Introduction

In the era of digital advancement, data scraping is a widespread practice that raises privacy concerns. But what exactly is data scraping? Data scraping, also known as web scraping, is the process of automatically collecting data from websites or social media platforms. This can be done, for example, via publicly accessible profiles of users. Access to this data can be used for a variety of purposes, from market research to targeted marketing. It should be noted, however, that this raises legal issues, particularly with regard to data protection and privacy.

LG Offenburg case: Facebook and data protection

In the recent decision of the Offenburg Regional Court (LG) (ruling dated February 28, 2023 – Ref.: 2 O 98/23), the issue of data privacy and data scraping was brought into focus. This particular case involved Facebook, a platform that has proven to be an attractive target for data scraping activities due to its large user base and abundance of user data.

In this situation, third parties used publicly accessible data from a Facebook profile, which ultimately led to a legal dispute. While the unauthorized collection and use of this data was certainly unpleasant and potentially upsetting to the affected user, the court pointed out that it does not automatically give rise to a claim for damages.

In accordance with the General Data Protection Regulation (GDPR), the court clarified that the damage to be compensated must be set out clearly and understandably. This means that the plaintiff must show not only the fact of the damage, but also its extent and specific effects. Simply put, the affected user must make it clear how the data scraping has negatively impacted their life, whether through financial loss, reputational damage, or psychological impact. This requirement presents a significant hurdle for those seeking damages for data breaches and underscores the need for a careful and thorough presentation of the facts in such cases.

Intangible damage and GDPR

The General Data Protection Regulation (GDPR) is remarkably comprehensive in its compensation regime. It covers not only material damages, such as financial losses or lost profits, but also immaterial damages. These intangible damages include, for example, psychological impairment, emotional distress or a reduced quality of life that may result from the loss of data or an invasion of privacy.

This approach of the GDPR recognizes the fact that data breaches can not only have economic consequences, but can also have a serious impact on the well-being and mental health of data subjects. A loss of privacy can lead to stress, anxiety, and a sense of vulnerability, which in turn can lead to serious psychological impairment.

Nevertheless, the presentation of such immaterial damages in court poses a considerable challenge. Unlike tangible damages, which are often easily quantifiable, intangible damages can be more difficult to measure and prove. They are often more subjective and can vary greatly from person to person. Therefore, courts require that such damages be set forth in a persuasive and understandable manner.

For example, the victim must be able to clearly demonstrate how exactly the data breach resulted in psychological harm. They might be required to submit medical reports or psychological reports to support their claims. This can be a tall order, especially because many people may not immediately recognize or be able to articulate the emotional or psychological impact they have experienced. It does, however, underscore the importance of careful preparation and presentation of cases claiming damages for data breaches.

Loss of control: the reality of public data

The issue of loss of control plays a crucial role here. The data used by scraping was publicly available, which means that it was already outside the user’s control at the time it was disclosed – i.e., when it was entered into the Facebook profile.