No compensation for scraping incidents on Facebook

The 4th Civil Senate of the Higher Regional Court of Stuttgart has ruled in two judgments on claims in connection with a data leak on Facebook (scraping). In total, more than 100 cases are now pending before the Senate – there are said to be more than 6,000 cases nationwide. There are further announcement dates in December.

The plaintiffs are each asserting several violations of the General Data Protection Regulation (GDPR) against Meta (formerly Facebook) after data was tapped from 2018 onwards, during which the plaintiffs’ personal data was read and linked to their cell phone number. A total of 533 million corresponding data records were published on the darknet worldwide in 2021.

The plaintiffs are demanding non-material damages due to violations of the GDPR, the determination of a future obligation to pay compensation, the omission of making the data accessible without security measures, the omission of processing the telephone number and (further) information about the tapped data. There are disputes between the parties in many areas.

Decision of the Senate

The Senate dismissed most of the claims, only the application for a declaratory judgment was successful.

For the claim for damages based on Art. 82 para. 1 GDPR, the Senate was unable to establish any tangible immaterial impairment of the respective plaintiffs. Art. 82 par. 1 GDPR grants a claim for compensation for material or non-material damage if there has been a breach of the GDPR with regard to the plaintiff concerned that has caused damage.

The concept of concrete damage to be determined requires a uniform definition under European law, whereby, according to the recitals to the GDPR, the loss of control over personal data, the restriction of rights, discrimination, identity theft or fraud, financial losses, unauthorized removal of pseudonymization, damage to reputation, loss of confidentiality of data subject to professional secrecy or other significant economic or social disadvantages for the natural person concerned should suffice.

In this respect, the European Court of Justice has stipulated that there is no materiality or de minimis threshold for the existence of damage. After hearing the plaintiffs – who had not made sufficient written submissions – the Senate was unable to establish an actual immaterial impairment because mere annoyances and inconveniences were described and the mere loss of control does not constitute an impairment.

The further asserted claim for injunctive relief was unsuccessful for legal reasons because the previous case law of the Federal Court of Justice (e.g. BGH, judgment of 12.10.2021, VI ZR 488/19 para. 69) assumes that claims under Sections 823, 1004 BGB are barred under German law by Art. 17 GDPR.

However, Art. 17 GDPR only standardizes a right to erasure and (re)storage, but does not grant any rights with regard to data processing operations because the data controller cannot be prescribed any processing methods. The request for information was also rejected: The defendant provided information. With regard to the question of the recipients of the data, it was assumed that it was impossible to provide information because the defendant asserted without contradiction that it did not know and could not determine them.

The requested determination of a more extensive obligation to pay compensation was successful in one of the two proceedings. In particular, the Senate found violations of Art. 5 para. 1 f) GDPR (safeguarding integrity and confidentiality) and Art. 25 para. 2 GDPR (lack of data protection-friendly default settings). The possibility of accessing personal data in the so-called contact import tool violated Art. 5 para. 1 f) GDPR is violated. The default setting of an access option that must be actively deselected violates the prohibition of an opt-out model.

Progress of the proceedings

With regard to deviations from a judgment of the Higher Regional Court of Hamm (judgment of 15.08.2023, 7 U 19/23) and the order of reference of the Federal Court of Justice to the European Court of Justice (of 26.09.2023; VI ZR 97/22), the Senate has allowed an appeal in the partially successful case (4 U 20/23). In the second case, the action was dismissed in its entirety on factual grounds.

Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.