The Paderborn Regional Court has effectively dropped a bombshell in the Facebook “data theft” cases, not only granting an “injured party” injunctive relief, but also awarding 500.00 euros in damages. This could not only have consequences for Facebook, but also result in obligations to act for all other providers of forums, communities, etc.
What is it all about?
Facebook then published that the data had not been obtained through a hack, but that it was publicly viewable information. The responsible data protection authority was not informed by Facebook about the incident. Instead, in response to media coverage, the defendant took steps to provide users with information about “scraping” and how to change their privacy settings.
The plaintiff affected in this end of the proceedings, based on the structure of the privacy settings and the other circumstances, now not only asserted a claim for injunctive relief, but also demanded a claim for damages based on the GDPR.
The decision of the Paderborn Regional Court
The Regional Court ruled that the plaintiff had a claim for damages against Facebook in the amount of €500.00 under Art. 82 Par. 1 GDPR would be entitled to. According to this provision, any person who has suffered material or non-material damage as a result of a breach of this Regulation is entitled to compensation from the controller or from the processor.
A claim for damages pursuant to Art. 82 GDPR can only be established if, according to its paragraph 2 sentence 1, damage has been caused by processing not in compliance with this Regulation. In accordance with the legal definition of Art. 4 No. 2 GDPR, the information and education obligations of Art. 13 GDPR already arise with the collection of personal data. Already at this point, the responsible party has to fulfill extensive information obligations towards the data subject. If the consent of the data subject pursuant to Art. 6 para. 1 lit. a) GDPR the basis of the data collection and thus also of the data processing operation, such consent cannot stand, taking into account the principles of fair and transparent processing of personal data prevailing in the GDPR, if the data subject is not already provided with all the information required under Art. 13 GDPR at the time of data collection.
What is exciting is that the court first states:
A violation of the information and clarification obligations of Art. 13 para. 1 lit. c) The GDPR cannot be seen in the fact that the defendant did not inform the plaintiff when collecting the data of his mobile phone number that there is a possibility of misuse of the data for the mobile phone number that has been preset for “All”. The defendant is already under no obligation to provide information and clarification to this effect. This possibility is to be assigned to the risk sphere of the data subject, since any person who discloses their personal data on the Internet or shares it on social networks is inevitably exposed to the risk of misuse of personal data.
However, Facebook did not provide sufficient clarification that the phone number can be used not only for a two-factor login, but also to allow other members to search for this number and match it with their own stored phone number to add “new friend.”
The court therefore concluded that Facebook, as a controller within the meaning of Art. 4 No. 7 GDPR, also violated Art. 32, 24, 5 (5) of the GDPR due to insufficient security measures regarding the use of the contact import tool. 1 f) GDPR was violated. According to Art. 32 para. 1 Hs. 1 GDPR, the controller and processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons. The protective measures claimed by the defendant did not meet these requirements.
Excursus of the district court on TOM
Article 32 GDPR is still a standard hardly known to many providers. It regulates the obligation of the controller and the processor to take certain technical and organizational measures to ensure an adequate level of protection with regard to the personal data processed. It concretizes the data security measures of Art. 24 GDPR, which are designed as a general mandate, and thus serves, among other things, to ensure the safeguarding of the data protection principles of confidentiality and integrity pursuant to Art. 5 (1) f) GDPR. The objective is comprehensive protection of the systems used for the processing of personal data, i.e., data security at its core. In particular, the requirement is intended to protect personal data through appropriate technical and organizational measures against unauthorized or unlawful processing by third parties or against unintentional loss, destruction or damage to the data. When implementing appropriate technical and organizational measures pursuant to Article 32 (1) of the GDPR, the state of the art, implementation costs, the nature, scope, circumstances and purposes of the processing, as well as different likelihood and severity of the risk to the rights and freedoms of natural persons shall be taken into account as factors. However, this only means that they are to be included in the proportionality assessment, but not necessarily to be followed absolutely
In order to measure the appropriateness of the measures, the GDPR further stipulates in particular that they must provide a level of protection appropriate to the risk of the processing. Ultimately, it depends on the extent of the risks threatening the rights and freedoms of the data subject and the likelihood of harm occurring. It follows that the higher the threat of damage, the more effective the measures must be. This is determined primarily by the sensitivity of the data and the likelihood of damage occurring.
Art. 32 par. 1 GDPR does not, however, oblige the controller and processor to provide an absolute level of data protection. Rather, depending on the processing context, the level of protection must be proportionate to the risk to the rights and freedoms of the data subjects in the individual case. At the same time, this means that the risk cannot be completely eliminated and this is not the aim of the measures to be implemented. In order to determine the appropriate level of protection, in accordance with. Art. 32 par. 2 GDPR, in particular, to take into account the risks associated with the processing, in particular through – whether accidental or unlawful – destruction, loss, alteration or unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. According to the Paderborn Regional Court, these must be included in the risk assessment.
