Facebook Scraping Compensation | IT-Medienrecht

Understand the verdict: The Stuttgart Higher Regional Court denied Facebook scraping compensation claims. Learn about GDPR data leak rulings & what it…

Higher Regional Court Stuttgart Rules on Facebook Data Leak Compensation Claims

The 4th Civil Senate of the Higher Regional Court of Stuttgart has issued two judgments regarding claims related to a Facebook data leak, also known as 'scraping'. This ruling is significant, as over 100 cases are currently pending before this Senate alone.

Nationwide, more than 6,000 such cases are reported. Further announcements are expected in December.

Plaintiffs are asserting multiple violations of the General Data Protection Regulation (GDPR) against Meta (formerly Facebook). These claims stem from a data breach incident where personal data, including phone numbers, was accessed and linked starting in 2018.

Ultimately, 533 million affected data records were published on the darknet globally in 2021.

The plaintiffs are seeking various forms of relief, including non-material damages for GDPR violations. They also demand a determination of Meta’s future obligation to pay compensation, the cessation of data accessibility without proper security, and the stop of processing their telephone numbers.

Additionally, they request comprehensive information about the data that was accessed. These demands highlight significant areas of dispute between the parties.

Senate's Decision on GDPR Claims

The Senate largely dismissed the plaintiffs' claims. Only the application for a declaratory judgment was successful.

Regarding the claims for damages under Article 82(1) GDPR, the Senate found no tangible immaterial impairment for the plaintiffs. Article 82(1) GDPR provides for compensation for material or non-material damage resulting from a GDPR breach.

The definition of "concrete damage" under European law requires a uniform interpretation. Recitals to the GDPR suggest that various harms, such as loss of control over personal data, restriction of rights, discrimination, or identity theft, could constitute sufficient damage.

Other examples include financial losses, unauthorized pseudonymization removal, damage to reputation, or loss of confidentiality regarding professional secrecy. Any significant economic or social disadvantage for the individual should also be considered.

The European Court of Justice has previously clarified that no materiality or de minimis threshold applies to the existence of damages. However, after hearing the plaintiffs, who had not submitted sufficient written evidence, the Senate could not establish an actual immaterial impairment.

The court reasoned that mere annoyances and inconveniences, or the simple loss of control over data, do not alone constitute such an impairment.

Claims for injunctive relief were unsuccessful for legal reasons. Prior case law from the Federal Court of Justice (BGH, judgment of 12.10.2021, VI ZR 488/19 para. 69) suggests that claims under Sections 823, 1004 BGB are precluded by Article 17 GDPR under German law.

However, Article 17 GDPR primarily establishes a right to erasure and (re)storage, not broader rights concerning data processing methods. Data controllers cannot be mandated specific processing techniques.

The request for information was also rejected because the defendant had already provided details. Regarding the recipients of the data, the court accepted Meta’s unchallenged assertion that it neither knew nor could determine these recipients.

Significantly, the Senate did find a more extensive obligation to pay compensation in one of the two proceedings. Specifically, violations of Article 5(1)(f) GDPR (safeguarding integrity and confidentiality) and Article 25(2) GDPR (lack of data protection-friendly default settings) were identified.

The court ruled that the ability to access personal data via the contact import tool violated Article 5(1)(f) GDPR. Furthermore, a default setting that required active deselection (an opt-out model) was found to be a breach of data protection principles.

Further Progress of the Proceedings

Due to discrepancies with a judgment from the Higher Regional Court of Hamm (judgment of 15.08.2023, 7 U 19/23) and a referral order from the Federal Court of Justice to the European Court of Justice (dated 26.09.2023; VI ZR 97/22), the Senate has permitted an appeal in the partially successful case (4 U 20/23).

The second case was dismissed entirely based on factual findings.

Conclusion

The rulings by the Higher Regional Court of Stuttgart highlight the ongoing legal complexities surrounding GDPR violations and data breaches. While direct compensation for non-material damages remains challenging without concrete proof of harm, the court emphasized the importance of data protection-friendly default settings and integrity safeguards.

These judgments underscore the evolving landscape of data privacy litigation and the continued scrutiny faced by large tech platforms regarding their handling of personal data.