To tell the story of the people

By Roel van Rijsewijk


Inspiring conversations with Christiaan Alberdingk Thijm


I am actually an internet hippie, a ‘new age digital anarchist’. The internet also started out as an open space where all people could connect, create and share. But that anarchism, combined with the network-effect, has led to the emergence of a number of dominant platforms who program their rules and collect all the data.


I am going to talk about this with lawyer Christiaan Alberdingk Thijm, a wordsmith and I think also a bit of a hippie. In the summons he tells the story of how all Dutch internet users are harmed by the data management platforms of Oracle and Salesforce and he is taking them to court on behalf of the foundation The Privacy Collective to claim mass damage in a collective action.


This time I will not meet Christiaan at my kitchen table, which has recently moved from Amsterdam to Landsmeer. Christiaan was busy writing the subpoena we’re about to talk about, so we sat at a conference table at his law firm bureau Brandeis. He is one of the country’s most well-known trial lawyers, working on the cutting edge of technology and law. Privacy and copyright in the digital world are his specialties. He also teaches one day a week at the University of Amsterdam about privacy and freedom of speech. He can be heard regularly on BNR, is a regular guest on talk- and news shows and makes himself heard through opinion pieces.


Finally, he also writes novels, a dream that I have myself as well. His debut “The Trial of the Century” has been well received and he tells me that he has just handed in the manuscript for his second novel to his publisher. “Story­telling, isn’t that an important skill for a trial lawyer?” I start.


“Good question! As a lawyer you have to be an artist with language. Advocacy is actually a form of storytelling. You have to think about the order in which you build up your argument, to get the Court behind your vision. The big difference with a book is that in legal writing you have to tell everything in a procedural document explicitly, while in a novel you consciously leave a lot of information underground for the reader to discover. As an author I am still experimenting with that and that is precisely what I like so much about writing a novel.”


The Open Space
I ask him where his passion for law comes from. He says that he was already interested in law as a child. “I have always been pre-occupied with rules. Whether they are good or bad. I have the sometimes awkward habit to speak truth to power, so if I don´t agree with a certain rule or its interpretation I will say so..” And this is not only about written rules, but also about the unwritten ones. “I think that’s the great thing about our Dutch society: we can handle unwritten rules quite well. For example, if you look at how cars are parked on the Amsterdam canals;
Americans find that completely irresponsible, while we think: if you drive too far and hit the water, that is your own responsibility.”
I tell him that I also love to philosophize about rules. “In my keynotes, I like to share with the audience that as a cyclist in Amsterdam I consider a red light a ‘well-intended recommendation’. Especially the non-Dutch people find that hilarious. And then I also refer to that open space behind the Amsterdam Central Station, which I cycle over more often since I have moved to Landsmeer when I get off the ferry. All traffic converges there and they have created a square where nothing is regulated at all.”


Christiaan: “Exactly. A place such as behind the Central Station in Amsterdam cannot exist in every country. The basic idea behind it is: let’s see what happens when people have to take responsibility themselves and have to solve it as a group. The same principle is applied in our corona policies. The government has really thought carefully about: how do we get people engaged and motivated to do what is needed? The Dutch approach was somewhat in the middle between Sweden, where people had a lot of freedom, and countries with a very strict lock-down. I find it fascinating to see what choices countries make. They all have the same goal in mind, but the right approach to get there is culturally determined. And you can see that on the internet as well, which once started out like the open space we have behind Central Station. And now look at the differences in policies governing the internet between, say, America and China. In fact, seeking a balance between health and the restriction of personal privacy is the same kind of tension as the balance between freedom of expression and privacy online.”


I agree with him wholeheartedly and I desperately hope that the Dutch government will continue to focus on own responsibility in its corona policy. And that this policy will prove to be successful. But can we keep this up with the second wave of infections? And can the internet remain that open space?


Space without boundaries is emptiness
“How did you actually end up in technology as a lawyer?” I want to know from Christiaan.
“I started as a lawyer in 1998, shortly after completing a master’s degree in London. It was the era of the dotcom hype. At that time, I felt inspired by John Perry Barlow.”


Perry Barlow of the Grateful Dead is, of course, the internet hippie ‘avant la lettre’. He is one of the first digital rights activists. The fact that I also see an internet hippie in Christiaan is one of the reasons I was looking forward to this meeting.


Christiaan continues: “The first case I was allowed to work on was that of XS4All against the Scientology Church. On the one hand, you had the view of XS4All and other internet companies who said: you should not regulate anything on the internet, it belongs to everyone. It should be a place where information flows freely and where freedom of speech is paramount. And on the other side was the Dutch government who said: what applies offline also applies online. The trick is to reconcile these two extremes because the truth is, as always, somewhere in the middle. And the truth shifts over time. Because I’m also starting to see that the internet has become a shamble due to the lack of rules.”


I recognize his struggle and want to understand why he now seems to be more on the side of the regulator. “Everything is connected but nobody is in charge.
That appeals to me as a digital anarchist, but in practice it appears that we still need a few good agreements and some boundaries. Space without boundaries is just emptiness.”