According to recital 76 to the GDPR, the likelihood and severity of the risk to the rights and freedoms of the data subject should be determined in relation to the nature, scope, circumstances and purposes of the processing. Risk should be assessed based on an objective evaluation that determines whether the data processing poses a risk or a high risk.
PR mistake by Facebook?
Also interesting is the court’s execution, which could well be called a PR blunder by Facebook. Indeed, the court concludes:
This was also known to the defendant. For them, according to their article “The Facts About Media Reports on G-Data,” 06/04/2021, scraping “is a common tactic.” The defendant therefore had to be aware that measures had to be taken to ensure an adequate level of protection for the personal data with regard to the risk of scraping.
To the extent that the defendant now points out that it is taking action against scrapers by means of cease-and-desist orders, account blocking and legal proceedings, this measure only comes into play once data scraping has actually occurred. The data has already been stolen at this stage. Publication or other misuse can practically no longer be prevented at this stage. Furthermore, even according to the defendant’s submissions, the alleged partial restriction of the CIT was not introduced until after the incident at issue.
The explanations given at trial were probably no better, as the district court points out:
Even the employment of a team of data scientists, analysts and software engineers to combat scraping, transmission restrictions as well as CAPTCHA queries alone do not satisfy the requirements of Art. 32 GDPR in the present case. In this regard, the defendant does not explain how the data scraping in question could have occurred in spite of the security measures it considers sufficient in the present proceedings.
Based on all these points, the court recognizes a violation of Art. 32, 24, 5 para. 1 f) GDPR, which would result in a claim under Art. 82 GDPR if the other claim requirements are met.
Further claims for damages
The defendant also violated its notification obligation under Article 33 of the GDPR.
The amount required by Art. 33 par. 1 GDPR, the controller shall, without undue delay and, where possible, within 72 hours of becoming aware of the personal data breach, notify the competent authority, as specified in Section 1 of the GDPR, of the personal data breach. Article 55 GDPR competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by a justification for the delay. The minimum content of the notification is specified in Art 33 par. 3 GDPR specified. This is explosive because, as the Essen Regional Court ruled last year, a breach of the obligation to report can also be suitable for the responsible party to incur liability and an obligation to pay damages in accordance with the German Civil Code. Article 82 of the GDPR. The provision serves both to protect the data subject and to enable the supervisory authority to take measures to contain and punish the infringement. In this respect, according to the court, such a formal violation of the GDPR is already sufficient to substantiate a claim for damages on the merits.
Also a violation of Art. 34 para. 1 GDPR exists and is suitable to justify a claim for damages. According to this provision, the controller shall notify the data subject without undue delay of the personal data breach if it is likely to result in a high risk to his or her personal rights and freedoms. The notification must always be made to the data subject as defined in Art. 4 No. 1 GDPR. The provision set forth in Art. 34 para. 1 Hs. According to the Paderborn Regional Court, the singular “person” chosen in Article 2 of the GDPR clarifies that in the cases of Article 34, individual information regarding the data protection incident must be provided on a regular basis. However, Facebook did not provide such individualized information to the plaintiff without culpable delay after disclosure of the personal data breach in 2019.
The personal data breach at issue here is likely to result in a high risk to the personal rights and freedoms of the data subject. Such a risk exists if it is to be expected that, if events continue unhindered, there is a high probability of damage to the rights and freedoms of the data subject. In such a case, it is not relevant whether the data protection breach also leads to a particularly high level of damage. Such damage has already occurred due to the plaintiff’s resulting loss of control over his data.
Excursus of the District Court on “Privacy by Design
The highly interesting December 2022 ruling reads almost like a guidepost for data protection officers. For example, it also contains very exciting explanations on the topic of “Privacy by Design”.
According to the court, Facebook violates Art. 25 of the GDPR with its basic settings for visibility, at least with regard to the email address and searchability via the phone number of the users of the G-Platform.
Art. 25 par. 1 GDPR obliges the controller to ensure that the requirements of the GDPR are met already during the development of products, services and applications (“Privacy by Design”). Abs. 2 concretizes this general obligation and requires existing settings options to be set to the “most privacy-friendly” default settings (“privacy by default”) by default. “Data protection by default” is intended to protect in particular those users who are either unable to grasp the data protection implications of the processing operations or are not concerned about them and therefore do not feel compelled to make data protection-friendly settings on their own initiative, even though the telemedia service opens up this possibility to them in principle. Users should not have to make any changes to the settings in order to achieve the most “data-saving” processing possible. Rather, conversely, any deviation from the data-minimizing default settings should only become possible through active “intervention” by the users. The regulation is intended to ensure that users have control over their data and to protect them from unknowingly having their data collected. Abs. 2 does not, however, require the controller to always use the most data-protection-friendly default setting imaginable. Rather, by specifying a particular processing purpose, the controller also decides on the scope of the data required for this purpose. According to the wording, therefore, a particularly data-intensive default setting with para. 2 compatible if the purpose of the processing so requires. Against the background of the protective direction of para. 2 to protect the user from being taken by surprise or having his or her inexperience exploited, the responsible party must always ensure that the planned use of the data is also sufficiently transparent for a non-technical user.
