The data processing policies and practices of two of the world’s largest software companies, Salesforce and Oracle, will come under scrutiny in the High Court of England and Wales in the biggest digital privacy class action lawsuit ever filed.
The suit, filed by privacy campaigner and data protection specialist Rebecca Rumbul, is seeking damages that have been estimated in excess of £10bn, which could conceivably lead to awards of £500 for every internet user in the UK. A parallel suit in the Netherlands backed by a Dutch group called The Privacy Collective Foundation could take the total damages to more than €15bn.
“Enough is enough,” said Rumbul. “I am tired of tech giants behaving as if they are above the law. It is time to take a stand and demonstrate that these companies cannot unlawfully and indiscriminately hoover up my personal data with impunity. The internet is not optional any more, and I should be able to use it without big tech tracking me without my consent.
“The data these companies are compiling on ordinary citizens is terrifying. With their tracking technologies in use across the most popular websites, it is hard to escape from their data collection.”
Rumbul said that although both software firms could ignore her complaints as a lone individual, by becoming a class representative on behalf of millions, she could more effectively hold the advertising technology industry to account.
“I don’t believe that these companies, who profit from the sale of my personal data to third parties, currently respect the laws that are supposed to protect my privacy,” she said. “Perhaps £10bn given back to consumers in England and Wales will change that.”
The lawsuit centres on the collection and processing of personal information by advertising technology platforms owned by Oracle and Salesforce, which use third-party cookies to track, monitor and collect online browsing data and auction it to advertising platforms to serve targeted online adverts.
These are the tailored ads that many people seem to think “follow” them around the internet, and the data used to generate them can include a person’s interests, location, income, relationship status, gender or sexual orientation, health status, age, level of education and political or religious leanings.
Rumbul’s suit, led by law firm Cadwalader, alleges that this process is done without clear consent and is therefore a breach of the General Data Protection Regulation (GDPR).
A Salesforce spokesperson said: “At Salesforce, trust is our number one value and nothing is more important to us than the privacy and security of our corporate customers’ data.
“We design and build our services with privacy at the forefront, providing our corporate customers with tools to help them comply with their own obligations under applicable privacy laws – including the EU GDPR – to preserve the privacy rights of their own customers.
“Salesforce and another data management platform provider received a privacy-related complaint from a Dutch group called The Privacy Collective in The Netherlands in August 2020. Salesforce and the same data management platform provider have since received a similar privacy complaint in the UK from Dr Rebecca Rumbul. The claim applies to the Salesforce Audience Studio service and does not relate to any other Salesforce service.”
The spokesperson added: “Salesforce disagrees with the allegations and intends to demonstrate they are without merit.
“Our comprehensive privacy programme provides tools to help our customers preserve the privacy rights of their own customers. To read more about the tools we provide our corporate customers and our commitment to privacy, visit https://www.salesforce.com/privacy/products/.”
Oracle has previously described the legal action as a shake-down made in bad faith, condemned the allegations as baseless, and vowed to vigorously defend against it. It has not yet made any further comment.
The lawsuit proceedings will be stayed until the outcome – anticipated in 2021 – of the Lloyd vs Google case at the Supreme Court. If favourable, this could pave the way for opt-out representative actions for privacy breaches.