21 November 2024
On 18 November 2024, the German Federal Court of Justice (BGH) issued a ruling regarding damages for data protection violations in the context of Facebook scraping. In particular, the BGH ruled that even the loss of control over personal data can constitute a claim for non-material damages. The BGH considers a claim in the order of EUR 100 to be appropriate. In addition, the plaintiffs succeeded with applications for declaratory judgments regarding compensation for future damages, applications for an injunction against the use of certain personal data and for compensation for their pre-trial legal fees. This strengthens the position of plaintiffs. Companies should therefore take the decision as an opportunity to review their data protection and compliance measures. Waves of lawsuits are to be expected in the event of data protection incidents - in the worst-case scenario, these can threaten a company's existence.
Article 82 of the General Data Protection Regulation (GDPR) grants everyone the right to claim damages if a company violates the GDPR. Not only "material" damages - i.e. financial losses - but also "immaterial damages" can be claimed. Similar to the so-called "compensation for pain and suffering" in cases of personal injury, money can be demanded even though the person concerned has not suffered any financial loss. Case law has not yet fully clarified when such "immaterial damage" exists.
The so-called Facebook scraping is also about immaterial damage. In 2021, unknown persons misused Facebook's contact import function to access a total of around 533 million data records containing personal data such as names, telephone numbers and email addresses from Facebook. As a result, professionally organised plaintiffs' representatives filed thousands of lawsuits for damages against Facebook. So far, most of these claims have been dismissed. As a rule, the courts saw no legal offence by Facebook or at least no damage, so the claims were dismissed. Only occasionally have courts awarded damages (often only 100 euros).
A major point of contention in the lawsuits is the question of whether the loss of control over one's own personal data already constitutes immaterial damage. Put another way: Does the fact that a data subject does not know whether their own data, such as their name and telephone number, has been disclosed constitute damage? Plaintiffs are often unable to prove any further damage - such as increased spam calls. They therefore only receive money if the "abstract" loss of control is recognised as damage.
According to its press release, the Federal Court of Justice has now ruled differently on this point: According to the BGH, the "mere and short-term loss of control over one's own personal data as a result of a breach of the General Data Protection Regulation alone constitutes a[n] immaterial damage". It is not necessary to prove that the data has been misused to the detriment of the data subject. Further noticeable negative consequences are also not required.
However, according to the case law of the Federal Court of Justice, it should be possible to avoid liability for damages if a loss of control can be ruled out. In the Facebook cases, the outflow of data is undisputed. Here, it is clear that the data was leaked. However, this is not necessarily the case in other data protection incidents. For example, if data is stored on an unsecured server, this does not automatically mean that someone has also downloaded the data. A loss of control has therefore not necessarily occurred.
Furthermore, according to its press release, the BGH found that damages of EUR 100 were appropriate in the case at issue. The BGH thus confirms that the mere loss of control, even if it constitutes damage, is not particularly serious damage in individual cases.
Data subjects usually also attempt to establish the controller's liability to pay compensation for future consequences of a breach of the GDPR. In some cases, the courts of lower instances have denied the admissibility of an action for a declaratory judgement, as the threat of future damages was not sufficiently proven. Here, too, the BGH is backing the affected parties: They can sue for a declaration of liability for future damages. In the event of a dispute, the possibility of future damages would exist. At the same time, this means that the interest in a declaratory judgement is not automatic, but must be examined on a case-by-case basis.
The BGH also recognises a claim for compensation for pre-litigation legal costs and for an injunction against the use of personal data. Contrary to the case law of some courts of lower instances, excessive requirements must not be placed on the specificity of the claim for injunctive relief.
For most companies, the judgement has only indirect effects, but should nevertheless be taken seriously, as the negative consequences can be considerable.
The judgement gives a boost to professional plaintiffs' representatives in particular. They become particularly active when a data protection incident becomes known in which a large number of people are presumed to be affected. Professional plaintiffs' representatives then sometimes launch advertising campaigns, with sometimes exaggerated promises, to motivate those affected to file a lawsuit. They earn money with every lawsuit regardless of its success. The BGH judgement can be used as an anchor for advertising because it can be presented as if every company now has to pay substantial sums immediately. However, the BGH itself considered EUR 100 to be sufficient in the case decided. If a company is hit by such a wave of lawsuits, this can nevertheless threaten its existence in the worst case. On the one hand, a large number of small claims can add up to large sums. On the other hand, the sometimes considerable legal defence costs often cannot be recovered in full or at all from the plaintiffs, even if the defence is successful.
Nevertheless, companies need not despair. Instead, it is worth regularly reviewing your own data protection compliance and, in particular, regularly checking whether your own technical and organisational measures (TOMs) are still appropriate. At best, good TOMs ensure that a data protection incident does not occur in the first place.
However, if a data protection incident does occur, which can never be ruled out, claims can be defended against with good TOMs: Contrary to the rhetoric of some data protection lawyers, not every data protection incident is automatically a breach of the GDPR. Articles 24 and 32 GDPR require "appropriate" security measures for data processing, but not absolute perfection. The ECJ has confirmed this: Anyone who can show that the TOMs are adequate is not liable, even if there is a data leak and thus a "loss of control". Companies must document that their TOMs correspond to the state of the art. This documentation should be kept in such a way that it is quickly available in the event of a claim.
At the same time, anyone who is held liable for damages due to a data protection incident should quickly seek competent legal advice. On closer inspection, the situation is often not as devastating as it initially appears. In particular, however, no hasty settlements should be reached, as this can provoke further lawsuits.
In a leading decision, the BGH has made a favourable ruling for plaintiffs. However, contrary to what has been suggested by interested parties, the decision should not be overestimated in terms of its impact on companies' liability for damages. Companies should therefore not allow themselves to be unsettled and, in particular, should not make any ill-considered decisions, such as entering into unfavourable settlements.
At the same time, companies should take precautions: Data protection violations can quickly become expensive because professional plaintiffs' representatives organise waves of lawsuits for their own financial gain. This can be prevented with good data protection compliance. Ideally, this will prevent an incident from occurring in the first place. If a data protection incident does occur, which can never be ruled out, good documentation of the TOMs taken provides a good line of defence to nip claims in the bud.
by Dr. Jakob Horn, LL.M. (Harvard) and Alexander Schmalenberger, LL.B.