LG Baden-Baden - 3 O 277/22: Difference between revisions
No edit summary |
No edit summary |
||
(2 intermediate revisions by 2 users not shown) | |||
Line 39: | Line 39: | ||
|EU_Law_Link_2= | |EU_Law_Link_2= | ||
|National_Law_Name_1=§ | |National_Law_Name_1=§ 242 BGB | ||
|National_Law_Link_1= | |National_Law_Link_1= | ||
|National_Law_Name_2= | |National_Law_Name_2= | ||
|National_Law_Link_2= | |National_Law_Link_2= | ||
|National_Law_Name_3= | |National_Law_Name_3= | ||
Line 76: | Line 76: | ||
The court held that the controller's request was admissible and justified. The court pointed out that the CJEU case law allows the application of national law enabling judges to check the existence of abuses of EU rights by the parties (see [https://curia.europa.eu/juris/liste.jsf?nat=or&mat=or&pcs=Oor&jur=C%2CT%2CF&num=C-373%252F97&for=&jge=&dates=&language=en&pro=&cit=none%252CC%252CCJ%252CR%252C2008E%252C%252C%252C%252C%252C%252C%252C%252C%252C%252Ctrue%252Cfalse%252Cfalse&oqp=&td=%3BALL&avg=&lg=&page=1&cid=2070463 C-373/97]). | The court held that the controller's request was admissible and justified. The court pointed out that the CJEU case law allows the application of national law enabling judges to check the existence of abuses of EU rights by the parties (see [https://curia.europa.eu/juris/liste.jsf?nat=or&mat=or&pcs=Oor&jur=C%2CT%2CF&num=C-373%252F97&for=&jge=&dates=&language=en&pro=&cit=none%252CC%252CCJ%252CR%252C2008E%252C%252C%252C%252C%252C%252C%252C%252C%252C%252Ctrue%252Cfalse%252Cfalse&oqp=&td=%3BALL&avg=&lg=&page=1&cid=2070463 C-373/97]). | ||
In the present case, such parameter is the standard of "''good faith''" under § 242 of the German Civil Code (''Bürgerliches Gesetzbuch'' - BGB) which, according to the court, the data subject had violated in the present case | In the present case, such parameter is the standard of "''good faith''" under § 242 of the German Civil Code (''Bürgerliches Gesetzbuch'' - BGB) which, according to the court, the data subject had violated in the present case. This results from the fact that, contrary to the data subject's submissions, their primary interest when accessing the websites was the generation of claims for damages against the controller. The court rejected the data subject's statement that their main concern was to denounce data protection violations. Besides, the court held that the risk that inexperienced users came to the webpages was very low. A violation in the form of unlawful data transfers materialised only because the data subject intentionally looked for it with an aim of asking for non-material damages. | ||
As a further argument to substantiate the data subject's bad faith, the court claimed that, by visiting the controller's website, the data subject implicitly consented to the data processing in accordance with [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]]. | |||
In conclusion, the court identified an abuse of the right, as the data subject based their requests on irrelevant interests and goals that were not worthy of protection in themselves. | In conclusion, the court identified an abuse of the right, as the data subject based their requests on irrelevant interests and goals that were not worthy of protection in themselves. |
Latest revision as of 07:52, 31 May 2023
LG Baden-Baden - 3 O 277/22 | |
---|---|
Court: | LG Baden-Baden (Germany) |
Jurisdiction: | Germany |
Relevant Law: | Article 6(1)(a) GDPR Article 82 GDPR § 242 BGB |
Decided: | 16.01.2023 |
Published: | 26.04.2023 |
Parties: | |
National Case Number/Name: | 3 O 277/22 |
European Case Law Identifier: | |
Appeal from: | |
Appeal to: | Unknown |
Original Language(s): | German |
Original Source: | openJur (in German) |
Initial Contributor: | ludwigederle |
The Regional Court of Baden-Baden ruled that access to a controller's website for the sole purpose of generating data protection claims for damages breaches the German law principle of "good faith" and therefore no compensation under Article 82 GDPR was possible.
English Summary
Facts
The controller run some websites that make use of Google tools. When users interacted with such tools their personal data were transferred to the US, allegedly in violation of the GDPR. The data subject visited some of these websites via web crawling and claimed damages for data protection violations. The controller considered the data subject's request unfounded and brought an action for injunctive relief before the Regional Court of Baden-Baden. The controller asked the court to order the data subject to refrain from further warnings and requests, as the data subject had no right to compensation under the GDPR.
