch group called The Privacy Collective. The claim applies to the Salesforce Audience Studio service and does not relate to any other Salesforce service. Salesforce disagrees with the allegations and intends to demonstrate they are without merit." ®