Report on public event 'Access to Justice'
On 6 March 2025, CUIC Foundation and Privacy First organised a joint meeting on how victims of privacy violations can seek justice: Access to Justice. Four speakers gave presentations from different perspectives on personal data protection and the legal battle against privacy violations.

After an introduction to mass claim organisation CUIC by chairman Wilmar Hendriks, lawyer Jurjen Lemstra addressed the status of the mass claim against Avast, which CUIC launched on behalf of injured parties. Professor Gerrit-Jan Zwenne then went into more detail on privacy law in mass tort claims. Finally, lawyer Ina Brouwer spoke about the collective privacy case of banga list victims. The debate afternoon was led by moderator Frits Huffnagel. The venue was the Volkshotel in Amsterdam (former office location of Privacy First).

Wilmar Hendriks (chairman) on CUIC Foundation
Wilmar Hendriks introduced CUIC Foundation, an organisation dedicated to protecting privacy rights and taking collective legal action against the misuse of personal data. He stressed the growing importance of access to justice in a digital world in which both commercial parties and governments attach increasing value to personal data.
He compared the situation to companies that had "run the red light" for years by collecting personal data without permission and making a profit from it. The fines imposed were often not dissuasive enough. Hendriks indicated that users often do not know how to seek justice after their data has been misused. CUIC strives to break through this problem and fights with full conviction for the protection of privacy rights, including through a case against Avast.
CUIC's mission:
"The mission of CUIC is to be a significant cause for the change of use of personal data by organizations. In such a way that, where it now tends to limit freedom of people, it will respect this freedom. The mission is based on the fundamental right to privacy, based on the Universal Declaration of Human Rights."


Jurjen Lemstra (lawyer at Lemstra Van der Korst) on the mass claim against Avast launched by CUIC on behalf of injured parties
Jurjen Lemstra elaborated on the class action lawsuit filed by CUIC against Avast. This Czech antivirus company secretly collected browsing data of Dutch users for years and sold it through a subsidiary. This was done without the users' consent, while they believed they were protecting their privacy with Avast software.
The case is being conducted under the Class Action Mass Claims Settlement Act (WAMCA) and has several stages. At the moment, the case is still in the preliminary phase, in which legal competence and admissibility are being tested. A ruling on this is expected by the end of 2025, according to Lemstra. Should CUIC be recognised as the representative of victims, the case will proceed to substantive proceedings and possibly compensation for Dutch users.
Key points of the proceedings:
- Avast has already been fined by regulators in the US and the Czech Republic.
- Avast's CEO has acknowledged that the company's reliability has been damaged.
- CUIC seeks damages on two grounds:
  - Material damage: profits unfairly enjoyed by Avast.
  - Intangible damage: privacy breach and emotional damage to users.
The case will continue to unfold over the next two years, possibly with a settlement attempt or a substantive trial.


Gerrit-Jan Zwenne (professor of law and the information society at Leiden University, professor of data protection in Dutch legal practice at the Open University and lawyer at Pels Rijcken & Droogleever Fortuijn) on privacy and data protection law in mass claims
Gerrit-Jan Zwenne discussed the legal challenges in enforcing privacy rights through mass claims. He highlighted the difference between "being right" and "being vindicated" and mentioned how complex it is to address privacy violations legally.
Although the Personal Data Authority plays a role in privacy enforcement, it is sometimes seen as a "tiger with false teeth" because its interventions do not always hold up in court. Collective actions can be a more effective way to obtain damages.
He also discussed the importance of Article 80 of the GDPR (AVG), which allows injured parties to be represented by claims foundations. The Supreme Court ruled in the Pieter Baan Centre judgment that individuals must demonstrate damages concretely, unless the privacy breach is serious enough to automatically result in impairment of the person, as in the case of wrongful publication of a BSN or medical data.

Ina Brouwer (lawyer at La Raison advocacy) on the collective privacy case of banga list victims
Ina Brouwer discussed a harrowing privacy case surrounding the dissemination of so-called banga lists. These are online lists in which young women are exposed with their address and contact details and defamed in this way. Warnings about this were already issued in 2016, but in March 2024 such lists resurfaced, with serious consequences for the victims and their families.
The case led to doxing charges and an enforcement request to the Personal Data Authority. A key challenge was that Telegram, the platform on which the lists were distributed, is based outside the EU. Eventually, international cooperation, including the Belgian regulator and the European Commission, led to some action. The arrest of a Telegram chief in Paris contributed to this.
Brouwer indicated that, despite this, addressing such online privacy violations remains difficult. Major tech companies such as Meta and Telegram have recently indicated they do not want to moderate content. This means victims often have to rely on individual civil lawsuits, which can be hugely difficult and costly.