Holding
The court held that the controller's request was admissible and justified. The court pointed out that the CJEU case law allows the application of national law enabling judges to check the existence of abuses of EU rights by the parties (see C-373/97).
In the present case, such parameter is the standard of "good faith" under § 242 of the German Civil Code (Bürgerliches Gesetzbuch - BGB) which, according to the court, the data subject had violated in the present case. This results from the fact that, contrary to the data subject's submissions, their primary interest when accessing the websites was the generation of claims for damages against the controller. The court rejected the data subject's statement that their main concern was to denounce data protection violations. Besides, the court held that the risk that inexperienced users came to the webpages was very low. A violation in the form of unlawful data transfers materialised only because the data subject intentionally looked for it with an aim of asking for non-material damages.
As a further argument to substantiate the data subject's bad faith, the court claimed that, by visiting the controller's website, the data subject implicitly consented to the data processing in accordance with Article 6(1)(a) GDPR.
In conclusion, the court identified an abuse of the right, as the data subject based their requests on irrelevant interests and goals that were not worthy of protection in themselves.
Comment
In providing the controller with an injunctive relief, the court did not address the question whether an interference with the right to informational self-determination can only arise when the person concerned opened websites manually or whether this is also possible through the use of "bots" and "crawlers". As a matter of fact, this case did not directly concern the existence of a GDPR violation, but rather a claim for damages. It may be argued that the data subject, by engineering these cases, broke the causal link between the controller's unlawful conduct and the harm suffered by the data subject themselves.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
If a website is accessed for the purpose of generating a data protection claim for compensation for pain and suffering, this constitutes an implied consent to the data processing there in accordance with Art. 6 Para. 1 Subpara. 1 lit. a GDPR. (Principles: Lawyer Evgeny Pustovalov) Rubrum Baden-Baden Regional CourtIn the name of the peopleJudgmentIn the legal dispute...- Plaintiff -Procurator: against...- Defendant -Procurator: because of an injunction, the Baden-Baden Regional Court - Civil Chamber III - by the judge at the Regional Court as a single judge based on the oral hearing of 12/21/2022 recognized for right: tenor 1. The preliminary injunction of October 11, 2022 is confirmed.2. The defendant has to bear the further costs of the proceedings. facts The plaintiff works in the field of ... It operates ... a centralized franchise system in which approx. ... partner companies currently participate. In particular, they participate in the advertising measures, wholesale purchasing conditions, a central online billing system and a listing with the insurance companies that is favorable for them. Furthermore, the plaintiff creates and maintains the website for its franchisees; Only the plaintiff appears as the person responsible in the imprint of these so-called sub-domains. The fonts "Google Fonts" are used on the plaintiff's website. These are made available by Google to the operators of websites free of charge. If a user calls up a website that uses "Google Fonts", his IP address will be transmitted to a Google server in the USA without further notification, unless data processing has previously been set to "local". Commissioned in mid-2022 the plaintiff instructed the service provider responsible for its website to switch the data processing relating to "Google Fonts" to "local" on all websites for which it is responsible (both its own and those of the franchisees), so that the IP address of users is no longer transmitted to the USA would become. On August 16, 2022, the service provider commissioned by the plaintiff confirmed ... the conversion of all websites. It later turned out that the unused, content-free subdomains had not been converted with regard to data processing at "Google Fonts". This has now been remedied. On September 9th, 2022, the defendant sent through his lawyer ... to the ..., the ..., the ..., the ... and the ... each with the same wording with the subject " Personal injury data protection Google Fonts, here: warning". The defendant claimed to be part of the data protection interest group. They have dedicated themselves to defending and enforcing data protection through civil law. By using "Google Fonts" and the associated disclosure of the defendant's IP address, the franchisees contacted committed a data protection violation and thus violated the defendant's general personality rights in the form of the right to informational self-determination according to Section 823 (1) BGB. The defendant therefore has a claim for injunctive relief and offers to "let the matter rest" in exchange for a payment of 170 euros. The defendant sent identical letters on September 19, 2022 to the ..., the ... and the .... In a letter dated September 26, 2022, the legal representative of the plaintiff requested the defendant to refrain from future warnings and to do so by October 6th. 2022 to issue a suitable cease and desist declaration with penalty clause. There was only an automated response to this, but otherwise no further