On August 14th 2020, The Privacy Collective filed a class action lawsuit against Salesforce and Oracle in the UK and the Netherlands over the use of third-party tracking technologies such as cookies, in breach of EU rules under the General Data Protection Regulation (2016/679) and the ePrivacy Directive (2002/58/EC). The cases, if successful, would be the largest class actions to date in the UK and the Netherlands (damages are expected to reach 10 billion euros) and the first such class actions under these laws.
The main basis for the claims stems from a judgment of the Court of Justice of the European Union (CJEU) in October 2019, often referred to as the Planet49 case (Case C-673/17), in which the Court clarified that the use of tracking technologies online is only lawful if opt-in consent has been obtained before such technologies are used. According to The Privacy Collective, this is not the case in relation to Salesforce's use of such technologies.
In another CJEU case from 2017 (Case C-40/17), the Court also ruled that an organisation which embeds third-party technologies into its websites or mobile applications is jointly liable for any unlawful processing of data by those third parties. It is important to note that under the General Data Protection Regulation, a data subject has the right to pursue legal action against any or all parties considered to be Joint Controllers.
Further complications arise from yet another CJEU judgment this summer (known as the Schrems II judgment) concerning the transfer of personal data to the United States, a country deemed not to provide a level of data protection essentially equivalent to that of the EU. As a result, transferring personal data relating to EU data subjects to the US or to US companies is unlawful.
Each of these cases illustrates why it is critically important for organisations to conduct thorough due diligence when choosing third-party vendors for cloud-based services such as a CRM. Failure to meet your legal obligation of due diligence creates very real risks of damage to your brand (where a chosen vendor is later found to be processing data unlawfully) and of legal liability as a Joint Controller for the actions of those vendors.
In addition to the above risks, the cost of having to move to a new vendor can be incredibly high at a time when budgets are already tight as a result of the economic contraction caused by the COVID-19 pandemic.
Furthermore, legal actions in this space show no sign of slowing down in the near future. Just last week, the French privacy regulator CNIL issued enforcement notices to Google and Amazon for 100M Euros and 35M Euros respectively for breaches of the same rules that Salesforce and Oracle are alleged to have breached in the class action referenced above. This is the same regulator which, just two weeks prior, fined EU supermarket and bank Carrefour over 3M Euros for similar infringements.
In the experience of this author, after working with hundreds of organisations over the last 12 years on privacy and data protection compliance, the most problematic vendors when it comes to compliance are CRM services and direct marketing services, which to date seem totally and wilfully ignorant of their obligations under EU law.
Looking forward to 2021
Looking forward to 2021, it is likely that we will see an increased focus on compliance issues, both from a regulatory enforcement perspective and in private litigation, so the time for organisations to review their compliance obligations is now. This applies particularly to the use of third-party vendors: whether those vendors have any legal actions ongoing or pending, and whether the use of those vendors meets the requirements of EU case law, paying particular attention to the use of US cloud-based services, which, as of the writing of this article, is not currently lawful.