However, providers can breathe a sigh of relief for a moment, because
However, this does not entitle the plaintiff to a claim under the German Civil Code. Art. 82 par. 1 GDPR.
Due to its organizational character, a claim under Art. 82 (2) of the German Data Protection Act could arise solely from a violation of Art. 25 of the German Data Protection Act. 1 GDPR, however, cannot be justified. The provision already develops its regulatory character before the actual start of data processing. However, at this point in time, which is prior to actual data processing, the GDPR has an effect pursuant to Art. 2 Par. 1 GDPR does not yet have any effect. The applicability of the GDPR rather requires an actual processing of personal data
So compensation for damages given?
In the opinion of the court, the plaintiff has suffered non-material damage within the meaning of Art. 82 GDPR. However, a mere breach of data protection as such is not sufficient for the claim for damages to arise. Rather, it follows from the wording of the provision that the legislator did not intend to establish an obligation to pay based solely on the infringement. The Advocate General of the ECJ focused on the requirement of concrete damage in his opinion in the context of the preliminary ruling of the Austrian Supreme Court of 12.05.2021. The concept of damage is, according to recital 146 p. 3, in light of the case law of the European Court of Justice, it is to be interpreted broadly and in a manner that is fully consistent with the objectives of the Regulation. In this regard, the objectives of the GDPR are, inter alia, to address the risks to the rights and freedoms of natural persons which arise – with varying likelihood and severity – from a processing of personal data and which may result in non-material damage…. Recitals 75 and 85 list the loss of control over personal data precisely as an example of the existence of such harm.
And now comes the real “bam” of this decision, because.
Moreover, the loss of control – irrespective of publication on the “darknet” – already occurs as a result of the “scraping” incident and the associated skimming of the data. It is irrelevant that the name, gender and G-ID were public according to the plaintiff’s user settings. Because, in any case, the link with his phone number had not been established by then. In addition, Recital 75 provides that non-material damage shall also be presumed where the processing involves a large amount of personal data and a large number of individuals. This can also be assumed based on the fact that the data of millions of G users was published as part of the “scraping” incident.
Whether a significant impairment, for example in the form of a serious interference with personality, must be present is disputed (pro: OLG Dresden NJW-RR 2020, 1370; LG München I GRUR-RS 2021, 33318; LG Karlsruhe BeckRS 2021, 20347; contra: OLG Frankfurt GRUR 2022, 1252 para. 63; LAG Hannover, ZD 2022, 61; LG München I GRUR-RS 2021, 41707; LG Lüneburg BeckRS 2020, 36932; Gola/Heckmann/Gola/Piltz, 3rd ed. 2022, DS-GVO Art. 82 marginal no. 18), but can be left aside in the result. The Advocate General also assumes in his Opinion that it is up to the national courts to work out when a subjective feeling of displeasure crosses the boundary between mere non-compensable annoyance and genuine compensable non-material damage (Advocate General at the ECJ Opinion of 6.10.2022 – C-300/21, BeckRS 2022, 26562). In the present case, however, the damage is not merely minor. This is because the publication of the plaintiff’s personal data on the “darknet” enables further processing by an unlimited and undefined group of persons, in particular also for targeted misuse, for example in the form of fraudulent calls.
The other requirements for a claim for damages, for example causality, were also unproblematic for the court, which therefore considered a compensation for pain and suffering of 500.00 euros to be appropriate. The main reason for this was that Facebook was accused of several violations of the GDPR, which enabled and encouraged a very extensive loss of control of the plaintiff’s personal data. However, the court reduced the damages from the minimum demanded 1000.00 euros to 500.00 euros. Indeed, the Board could not identify any particular personal concern. Neither did the plaintiff delete his Facebook profile and change his cell phone number, nor did he take any other measures to protect his data. In addition, the defendant’s argument that the “searchability setting” has been set to “All” for the plaintiff since October 7, 2016 (Exhibit B17) has remained uncontradicted on the plaintiff’s side, so that the Board had to assume that a change in the “searchability setting” had not taken place. These circumstances make it clear that the objective loss of control of the personal data did not affect the plaintiff that much, at least subjectively, since the “scraping incident” at issue apparently did not encourage the plaintiff to draw his own consequences and to actively counteract any possible misuse of the data in the future.