GDPR Claims and Data Scraping on Facebook: Key Appeals Before the Federal Court of Justice
On October 8, 2024, the VI. Civil Senate, which is responsible for legal disputes concerning claims arising from the General Data Protection Regulation (GDPR), will hear two significant appeals. These cases specifically address the question of what claims data subjects are entitled to when their personal data has been obtained through data scraping by unknown third parties and subsequently disseminated on the internet.
Context: Data Scraping and GDPR Implications
Data scraping refers to the automated extraction of data from websites. When this involves personal data, it can lead to serious violations of the GDPR. The upcoming appeals will clarify the extent of platform operators' liability and data subjects' rights to compensation in such incidents.
Case VI ZR 22/24: Facebook Data Leak and User Claims
The Scraping Incident
The defendant in this case operates the social network Facebook. In early April 2021, data from approximately 533 million Facebook users across 106 countries was publicly distributed online. Unknown third parties had exploited a vulnerability related to Facebook's searchability settings.
Specifically, depending on user settings, Facebook allowed profiles to be found using a telephone number. The attackers utilized automated tools to upload telephone numbers on a large scale via Facebook's contact import function. They then merged this data, if it was linked to a user account, with publicly accessible information and subsequently accessed it. This process is known as scraping.
Plaintiff's Claims and Allegations
This scraping incident also affected the plaintiff's data, which included their user ID, first and last name, country, and gender, all linked to their telephone number. The plaintiff asserts that the defendant failed to implement adequate security measures to prevent the exploitation of its contact tools.
Consequently, the plaintiff claims entitlement to compensation for non-material damages. These damages allegedly stem from annoyance, a loss of control over their data, and resulting anxiety, stress, loss of comfort, and time. Furthermore, the plaintiff seeks a declaration that the defendant is obligated to compensate for all future material and non-material damages related to this incident. Injunctive relief and information from the defendant are also requested.
Court Proceedings So Far
The Landgericht initially dismissed the action. Upon the plaintiff's appeal, the Higher Regional Court ruled that the defendant is obliged to compensate the plaintiff for all future material and non-material damages incurred due to unauthorized access by third parties to the defendant's data archive. However, it also dismissed other parts of the plaintiff's appeal.
To the extent of this partial dismissal, the plaintiff continues to pursue their originally asserted claims through the appeal allowed by the Court of Appeal to the Federal Court of Justice.
Case VI ZR 7/24: Further Data Scraping Allegations
The Incident and Plaintiff's Grievances
In this separate proceeding, another plaintiff alleges that personal data – including their telephone number, Facebook ID, name, place of residence, country, and employer – was scraped by unknown third parties. This data was subsequently published on the darknet during their use of the Facebook social network.
The plaintiff is seeking compensation for non-material damages, asserting that the defendant violated the General Data Protection Regulation in multiple ways and failed to adequately protect their data. They claim a significant loss of control over their data and remain in a state of considerable discomfort and concern regarding potential misuse.
Legal Demands and Appeal Status
Similar to the first case, the plaintiff also seeks a declaration that the defendant is obliged to compensate for all future damages in connection with this incident. Further claims for injunctive relief and information have also been asserted.
Initially, the Landgericht dismissed this action. The Higher Regional Court then dismissed the plaintiff's appeal against this decision. With the appeal allowed by the Court of Appeal, the plaintiff continues to pursue their claim before the Federal Court of Justice.
Conclusion
These two appeals represent crucial proceedings for clarifying the rights of data subjects and the obligations of social network operators concerning data security and GDPR compliance. The Federal Court of Justice's decisions on October 8, 2024, are highly anticipated, as they will set important precedents for future cases involving data scraping and claims for damages under the GDPR.