Things are not going well for law firms that have collected masses of alleged clients for DSGVO claims against Facebook. This is because the Higher Regional Court of Hamm has issued its first ruling on the so-called Facebook scraping cases and dismissed a claim for payment of damages under the General Data Protection Regulation(GDPR). According to the ruling, there have been violations of data protection regulations, but the plaintiff was unable to sufficiently demonstrate non-material damage.
In April 2021, unknown persons published the data of about 500 million Facebook users on the darknet, including names and phone numbers. The unknown persons had previously collected the data over a longer period of time, initially by exploiting Facebook’s search functions at the time, which is why the term “scraping” is used. Even if the display of one’s own phone number was not activated on Facebook, it was possible to identify a user via an entered phone number using the search function. The unknown “scrapers” exploited this by generating millions of telephone numbers with the computer and retrieving data for this purpose. Facebook disabled the phone number search feature in April 2018. A subsequent customized scraping process that exploited Facebook’s contact import feature was followed by further data grabs until Facebook also disabled this feature on the platform in October 2018 and on Facebook Messenger in September 2019.
With regard to this “data leak”, numerous lawsuits are pending against Meta as the operator of the platform throughout Germany, including in the district of the Higher Regional Court of Hamm, for which the first decision has now been issued. In it, the 7th Civil Senate, which is responsible for the law of torts, clarifies numerous legal issues in connection with the scraping lawsuits.
The plaintiff in the case that has now been decided was also affected by the scraping. The record published on the darknet included her cell phone number, first and last name, and gender information. The plaintiff has demanded compensation from Meta as operator of the platform for immaterial damages similar to damages for pain and suffering in the amount of at least 1,000 euros, among other things. It took the view that the operator of the platform had violated various data protection provisions from the GDPR both in connection with the scraping and independently of it. Meta has countered this.
The Bielefeld Regional Court had rejected the claim. The appeal filed by the plaintiff has now been unsuccessful before the Higher Regional Court of Hamm. It is true that the Higher Regional Court found violations of the GDPR. However, it was not convinced that the plaintiff had suffered any non-material damage.
With regard to the identified violations of the GDPR, the Higher Regional Court starts from the premise that it is also the task of the data controller – in this case Meta – in civil proceedings to prove that the processing of such data is permissible under the GDPR. The transfer of data to third parties on a search function or a contact import function is also data processing in the sense of the GDPR. Meta was unable to demonstrate here that the disclosure of the plaintiff’s cell phone number as part of the search or contact import function was justified under the GDPR. Meta cannot rely on the fulfillment of the contractual purpose as a justification ground under the GDPR, since the processing of the cell phone number is not absolutely necessary for the networking of Facebook users with each other, taking into account the principle of data minimization. The processing of the cell phone number therefore requires the consent of the user. Such consent was not validly granted in this case, because the consent granted to the plaintiff at the time used default settings that could be deselected by the user if desired (“opt-out”) and the information about the search and contact import function was inadequate and non-transparent.
The Higher Regional Court also affirmed a breach of duty leading to damages in principle, since Meta had not taken obvious measures to prevent further unauthorized data access despite concrete knowledge of the data access in the present case.
Nevertheless, the Higher Regional Court did not award the plaintiff any damages. The plaintiff here has only claimed non-material damages, which is possible in principle under the GDPR and can lead to compensation similar to damages for pain and suffering. However, the plaintiff has not succeeded in demonstrating concrete non-material damage. In doing so, the Higher Regional Court assumes that the immaterial damage cannot lie in the mere violation of the GDPR itself, but that personal or psychological impairments going beyond this must have occurred. However, the plaintiff has not presented such individually. The blanket statement, identical to a large number of similar proceedings, that the “plaintiff party” had developed feelings of a loss of control, of being watched and of helplessness, i.e. an overall feeling of fear, and had expended time and effort, is not sufficient to demonstrate that the plaintiff was concretely and individually affected. Nor is the misuse of data at issue here, which led to the unintentional publication of the name and cell phone number, so serious that the occurrence of non-material damage is readily apparent. In addition, the plaintiff had only stated in her personal hearing before the district court that she had suffered a “feeling of fright”.
The Higher Regional Court assessed the amount in dispute for the entire proceedings – in which further claims for declaratory judgment, injunctive relief and information had also been asserted unsuccessfully – at only EUR 3,000. It saw no reason to refer the proceedings to the European Court of Justice for a preliminary ruling or to allow an appeal, as the decisive legal questions had recently been clarified by the European Court of Justice.