“Exactly”, replies Christiaan. “there is tension between an open space and a safe space and that is why there is now regulation governing the internet. By the EU but also by individual countries. And self-regulation by companies. It is interesting to see that LinkedIn banned Maurice de Hond from the platform for a while. In my opinion that was way over the top. While at other times the tech companies seem to do too little. In fact, by doing nothing they are also moderating content; no intervention is also a conscious choice.”


I continue on this thread: “Yeah, look at how Facebook allowed the Trump campaign team and Russian trolls to manipulate the election. Facebook – and actually all of Silicon Valley – is seen in America as a very progressive, left-wing company. “Liberals” or even socialists, a republican would say with disgust. Because of that reputation Facebook did not dare to intervene when the hate speech and right-wing populist discourse became so loud on their platform, for fear that they would then be accused of left-wing bias by a large part of the Americans. As a result, they are now being accused of something else: why didn’t you intervene? That is of course easy to say in retrospect. But in practice that was extremely difficult for them: how do you determine what can and cannot be said in an objective way? I don’t think Facebook is evil, I think they are struggling with a moral dilemma.”


A different view
Christiaan says the US elections were a turning point for him in how he thought about freedom of speech versus privacy and the role tech companies have in regulating that. “Until then, I was of the opinion that intermediaries are neutral and should be protected. But it was tilted by those elections and by the Snowden revelations about how the big tech companies were forced by parties like the NSA to participate in all kinds of investigations and share their data. That is why I now think we have gone too far. We have given businesses too much freedom to do what they want. We have now reached the point where some companies know so much and can manipulate so much that we as a society become victims.”


I know he has a daughter the age of one of my own and ask him if she is on TikTok. “Yes, of course, I would almost say. As a parent I liked it first: encouraging children to be creative and make something. Until I started thinking about the TikTok business model. Because of course you can have serious ethical question marks about that: it’s my expertise, I should know better. The same is actually true of Google. I’ve been a fan of them for a long time because Google is so open source unlike, say, Microsoft. I was a firm believer in that openness and ‘do no evil’. Until I realized that with that way of working they collect a lot of information about you. That business model also causes a lot of trouble, of course. At the office we have now said goodbye to Firefox as a browser and I have to work with Google Chrome. And I think that is terrible. Keeping track of my legal hours in the Chrome browser doesn’t feel quite right.”


I see that he too is struggling to reconcile the two extremes: an open space – which he has been so supportive of for years – or rules imposed from above by the government. And perhaps he has found a way to overcome this dilemma. Because he is filing a case against Oracle and Salesforce on behalf of the Dutch population.


Before we talk about that summon, I tell him that last time I had Lokke Moerel as a guest at my kitchen table and she made me see things differently.


“Ha, nice”, says Christiaan, “my old boss.”


“I must admit that until recently I was a naïve believer in freedom and happiness on the internet. Lokke showed me that online advertising and the hunger for data is not that innocent anymore. And it is no longer just about advertising, this eco-system is expanding into the financial sector, in healthcare, in elections. “


“Her firm represents Oracle attorney in this case by the way,” Christiaan informs me.


I laugh: “That doesn’t surprise me, ‘I work for the dark side’ she told me in that interview. Because from within she can better influence how they deal with privacy.” Interestingly, as a privacy advocate, she is in fact trying to achieve more or less the same as Christiaan but in a different way.


The orchestrators: Salesforce and Oracle
What is the reason for taking Oracle and Salesforce to court? These two companies have acquired a crucial position in the market of data management platforms (DMPs), which play a leading role in flash auctions of online advertising space. The DMPs collect information from cookies and enrich it with all kinds of other data. They claim to know exactly which IP address visits which websites, enters which search queries and so on. Whether you have your navigation on, buy something in a web shop or interact with your friends through social channels, these are all actions that tell something about you. This information may seem anonymous because it concerns an IP address, but the combination of multiple data points could lead to a person of flesh and blood and so could also be seen as pseudonymous and personally identifiable. And then these profiles are made public in online auctions to hundreds of parties who can then bid on them to show these people targeted advertisements.


Christiaan uses his own words to formulate the case against Oracle and Salesforce in the summons. And if anyone can do that, it’s him, the wordsmith, the storyteller. I read the writ of summons and was impressed; story­telling at its finest. He confronts them with their own marketing story in which they claim that their DMP builds very rich profiles of people.


Christiaan states: “This industry has gotten completely out of hand. There is a big discrepancy between the marketing story of the tech companies in which they say: we can profile everyone and target them for you. And on the other hand in their privacy statement, they say something completely different.”


“You also use another word of theirs: we are just the ‘enabler’. How do you translate that again?”


Chistiaan laughs: “Oracle and Salesforce wash their hands in innocence, of course. They say what everyone in this industry is saying: I just offer a platform for someone else, who does something with that, I’m just an ‘enabler’. I translated that in the summons as ‘arrangeur’ (orchestrator in English). You orchestrate these abuses, so you are held responsible.”


“I think it’s very exciting to see how this will turn out.”


