LG Traunstein - 9 O 173/24: Difference between revisions
Revision as of 14:41, 2 September 2024
LG Traunstein - 9 O 173/24 | |
---|---|
Court: | LG Traunstein (Germany) |
Jurisdiction: | Germany |
Relevant Law: | Article 6(1)(f) GDPR, Article 6(1)(a) GDPR, Article 13 GDPR, Article 14 GDPR, Article 45(3) GDPR, Article 46(2)(c) GDPR, Article 49(1)(b) GDPR, Article 3 Regulation (EU) 2021/1232 |
Decided: | 08.07.2024 |
Published: | |
Parties: | |
National Case Number/Name: | 9 O 173/24 |
European Case Law Identifier: | |
Appeal from: | |
Appeal to: | Unknown |
Original Language(s): | German |
Original Source: | Bayern.Recht (in German) |
Initial Contributor: | fb |
In a case about non-material damages, a court ruled that a controller that manages a social media platform can lawfully transfer data to the USA relying on an adequacy decision and, before the approval of the latter, on SCCs.
English Summary
Facts
The data subject is a user of a social network platform, which also provides a messaging service. This platform is managed by a company with its headquarters in the USA.
The data subject brought a lawsuit before the Regional Court of Traunstein (Landesgericht Traunstein – LG Traunstein).
Firstly, she argued that the controller is constantly monitoring her private messages and that the privacy policy is not transparent and is too complex.
Secondly, she argued that the controller is collecting through cookies data relating to activities that happen outside the social network without her consent.
Thirdly, she claimed that the controller forwarded all her personal data from and in connection with her account to the USA. She argued that this transfer is unlawful since the USA did not guarantee a level of protection corresponding to the GDPR.
Therefore, the data subject asked the court to order the controller to pay non-material damages.
As for the first argument, the controller pointed out that it scans private messages only to detect child sexual abuse material (CSAM) in compliance with the ePrivacy Directive 2002/58/EC (see Article 3 Regulation (EU) 2021/1232).
Holding
First of all, the court ruled that the data subject has not demonstrated that the controller systematically and automatically monitors the content exchanged via the messenger service. In any case, it found that the controller has proven that it carries out only permissible CSAM scanning. According to the court, this processing is covered by the legal basis provided for by Article 6(1)(f) GDPR.
Secondly, it held that, due to the extensive data protection requirements that are imposed on the controller, the privacy policy cannot be more concise or simpler. Therefore, it found no violation of Articles 13 and 14 GDPR.
Thirdly, it did not uphold the data subject’s argument about cookies. It found that the controller could rely on consent under Article 6(1)(a) and 9(2)(a) GDPR to collect this data.
Fourthly, the court noted that the social media platform at hand is designed as a global platform whose aim is to allow users to have a worldwide network and “friends” from all over the world. Therefore, according to the court, it is obvious – and the data subject should also know this – that data is also transmitted to the USA, especially since the search for users in other jurisdictions can only work if there is a cross-border exchange of data.
Moreover, the court believed that the business decision of the controller to transfer data to the USA is to be accepted by the data subject since no one is forced to use the platform.
Furthermore, it held that the data transfer at hand is necessary for the performance of a contract and, therefore, lawful under Article 6(1)(b) GDPR.
Finally, as for Chapter V GDPR, the court pointed out that currently the controller can rely on the Commission Implementing Decision EU 2023/1795 which allows data transfers to the USA under Article 45(3) GDPR.
As for the preceding period, it found that the standard contractual clauses adopted by the European Commission in 2010 and 2021 according to Article 46(2)(c) GDPR provide a sufficient legal basis. According to the court, the fact that US government authorities can access the data transferred by the controller does not prevent the guarantee of an essentially equal level of protection since it is also possible for EU authorities to have such access under Article 6(1)(c) GDPR.
Moreover, the court ruled that the data transfer is in any case lawful since it is necessary for the performance of the contract under Article 49(1)(b) GDPR.
On these grounds, the court dismissed the data subject's requests.
Comment
This judgement seems not to be consistent with the settled case law of the CJEU. In particular, in C-311/18, Schrems II, the CJEU ruled that when personal data are transferred to a third country pursuant to standard data protection clauses, a level of protection essentially equivalent to that guaranteed within the European Union must be afforded. To carry out this assessment, not only the content of the SCCs must be taken into account, but also the relevant aspects of the legal system of that third country, as regards any access by the public authorities of that third country to the personal data transferred (para. 105). In the same case, the CJEU found that the legal system of the USA does not guarantee an equivalent level of protection (paras. 198-199).
