Consumer collective launches mass claim against Odido for privacy violation

Legal obligation to handle personal data with care

The General Data Protection Regulation (AVG) has clear requirements. Odido is a so-called “data controller” under this law. The law says about this that it must
1) need to put strict security measures in place in their systems (e.g. with limited access rights for employees and monitoring for downloading large amounts of data);
2) should request as little data from customers as possible and that the processing is lawful;
3) must be transparent; and
4) should take immediate and adequate steps to inform the Personal Data Authority and customers in the event of a data breach.

In Odido's case, it is clear that the telecom company was negligent on several counts. For instance, far too much data was kept, for far too long a period. The sheer amount of data stolen shows that the data was not properly shielded or ‘compartmentalised’. Odido was also insufficiently transparent and did not properly comply with the reporting obligation.

In its own communications, Odido has since pointed out that affected customers' personal data has already been used for criminal activities such as phishing. On other points, there is still uncertainty. Several investigations are ongoing by the Public Prosecutor's Office, the Personal Data Authority and the National Digital Infrastructure Inspectorate.

Three goals

CUIC wants to achieve three things with this case. First: redress for all the people whose data is now on the streets. Second: to set an example for all companies. Privacy is a fundamental right that must be well protected. Third: that Odido opens up about how this massive data breach could have happened and why it seems to have ignored warnings from software company Salesforce about the security of its systems, for example.

The bigger picture

CUIC president Eliëtte Vaal: “You can never completely rule out an intruder getting into systems. But the law requires you to at least take proper precautions. Odido seems to have regarded the security of its customers” data as the cornerstone of its operations. In doing so, they have exposed millions of customers and former customers to the risk that things like their bank details can now be misused. Many people are rightly concerned about this."

Sign up for the case at CUIC.eu for free

People who are or were customers of Odido, T-mobile, Ben or Tele2 are urged to sign up for this collective action at www.cuic.eu. Registration is free of charge. Privacy is a fundamental right that needs protection from abusive commercial practices.

About CUIC

CUIC is an independent non-profit organisation and stands for Consumers United in Court, also pronounced ‘CU in Court’ (see you in court). CUIC's mission is to protect consumers' privacy and, to this end, it can litigate under the new Mass Tort Claims Settlement in Collective Action Act (Wamca), joining forces with consumers. CUIC was co-founded by Privacy First and the European organisation None of Your Business (noyb), two organisations that have been successfully fighting and litigating for privacy and data protection of citizens for many years, with important implications in legislation, implementation and supervision.

The claim against Odido is the second lawsuit launched by CUIC, following CUIC's case against tech company Avast that for years illegally collected and resold the online browsing behaviour of millions of people. The case against Avast is currently pending at the Amsterdam District Court.