Dutch Consumer Groups Sue Google Over Privacy Concerns

Two prominent Dutch consumer advocacy groups, the Privacy Protection Foundation and Consumentenbond, have filed a privacy lawsuit against Google, alleging "constant surveillance" and the sharing of personal data in its targeted advertising auctions. The lawsuit, initially announced in May, has garnered significant support, with approximately 82,000 individuals signing up to participate. It was officially filed in the Amsterdam District Court and is open to any Netherlands resident who has used Google services since March 2012.

The crux of the privacy lawsuit centers around Google's targeted advertising auction system, which has previously faced regulatory scrutiny across Europe. Advertisers engage in real-time bidding to secure ad slots aimed at specific demographics and keywords. However, the consumer groups argue that European users are exposed to this bidding process numerous times daily while conducting routine internet activities.

In theory, Google's system anonymizes targeted ad data by assigning users unique ID numbers not linked to personally identifiable information. Nevertheless, the consumer groups assert that the system collects an excessive amount of data, enabling the identification of individuals by connecting data points. Moreover, third-party data brokers enhance these profiles with more detailed information that can be linked to real identities.

Should the court rule in favor of the plaintiffs and award the maximum requested damages, Google could potentially face a bill of at least $65 million, based on the current number of claimants. However, the lawsuit remains open for new sign-ups indefinitely, implying that nearly every resident of the Netherlands, with a population of 17.5 million, who has used a qualifying Google product since 2012 could potentially participate.

The privacy lawsuit's foundation benefits from a March decision by the Amsterdam District Court, which found Facebook in violation of EU data protection rules. Facebook had failed to obtain proper user consent and declare a valid lawful basis for data processing. In a related lawsuit involving consumer groups, Facebook may face taxation for the period between 2010 and 2020, with an estimated 10 million Dutch residents eligible to claim damages.

Real-time bidding has faced legal challenges in the EU since the implementation of the General Data Protection Regulation (GDPR) in 2018. While multiple consumer group complaints on this issue have languished, recent actions in the Netherlands, as well as a 2022 decision by Belgium's Data Protection Authority, have reshaped how companies can claim valid user consent. Google is under investigation on various fronts in Ireland, with some cases initiated several years ago, including targeted advertising, deceptive language in user interfaces and privacy policies, and location tracking across its services.

The EU Court of Justice's recent ruling that established no threshold of seriousness for claims of non-material harm in privacy cases further bolsters privacy lawsuits within the bloc. This opens the door to claims related to emotional or psychological distress stemming from privacy breaches or data theft.

In a time when data privacy is of paramount concern, this lawsuit serves as another example of consumers holding tech giants accountable for their data handling practices.