reaction from the defendant. In a letter dated October 10, 2022 (receipt by the court on the same day), the plaintiff applied for the defendant to be fined under threat of a fine in the amount of 5 euros to 250,000 euros, alternatively imprisonment for up to six months if uncollectible, to refrain from contacting a partner company of the applicant's franchise system with claims in connection with the integration of "Google Fonts", if this is done as with Letter dated September 9th, 2022 to Az. ... to ... and/or ... with letter dated September 9th, 2022 to Az. ... to ... . The plaintiff is of the opinion that the letters of the defendant are unjustified represent warnings. The defendant is thus encroaching on their established and exercised business and violated their moral rights as entrepreneurs. You are therefore entitled to an injunction pursuant to Section 823 (1) of the German Civil Code in conjunction with Section 1004 of the German Civil Code. The warnings of the defendant are unjustified, since they are not entitled to compensation for pain and suffering under Art. 82 DS-GVO. However, the defendant used a bot to visit the Internet pages that had been warned, i.e. a computer program that uses a specific algorithm. Since no one visited the website in question, there could be no violation of their data protection rights. Furthermore, the defendant had hoped when accessing numerous websites that the IP address would be transferred to the Google servers in the USA. This is the only way he can generate the claim for compensation for pain and suffering that he is striving for. However, it also follows from this that the defendant implicitly consents to the data processing. The action of the defendant is also abusive, since he deliberately brings about the violation of legal interests he has complained about in order to be able to assert claims for damages. Baden issued the temporary injunction requested by the plaintiff. The defendant lodged an objection to this in a letter dated November 8th, 2022. The plaintiff last applied to reject the defendant's objection of November 8th, 2022 and to confirm the injunction of October 11th, 2022. The defendant last applied for the decision on his objection of the Baden-Baden Regional Court of October 11, 2022 and reject the plaintiff's application for the injunction to be issued. The defendant is of the opinion that the plaintiff has no right to injunctive relief against him. The active legitimation of the plaintiff is already problematic, since she was not the addressee of the letter of the defendant. There is also a lack of a direct, substantial and operational intervention in the established and exercised business of the plaintiff. This results on the one hand from the fact that the defendant against the The company addressed had a claim under Art. 82 GDPR and the letters were therefore legitimate. The partner companies of the plaintiff violated data protection standards on their respective websites. As the operator of these websites, you are therefore also responsible. It is also irrelevant here that the defendant used a technical aid in the form of a so-called "web crawler" when visiting the website. His personal date in the form of an IP address was sent to a US server by Google. For this purpose, it is irrelevant whether the defendant accessed the website manually or with the help of a technical aid. The defendant only depicted the data protection violations of the partner companies of the plaintiff, the disclosure of his IP address was a necessary evil for this. The defendant did not consent to the transfer of his IP address to the USA. Finally, his actions were not illegal. On the one hand, this results from the fact that it is not already a question of a warning in the legal sense. He did not demand that the partner companies he wrote to submit a declaration of discontinuance, but merely referred to his existing claim under Art. 82 DS-GVO with the offer to refrain from further enforcement in return for payment of €170. The defendant also pursued this with his letters not the goal of generating income, at least not primarily. Rather, he is concerned with reducing the comprehensive, unnoticed surveillance, in this case initiated by Google with the support of the beneficiaries of the technical support solution "Google Fonts". For this he uses technical and legal help. However, this is not an abuse of rights. For further details, reference is made to the further written presentation by the party representatives together with attachments and the minutes of the oral hearing of December 21, 2022. reasons The request of the plaintiff dated October 10, 2022 is admissible and justified.I. The plaintiff has a claim against the defendant for injunctive relief under Section 823 (1) of the German Civil Code in conjunction with Section 1004 of the German Civil Code, analogously to the effect that the latter no longer sends letters to the plaintiff’s partner companies regarding an alleged data protection violation and an alleged claim under Article 82 GDPR .1. The plaintiff is the operator of the website complained of by the defendant and as such is also indicated in the imprint. As the person responsible for the website, she can assert her claims in her own name against the defendant.2. The plaintiff has a claim for injunctive relief against the defendant pursuant to § 823 para. 1 BGB in connection with § 1004 BGB analogously because of an intervention by the defendant in their established and exercised business.a) An unjustified warning can represent an intervention in the established and exercised