Amsterdam Court of Appeal confirms the Netherlands as a key jurisdiction for collective privacy actions

The Wamca, which entered into force on 1 January 2020, updated the Dutch collective action regime by allowing representative organisations to seek monetary damages in collective opt‑out proceedings. Under the prior regime, organisations were largely limited to declaratory relief. The Wamca has not only led to greater incentives to litigate but also to fund such actions. In light thereof, the Netherlands has rapidly become a preferred forum for collective actions, with a notable portion of those actions being for alleged privacy and data protection infringements targeting major technology platforms and companies. Claim organisations have started collective actions against, for example, Meta, X, Amazon, Oracle, Salesforce and, as we can see in this verdict, against TikTok. Despite the number of filings, however, none of the privacy and data protection matters reached the merits phase. This was in part due to the defendants having mounted robust defences on issues including jurisdiction, admissibility of the claim organisations and their claims, and group definition. It is worth noting that the appeal proceedings in TikTok were initiated before the merits phase and as such, also in the TikTok case, the merits phase has not yet commenced.

The TikTok litigation commenced in 2021 with a writ of summons issued by claim organisation, SOMI, against TikTok Ireland. After registration in the Dutch collective actions public register, two further foundations (TBYP and SMC) initiated similar claims against multiple TikTok entities. All organisations sought, among other relief, compensation for material and immaterial damages arising from alleged GDPR violations.

At first instance, the Amsterdam District Court held that it had jurisdiction and found the organisations admissible under the Wamca. On similarity, the District Court distinguished between material and immaterial damages. It considered material damages sufficiently similar (at least at this early stage) to proceed on a collective basis. By contrast, it deemed immaterial damages too individualised in the privacy context, pointing to divergent user experiences on TikTok and emotional impacts across a broad user base. The District Court also imposed a temporal cut‑off for the narrowly defined group on 9 November 2022 (the date it accepted jurisdiction), excluding persons who downloaded TikTok thereafter. These constraints substantially limited potential exposure and recovery, leading the claim organisations to appeal. TikTok cross‑appealed on matters including jurisdiction, admissibility, and group delimitation. 

For the purposes of this note we address the Court of Appeal’s ruling around three central themes.

First, on jurisdiction for non‑GDPR claims, the Court of Appeal affirmed the competence of the Dutch courts based on the place where the harmful event occurs or may occur. It rejected in that sense, the notion that the Amsterdam District Court is only competent for damage that occurred within the Amsterdam district, noting that such a position would force duplicative filings across Dutch districts only for referral back to Amsterdam. The Court of Appeal deems this an unnecessary detour that would only lead to further delay. While this defence may be technically correct - particularly in light of currently pending questions before the CJEU on this topic in a matter against Apple - the Court of Appeal takes a pragmatic approach to avoid unnecessary hold-up.

For GDPR-based claims, the Court of Appeal stayed its assessment pending answers to preliminary questions concerning Articles 80 and 82 GDPR referred to the CJEU by the Rotterdam District Court in a similar collective action against Amazon. A key question in that referral is whether Article 80 permits opt‑out collective actions, or instead requires an opt‑in mandate or specific authorisation by data subjects. Importantly, the Court of Appeal allowed the TikTok proceedings to continue with respect to the non-GDPR grounds and declined to a full standstill, distinguishing the approach taken in other, similar matters.

Second, on admissibility and similarity, the Court of Appeal upheld the admissibility of the claim organisations. The Court confirmed that the admissibility assessment is ex nunc consistent with its approach in the collective action against Oracle/Salesforce. It further noted that SOMI and TBYP’s presence on the list of qualified entities of the Representative Actions Directive supports compliance with relevant Wamca requirements. Critically, where the District Court had found immaterial damage claims too individualised to be assessed in the context of a collective action, the Court of Appeal did not agree with that view. It recognised that immaterial privacy harm can, in principle, be advanced in a collective action, emphasising that the route of a collective action is more efficient and effective than individual proceedings, also considering the size of the narrowly defined group and the uniform nature of the alleged misconduct and the legal grounds. If necessary, the group can be further broken into different sub-groups, which approach we have seen in other cases.

Third, on the scope of the narrowly defined group, the Court of Appeal declined to impose the District Court’s temporal cut-off of 9 November 2022. The Court of Appeal considered that the alleged unlawful conduct may be ongoing and that a hard end date would undermine procedural economy by encouraging successive Wamca actions to capture persons subscribing to TikTok after such end date. In practical terms, individuals who create accounts during the proceedings can fall within the narrowly defined group.

Lastly, the Wamca does not provide for specific appeal procedural law. Therefore, the "regular" appeal procedural law applies, with the caveat that deviations are permitted if the purpose and system of the Wamca gives cause to do so. In light thereof the below considerations where the Court of Appeal clarifies certain appellate Wamca particularities are interesting. The Court of Appeal:

• confirmed that a party that was not designated as an exclusive representative may also appeal;
• held that appeals cannot be extended against parties not summoned at first instance, thereby confirming that joint handling for efficiency does not erase the separate identity of each case;
• reiterated that the designation of the exclusive representative is not open to appeal and maintained SMC and STBYP as exclusive representatives; and
• allowed amendments to claims given the early procedural stage, testing such amendments against the requirements of proper procedure in light of the collective context.

Following this decision defendants in privacy class actions in the Netherlands can expect a steeper trajectory toward the proceedings on the merits as admissibility challenges, particularly against immaterial harm claims, face a higher bar. For claim organisations and funders, the confirmation that immaterial privacy damages are not unsuitable for collective adjudication, combined with a flexible approach to group scope, enhances the viability of large‑scale privacy class actions. The evolving framework also intersects with related regulatory developments, including the Digital Services Act and Digital Markets Acts, which may further shape the class action litigation landscape in the Netherlands.

This ruling strengthens the role of the Netherlands as an important jurisdiction for collective privacy litigation and refines the Dutch collective actions' playbook. By affirming jurisdiction for non‑GDPR claims, recognising that immaterial privacy harm can be assessed in the context of collective actions, and allowing a narrowly defined group that is not limited in time, the Court of Appeal prioritises procedural efficiency and access to collective redress. We now eagerly await the CJEU's guidance on Articles 80 and 82 GDPR that will further impact the future of privacy class action litigation in the Netherlands.