DSGVO, data protection and data scraping: Case analysis LG Offenburg and Facebook

Key Facts

Data scraping is the process of automatically collecting data from websites and social media platforms.
The Offenburg Regional Court case shows how data protection and data security are treated in law.
Courts place high demands on the proof of damage caused by data scraping, both material and immaterial.
Victims must present specific, individualized reasons for claiming damages, not just general fears of loss of control.
The GDPR takes into account both material and non-material damage, including psychological damage.
Users and platforms bear considerable responsibility for the protection of personal data.
Companies should take technical and legal measures to prevent data scraping.

Introduction

Content Hide

1. Introduction

2. LG Offenburg case: Facebook and data protection

3. Intangible damage and GDPR

4. Loss of control: the reality of public data

5. Data security case law

6. The role of Facebook and other social media platforms

7. Conclusion

7.1. Author: Marian Härtel

In the era of digital advancement, data scraping is a widespread practice that raises privacy concerns. But what exactly is data scraping? Data scraping, also known as web scraping, is the process of automatically collecting data from websites or social media platforms. This can be done, for example, via publicly accessible profiles of users. Access to this data can be used for a variety of purposes, from market research to targeted marketing. It should be noted, however, that this raises legal issues, particularly with regard to data protection and privacy.

LG Offenburg case: Facebook and data protection

In the recent decision of the Offenburg Regional Court (LG) (ruling dated February 28, 2023 – Ref.: 2 O 98/23), the issue of data privacy and data scraping was brought into focus. This particular case involved Facebook, a platform that has proven to be an attractive target for data scraping activities due to its large user base and abundance of user data.

In this situation, third parties used publicly accessible data from a Facebook profile, which ultimately led to a legal dispute. While the unauthorized collection and use of this data was certainly unpleasant and potentially upsetting to the affected user, the court pointed out that it does not automatically give rise to a claim for damages.

In accordance with the General Data Protection Regulation (GDPR), the court clarified that the damage to be compensated must be set out clearly and understandably. This means that the plaintiff must show not only the fact of the damage, but also its extent and specific effects. Simply put, the affected user must make it clear how the data scraping has negatively impacted their life, whether through financial loss, reputational damage, or psychological impact. This requirement presents a significant hurdle for those seeking damages for data breaches and underscores the need for a careful and thorough presentation of the facts in such cases.

Intangible damage and GDPR

The General Data Protection Regulation (GDPR) is remarkably comprehensive in its compensation regime. It covers not only material damages, such as financial losses or lost profits, but also immaterial damages. These intangible damages include, for example, psychological impairment, emotional distress or a reduced quality of life that may result from the loss of data or an invasion of privacy.

This approach of the GDPR recognizes the fact that data breaches can not only have economic consequences, but can also have a serious impact on the well-being and mental health of data subjects. A loss of privacy can lead to stress, anxiety, and a sense of vulnerability, which in turn can lead to serious psychological impairment.

Nevertheless, the presentation of such immaterial damages in court poses a considerable challenge. Unlike tangible damages, which are often easily quantifiable, intangible damages can be more difficult to measure and prove. They are often more subjective and can vary greatly from person to person. Therefore, courts require that such damages be set forth in a persuasive and understandable manner.

For example, the victim must be able to clearly demonstrate how exactly the data breach resulted in psychological harm. They might be required to submit medical reports or psychological reports to support their claims. This can be a tall order, especially because many people may not immediately recognize or be able to articulate the emotional or psychological impact they have experienced. It does, however, underscore the importance of careful preparation and presentation of cases claiming damages for data breaches.

Loss of control: the reality of public data

The issue of loss of control plays a crucial role here. The data used by scraping was publicly available, which means that it was already outside the user’s control at the time it was disclosed – i.e., when it was entered into the Facebook profile.

Personal claim for damages: the need for individual reasons

In this particular situation, an important factor against the damages claim was the similarity of the victim’s arguments to those in numerous parallel lawsuits. This similarity indicated that the victim could not present specific, individual grounds for his claim for damages.

Data security case law

The court decision has far-reaching implications for data privacy and data security jurisprudence. It is clear that the court has strict requirements for proving damages that may result from data scraping. This applies to both material and immaterial damage. It is not enough to express general fears or feelings of loss of control. Instead, the user must prove specific and individual damages attributable to the data scraping.

The role of Facebook and other social media platforms

This decision also raises questions about the role of Facebook and other social media platforms. How much responsibility should these platforms bear for protecting their users’ data? In this particular case, the victim was found not to have taken sufficient measures to protect his data, even though he was still logged into Facebook. This raises the question of the extent to which users themselves are responsible for the security of their data.

Conclusion

The case of the Offenburg Regional Court indeed raises many essential questions regarding data protection, DSGVO and data scraping. It is unmistakable that the court sets high standards when it comes to proving damages caused by data scraping. Similarly, it is apparent that both users and platforms have a considerable responsibility to protect personal data.

This decision reminds us as users that vigilance is required and we should be aware of the data security practices of the platforms we use. It also emphasizes the need for companies and platforms to take data protection and data security seriously and to train and inform their users on how to handle their data.

The question of damages, and in particular the quantification of such damages, is currently a central point of discussion and is occupying many courts, including the European Court of Justice. Even if initial decisions may appear negative in terms of high claims for damages, data protection remains a key concern for platforms and forums that process a large amount of user data.

It is strongly recommended that these companies take both technical and legal precautions to prevent data scraping or at least make it more difficult. Technical precautions could include, for example, improved encryption methods, more robust authentication methods, and advanced monitoring systems. Legal precautions could include revising terms and conditions (T&Cs) to introduce clear provisions against data scraping and explicitly inform users of their rights and responsibilities regarding their data.

In summary, data protection in the digital world is both a collective and an individual responsibility. The growing practice of data scraping requires increased vigilance by all stakeholders and more robust jurisprudence to protect the rights and welfare of users.

Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.

Tags: AGB Analyse Authentication Case law Damages Entscheidungen Facebook General Data Protection Regulation marketing Privacy Regulation Sicherheit