Oracle and Salesforce facilitate that advertisers can target their audience very specifically based on the detailed profiles they create. “The European Court is very clear. It says: we must avoid profiling at all times. That is why the Court sets a limit on what data companies can collect and store. Another principle in the policy is: someone must always be responsible. The question in this case is, can we hold Oracle and Salesforce accountable for the data collected on their DMPs? Although they are not the advertising companies that do the targeting, they do closely collaborate with other parties to exchange and share data so advertisers can serve very personal advertisements via real-time bidding. In our view they are crucial for the process and should be held accountable for this.”


In this case, ‘our’ is the The Privacy Collective foundation, which is taking the case on behalf of ten million Dutch people.


Claim mass damage in collective action
The case is one of the first to be brought on the basis of the new Law on Settlement of Mass Claims in Collective Action (Wamca). Whereas until recently you first had to obtain permission from victims to litigate on their behalf (opt-in), this law is based on an opt-out: you can litigate on behalf of anyone who has suffered damage, unless someone indicates that they do not want to participate (opt-out).


How does that work? The judge will decide if indeed in this case the Foundation represents a claim on behalf of ten million Dutch people. The Foundation is funded by an investor. However, its board consists of independent directors that will make the decisions on behalf of the claimers. The judge will assess if the governance of the foundation offers enough safeguards that these decisions are in the best interest of the people they represent. Finally, there is a grace period of three months where
any other party can stand-up and say they are better positioned to do this case.


Christiaan: “I think it’s very exciting to see how this will turn out. There are now nine pending cases based on this new law and we are one of them.” Another new aspect of this case is that it is a collective action based on the GDPR. “Look”, says Christiaan, “we make it very clear that Oracle and Salesforce have violated the GDPR on several points. That fact is evident. Normally you would go to the Dutch Data Protection Authority (AP) and file a complaint. We are the first to go to court through collective action and claim damages.”


“I know he has a daughter the age of one of my own and ask him if she is on TikTok.”


“That is indeed interesting, so in this case it is not the government that enforces strict rules and comes with fines?”


“The AP has nowhere near enough people to act on everything. You could accuse them of inactivity, but the fact is that they are just structurally understaffed. Aleid Wolfsen himself also indicated that he needs at least twice as many people for the AP to be able to perform its task as a watchdog even somewhat seriously. So now we circle back to our discussion on regulations; is this is a new and maybe better way to enforce written and unwritten rules that govern our shared space.”


“So, if it’s not a fine for violations, do you have to then show that people have suffered damages?”


“The damages we are claiming are immaterial damages. In light of the circumstances of the violations of the GDPR, it is clear that immaterial damages have been suffered.” The stakes are high. Christiaan has set the potential ceiling at five billion euros per company: 500 euros per victim, of which there are ten million. “It is exciting how the judge will view this. It is obvious that people suffer damage, but how much? And can you attribute an amount to that? Our opinion is: yes, you can. Per person, that damage may not be very high, but all the bits together, you come to an enormous amount. By this action the foundation is also ensuring that a hefty fine is imposed.”
At the time of the interview, the writ of summons is available for inspection, which means that other groups can also study the case and ask the judge to assign them the case. Christiaan does not expect much from that. “It takes an awful lot of time to read in, while you only have three months to respond.”
If the case is assigned to The Privacy Collective foundation, Oracle and Salesforce must answer to the summons in January. Christiaan: “Normally, the plea, the hearing and the verdict will follow, but in this case, I expect that the court will be fairly active and mediate at an early stage. And then we have to wait and see where we will end up.”


Power to the people
Christiaan hopes that this is the beginning of a way in which the GDPR will make an impact. “The idea of collective action has already been incorporated into the GDPR, but it has never been done in this way. But there are many examples of collective action in other areas; much of the case law of the European Court comes from action groups. Citizens are given a lot of power, which is a good thing. Collective actions are an important means to ensure access to justice.”


And so Christiaan has found a way to reconcile the dilemma: the internet as an open space ‘where everything is connected and nobody in charge’ or the internet full of rules imposed from above by the government. Let the people determine how far freedom may go, set the boundaries and hold companies accountable for this.


“Power to the people!”, I exclaim enthusiastically.


Christiaan adds: “By the way, if this works, it will also have consequences for the regulator. Because then you can ask yourself in the future: which matters should typically be the responsibility of the AP and which are for the citizens in group actions?”


He also heard that Oracle has indicated that they want to stop this business because they see too little profit in it. “If they make a retreat, I think it has more to do with the realization that people no longer accept that companies collect so much data about them behind their backs, than that that market is no longer commercially interesting,” he says.
The latest news when writing this article is that Oracle is interested in acquiring part of TikTok, so they seem to be tempted again to stay in the data trade.


“I think parties should take their responsibility. You can no longer say: everyone is free on the internet to do whatever they want. There must be rules. There must be moderators who say: this is as far as it goes. I hope that this case will encourage citizens to come to their own defense if they think a company is going too far. They have that power. And they should wield it.”


About the author
Roel van Rijsewijk is a cyber security consultant and evangelist with over 20 years of experience helping organizations become cyber resilient. He is a key note speaker and author of ‘Cyberrisico als Kans’ (The Upside of Cyber Risk).