In a landmark ruling dated March 30, 2023 (case number: 16 U 22/22), the Higher Regional Court of Frankfurt am Main decided that data subjects are not entitled to injunctive relief if their personal data is transferred to third parties in violation of the General Data Protection Regulation (GDPR). The ruling has been met with criticism because it makes it more difficult to enforce data protection. Clarification by the Federal Supreme Court would be desirable.

What the OLG Frankfurt am Main ruled on

The plaintiff had sued an online store for injunctive relief because, according to him, it had forwarded personal data such as IP address and usage data to third-party providers such as Google when the website was called up.

The Frankfurt am Main Higher Regional Court rejected the claim for injunctive relief. Art. 17 and Art. 82 of the GDPR do not give rise to a claim for injunctive relief. Article 17 of the GDPR only grants a right to the deletion of data. From this, a claim for injunctive relief could also be derived with regard to the storage of data, but not with regard to the transmission of data to third parties. According to Art. 82 GDPR, a claim for injunctive relief requires concrete damage, which is not shown here (OLG Frankfurt am Main, judgment of March 30, 2023, Case No. 16 U 22/22, para. 63).

National claims for injunctive relief under Section 1004 BGB in conjunction with Section 823 BGB are also ruled out. § According to the Higher Regional Court of Frankfurt am Main, national claims for injunctive relief under Section 100 of the German Civil Code (BGB) in conjunction with Section 823 of the German Civil Code (BGB) are also ruled out, since the GDPR, as fully harmonized EU law, contains conclusive provisions. There was no opening clause for national law. The “remedies” mentioned in Art. 79 GDPR refer only to procedural, not substantive claims. Legal protection under individual law was deliberately restricted in favor of “public enforcement” by the data protection supervisory authorities (OLG Frankfurt am Main, loc. cit., para. 76 et seq.).

Reactions to the ruling of the Higher Regional Court of Frankfurt am Main

The ruling has met with a divided response. Data protectionists criticize that the rights of those affected will be severely restricted. They see effective enforcement of data privacy at risk.

For companies and website operators, on the other hand, the ruling means a strengthening of their position. It lowers the liability risk in the event of data protection breaches, as long as no concrete damage is proven.

In the legal discussion, the view of the OLG Frankfurt am Main is not unanimously shared. According to another opinion, it can be argued that substantive claims also arise from Art. 79 GDPR. The restriction of individual legal protection is contrary to the principle of effectiveness.

Whether the restrictive approach of the OLG Frankfurt am Main is correct remains questionable. In any case, the ruling shows that in the event of data protection violations under the GDPR, data subjects primarily have the complaint to the competent data protection supervisory authority as a legal remedy. Individual claims against the responsible party are only possible to a limited extent.

Is the OLG Frankfurt am Main of the wrong opinion?

Some data protection experts are of the opinion that the OLG Frankfurt am Main has misjudged the legal situation. They argue:

• Art. 79 GDPR ensures data subjects an effective judicial remedy. A claim for injunctive relief can also be derived from this.
• The GDPR does not conclusively exclude supplementary national regulations. Therefore, national claims such as § 823 BGB can also be used. (Note: The Higher Regional Court of Frankfurt am Main rejected a claim based on § 1004 BGB)
• The restriction of individual legal protection contradicts the principle of effectiveness of Union law.
• Without individual claims for injunctive relief, the GDPR will not be effectively enforced. Complaints to data protection authorities alone are not enough.

BGH must provide clarity

In view of the legal uncertainties following the ruling by the Frankfurt am Main Higher Regional Court, it is to be hoped that the Federal Court of Justice will soon be given the opportunity to comment on the issue of injunctive relief. Only the Federal Court of Justice can ensure a uniform line in the last instance.

Until then, the legal situation remains uncertain for those affected and website operators. Injunctions for data privacy violations have poorer prospects of success due to the restrictive view of the Frankfurt am Main Higher Regional Court. Conversely, website operators are not automatically liable for injunctive relief in the event of infringements. In the future, this will probably depend even more on a case-by-case assessment.

Conclusion

The landmark ruling by the Frankfurt am Main Higher Regional Court significantly restricts the enforcement of data privacy law via individual claims. Whether this is compatible with the principle of effectiveness of Union law seems doubtful. A supreme court clarification by the BGH would therefore be desirable. Until then, there will be a great deal of legal uncertainty for data subjects and website operators alike in the event of data privacy violations.