A European privacy group on Friday announced the launch of a class-action lawsuit in Dutch court directed at American tech firms Oracle and Salesforce for alleged violations of the EU’s General Data Protection Regulation (GDPR).

The group, The Privacy Collective, says it is preparing to additionally file a similar lawsuit in England and Wales. The group estimates damages sought through successful litigation could exceed €10 billion (U.S. $11.9 billion).

The lawsuit addresses “one of the largest cases of unlawful processing of personal data in the history of the internet,” said Privacy Collective lead attorney Christiaan Alberdingk Thijm in a press release. It is also the first time a class action has been filed in the Netherlands related to alleged violations of the GDPR, according to the group.

The Privacy Collective alleges Oracle and Salesforce use cookies, bits of code that mark an internet user visiting a website, to collect personal information from individual Dutch users. The cookies are used to create “shadow profiles” of those users without their consent, according to the Privacy Collective. Under the GDPR, companies are obliged to ask permission of EU citizens before using their personal information.

The data contained in those profiles is “used, among other things, to offer personalized online advertisements and unlawfully shared with numerous commercial parties, including ad-tech companies,” the group said.

The privacy group says it will also claim Oracle and Salesforce did not have informed consent to feed users’ data to other companies who would then use it for advertising in a process known as real-time bidding (RTB), according to The Daily Telegraph in the United Kingdom.

Although the data is allegedly collected via cookies on online platforms like Amazon and Spotify, those companies are not named in the lawsuit.

Dorian Daley, executive vice president and general counsel for Oracle, said in a statement that The Privacy Collective “knowingly filed a meritless action based on deliberate misrepresentations of the facts.

“As Oracle previously informed the Privacy Collective, Oracle has no direct role in the real-time bidding process (RTB), has a minimal data footprint in the EU, and has a comprehensive GDPR compliance program.

“Despite Oracle’s fulsome explanation, the Privacy Collective has decided to pursue its shake-down through litigation filed in bad faith. Oracle will vigorously defend against these baseless claims.”

A spokesman for Salesforce told the Telegraph that the company “disagrees with the allegations and intends to demonstrate they are without merit.”