Higher Regional Court of Stuttgart Rules on Facebook Data Leak and GDPR Claims
The 4th Civil Senate of the Higher Regional Court of Stuttgart has ruled in two judgments on claims in connection with a data leak on Facebook (scraping). In total, more than 100 cases are now pending before the Senate – there are said to be more than 6,000 cases nationwide. Further announcement dates are scheduled for December.
Background of the Facebook Data Leak
The plaintiffs are asserting several violations of the General Data Protection Regulation (GDPR) against Meta (formerly Facebook). This follows a data breach from 2018 onwards, where plaintiffs’ personal data was read and linked to their cell phone numbers. In 2021, a total of 533 million such data records were published on the darknet worldwide.
The plaintiffs demand non-material damages due to GDPR violations. They also seek the determination of a future obligation to pay compensation. Furthermore, they demand that Meta cease making data accessible without security measures and stop processing telephone numbers. Plaintiffs also request further information about the leaked data. Many disputes exist between the parties concerning these claims.
Senate's Decision on GDPR Claims
The Senate dismissed most of the claims brought by the plaintiffs. Only the application for a declaratory judgment was successful.
Claims for Non-Material Damages
Regarding the claim for damages based on Art. 82 para. 1 GDPR, the Senate found no tangible immaterial impairment of the respective plaintiffs. Art. 82 para. 1 GDPR grants compensation for material or non-material damage caused by a GDPR breach affecting the plaintiff.
The concept of concrete damage requires a uniform European definition. According to GDPR recitals, this includes loss of control over personal data, restriction of rights, discrimination, identity theft or fraud, financial losses, unauthorized removal of pseudonymization, damage to reputation, or loss of confidentiality. Other significant economic or social disadvantages for the natural person concerned should also suffice.
The European Court of Justice has clarified that no materiality or de minimis threshold exists for establishing damage. After hearing the plaintiffs – who had not submitted sufficient written evidence – the Senate could not establish an actual immaterial impairment. Mere annoyances and inconveniences were described, and the mere loss of control was deemed insufficient to constitute impairment.
Claims for Injunctive Relief and Information
The asserted claim for injunctive relief was unsuccessful for legal reasons. Previous case law of the Federal Court of Justice (e.g., BGH, judgment of 12.10.2021, VI ZR 488/19 para. 69) states that claims under Sections 823, 1004 BGB are barred under German law by Art. 17 GDPR.
However, Art. 17 GDPR only standardizes a right to erasure and storage, not rights regarding data processing methods. Data controllers cannot be dictated specific processing techniques. The request for information was also rejected. The defendant had already provided information. Regarding the recipients of the data, it was assumed that providing such information was impossible, as the defendant credibly asserted a lack of knowledge and inability to determine them.
Successful Declaratory Judgment
The requested determination of a more extensive obligation to pay compensation was successful in one of the two proceedings. Specifically, the Senate found violations of Art. 5 para. 1 f) GDPR (safeguarding integrity and confidentiality) and Art. 25 para. 2 GDPR (lack of data protection-friendly default settings). The ability to access personal data via the contact import tool violated Art. 5 para. 1 f) GDPR. The default setting, which required active deselection of an access option, violated the prohibition of an opt-out model.
Progress of the Proceedings and Appeals
Due to deviations from a judgment of the Higher Regional Court of Hamm (judgment of 15.08.2023, 7 U 19/23) and the Federal Court of Justice's referral to the European Court of Justice (of 26.09.2023; VI ZR 97/22), the Senate has allowed an appeal in the partially successful case (4 U 20/23). In the second case, the action was dismissed in its entirety on factual grounds.
Conclusion
These rulings from the Higher Regional Court of Stuttgart highlight the complex legal landscape surrounding data leaks and GDPR claims. While direct immaterial damages were often rejected due to lack of concrete proof, the court affirmed violations concerning data integrity and protection-friendly default settings. The ongoing appeals process suggests further clarification from higher courts, potentially shaping future litigation in similar data privacy cases.