business; the person who has been warned can defend himself against this by means of temporary legal protection (cf. BGH, decision of 15.07.2005 - GSZ 1/04 -, BGHZ 164, 1-11). injunction plaintiff, since their interest is protected in the fact that their economic position is not weakened by incorrect information or assessments (cf. BGH, judgment of 16.12.2014 - VI ZR 39/14, juris para. 13). In the present case, the letters from the Defendant pose a concrete risk that the Plaintiff's partner companies could change franchisors due to their alleged poor performance with regard to the website. According to the plaintiff's undisputed statement of facts, the ... is a highly competitive market in which the plaintiff's partner workshops are aggressively courted to change. The intervention is all the more obvious when its purpose - as here - is irrelevant; the defendant does not even claim himself that he wanted to find out about the services of the plaintiff. b) The letters of the defendant are illegal warnings, since the defendant is not entitled to compensation for pain and suffering from a violation of Art. 82 DS-GVO. aa) It can be left open at this point whether an interference with the right to informational self-determination can only take place if the person concerned has called up the respective website manually or whether this is also possible if he uses technical aids such as a " Bots" or "crawlers".bb) By visiting the plaintiff's website, the defendant implicitly consented to the data processing there in accordance with Article 6(1)(1)(a) of the GDPR (cf. Frenzel in Paal/Paulick , GDPR, 3rd edition 2021 Art. 6 para. 11). This results from the fact that, contrary to the defendant's submissions, his primary interest when accessing the website in question was the generation of claims for damages against their operators. The court does not believe the defendant's statements that his main concern was to denounce data protection violations. Here, the assessment can include the fact that the defendant preferred not to answer the court's questions as to how many of those affected he had written to and what the total amount he had received from the letters. This interpretation is also supported by the wording of the series of letters sent by the defendant about a lawyer. Contrary to the statements made by the defendant, there is already talk of a warning in the subject. The purpose of the letter focuses solely on the payment of the sum of 170 euros. According to § 296a sentence 1 ZPO, the plaintiff's pleading of December 22, 2022, which is no longer admissible, with reference to the press release from the Berlin Public Prosecutor's Office regarding the searches carried out on December 21, 2022 the defendant because of the suspicion of (attempted) warning fraud and (attempted) extortion in at least 2418 cases was therefore no longer relevant for this evaluation consented to the transfer of his IP address to the USA, as this was the only way to claim compensation for pain and suffering. His business model could only work because the IP address of the computer he was using was transferred to the USA - as he wished. blame GMOs. It recognized the problem as early as August 2022 and thus before the defendant wrote to the injunction and tried to remedy it via a software service provider. Apart from the website that was the subject of the complaint (which is currently under construction), it has indisputably succeeded in doing so. The risk of an inexperienced user coming to these pages was very low. It only happened here because the defendant specifically searched for sites where he could claim data protection violations and for this purpose had Internet pages accessed in bulk via his webcrawler.dd) The warnings of the defendant against the partner companies of the plaintiff were also abusive within the meaning of § 242 BGB. It is permissible under Community law for a national court to apply a provision of national law according to which it examines whether a right from a Community law provision is being abused (compare ECJ, judgment of 23.03.2000 - C-373/97, juris). In the present case, the application of Art. 82 DS-GVO can therefore be measured against the standards of good faith in accordance with Section 242 BGB. The defendant violated this standard. The legal concept of § 8c UWG can be used to interpret § 242 BGB. Here, the defendant has asserted a significant number of violations of the same legal provision through warnings. An abuse of rights can also be assumed if the dominant motive in asserting a claim for injunctive relief is irrelevant interests and goals that are not worthy of protection in themselves (cf. Brandenburg Higher Regional Court , Judgment of July 19, 2022 – 6 U 41/21, juris para. 22). This is also the case here (see above under 2.b bb).ee) Against this background, it can be left open whether there is a de minimis limit in Art. 82 DS-GVO, which prevents the liquidation of minor damage - as given here - (see above e.g. Karlsruhe Regional Court, judgment of February 9th, 2021, - 4 O 67/20 -, juris para. 28 ff.). The decision on the threat of a disciplinary measure is based on § 890 ZPO.II. There is also a reason for disposal. The intervention by the defendant in the established and exercised business of the plaintiff indicates the risk of repetition. The plaintiff acted immediately after receiving the warnings of September 9, 2022 at its partner companies and submitted its urgent application to the court on October 10, 2022 in sufficient time to protect the reason for the injunction.III. The cost decision results from § 91 ZPO.