这一裁决意味着始于2020年的诉讼可以继续。该案件涉及cookies收集用户信息是否违反GDPR,以及这两家公司是否应对网站运营商的行为负责。
一家荷兰上诉法院裁定,甲骨文和Salesforce必须继续为一项集体诉讼辩护,该诉讼涉及使用cookies为其数据管理平台(DMPs)收集和跟踪个人信息。
The case raises issues about who is responsible when websites use third-party data platforms to track users, and relies on the European Union’s General Data Protection Regulation (GDPR). The lawsuit’s plaintiff is The Privacy Collective (TPC), a Dutch non-profit focused on consumer privacy issues.
In the decision, the court summarized TPC’s accusations against both Oracle and Salesforce: “Oracle and Salesforce collect personal data from Internet users in the context of the DMP service they offer, process it in detailed profiles and sell this information to third parties to enable them, among other things, to offer personalized advertisements on websites. According to TPC, this data collection starts with Oracle and Salesforce placing a cookie on the internet user’s equipment (and) personal data is collected. Oracle and Salesforce enrich the data and other unique identifiers collected through the cookie with information from alternative sources. According to TPC, Oracle and Salesforce build a profile on a daily basis to provide the most complete overview possible of the character traits and interests of the person in question. The purpose of the data processing is, among other things, to share the Internet user’s profile in a process called Real Time Bidding (hereinafter: RTB). The profile of the internet user is offered to advertisers in a very fast, fully automated process for a fee, in order to show personalized advertisements on websites.”
Whose cookie is it, anyway?
The court also summarized the defendants’ position. Neither Oracle nor Salesforce dispute that the cookies exist and that they are collecting lots of information. Their argument, though, is that do not place the cookies: The site operators do.
“Oracle and Salesforce already dispute some of TPC’s factual statements about their activities and further argue, among other things, that they are not controllers within the meaning of the GDPR and/or data traders. According to Oracle, cookies are placed by the website that the internet user is visiting and a website can only place cookies for the browser used to visit the website. The decision whether or not to use cookies — and if so, which cookies — is always made solely by the website owner. Oracle disputes that it provides advertising services. All Oracle does is provide customers with a means to create segmented user interest profiles and then make those profiles suitable for filtering,” the court said.
The court summed up Salesforce’s argument by saying that the company agrees with Oracle’s position but adds that “it is a software company that offers its customers a DMP with which customers decide after purchase how they organize their interactions with internet users. It makes its money from licenses, not from data sales. Salesforce has no access or insight into the personal data that its customers process and Salesforce does not collect personal data through this software product for its own commercial purposes.”
TPC is asking for the companies to pay to 10 million Dutch users €500 (about $536) each, for a total of €5 billion ($5.36 billion). “Oracle and Salesforce dispute the damage and argue that it is not plausible that all those persons have suffered non-material damage and certainly not that the damage is always the same,” the court said.
The lawsuit was initially filed in 2020.
CSOonline sent emails to both Oracle and Salesforce seeking comment but no responses were received by deadline.
In a short statement, TPC said the appeallate court’s ruling was “an absolute milestone for access to justice and the protection of privacy of all Dutch internet users.”
Comments