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
LG Traunstein, final judgment of July 8, 2024 - 9 O 173/24
Title: No claim against the operator of a social network for data processing and data storage in Europe alone
Chain of standards: GDPR Art. 6 Para. 1 lit. b, Art. 13, Art. 14, Art. 45 Para. 3
Principles:
1. The extensive data protection requirements that are legally imposed on operators of social networks, among others, in conjunction with the complexity of the services regularly provided by these networks, do not allow for a concise or simple presentation of the data protection framework. Therefore, long and supposedly confusing data protection guidelines do not usually lead to a violation of Art. 13 and 14 GDPR. (para. 24) (editorial principle)
2. A global social network based in the USA cannot be accused of illegally transferring data to the USA. If the social network is designed as a global platform, data must necessarily be exchanged internationally in order to be able to maintain the global network. The data transfer is therefore fundamentally necessary to fulfill the contract under Art. 6 Para. 1 lit. b GDPR. (para. 29 - 30) (editorial principle)
3. The user of a globally operated social network cannot demand that the controller store and process all data from the network in question in Europe. The entrepreneurial decision of the platform operator to process the relevant data outside of Europe must be accepted by the users, especially since no one is forced to use such platforms. (para. 29) (editorial principle)
Keywords: Jurisdiction, interest in a declaratory judgment, application for an injunction, need for legal protection, uncertainty, data transfer, claim for damages
Source: GRUR-RS 2024, 19976
Tenor
1. The action is dismissed.
2. The plaintiff must bear the costs of the legal dispute.
3. The judgment is provisionally enforceable for the defendant against security in the amount of 110% of the amount to be enforced.
The value in dispute is set at €7,000.00.
Facts 1 The plaintiff is suing the defendant for damages, injunctive relief, deletion and information due to violations of the General Data Protection Regulation (GDPR), in particular in connection with the monitoring of the ... messenger service, processing of "off-... data" and data transmission to the USA. 2 The defendant operates the social network "...". The plaintiff maintains a user profile there. Name, gender and user ID are always publicly visible, the other data stored there by the user depends on the selected settings. 3 Part of "..." is also a messenger service through which "..." users can exchange messages and files with each other. 4 The plaintiff claims that the plaintiff's consent covering the data processing by the defendant is not available. The plaintiff is suffering from a loss of control over its data and is concerned about possible misuse of the data concerning it. The plaintiff only provided its telephone number for security purposes and assumed that only it could access this information. The information provided by the defendant before the court was inadequate. In addition, the messenger service of "..." is systematically and automatically monitored ("crawling" of the content). This cannot be deactivated by the user and is not necessary for the performance of the contract. 5 Data relating to activities outside the social network ("off-... data") is collected, stored and evaluated en masse by "..." and passed on within the ... group. User consent is not required. The defendant has forwarded all of the plaintiff's personal data from and in connection with the plaintiff's "..." account to the United States of America (USA), in particular to the NSA, for random review and investigation. This is illegal because the USA does not guarantee a level of protection corresponding to the GDPR. The plaintiff also did not consent to the transfer of their data. 
In terms of content, the enormous amount of data transmitted would reflect practically the entire social life of the user. This caused considerable anxiety and stress for the plaintiff. The plaintiff bases the asserted claims for information, injunctive relief and deletion on Art. 15, 17 and 18 GDPR, Sections 1004 analogously, 823 Para. 1, 823 Para. 2 BGB in conjunction with Art. 6 GDPR, the claims for damages on Art. 82 GDPR. 6 The plaintiff requests, 1. The defendant is ordered to pay the plaintiff non-material damages as compensation for data protection violations with regard to the random monitoring of chat messages sent and received by the plaintiff via the ... messenger service as well as the collection, use and analysis of the plaintiff's "off-... data", the amount of which is left to the discretion of the court, but must be at least EUR 1,500.00, plus interest of five percentage points above the respective base interest rate since the action was brought. 2. The defendant is further ordered to pay the plaintiff non-material damages as compensation for data protection violations with regard to the passing on and transmission of personal data of the plaintiff to the USA, in particular to the NSA there, the amount of which is left to the discretion of the court, but must be at least EUR 1,500.00, plus interest of five percentage points above the respective base interest rate since the action was brought. 3. It is determined that the defendant is obliged to compensate the plaintiff for all future damages that the plaintiff has suffered and/or will suffer a) as a result of the random monitoring of chat messages sent and received by the plaintiff via the ... messenger service and the collection, use and evaluation of the "off-... data" and b) as a result of the passing on and transmission of personal data of the plaintiff to the USA, in particular to the NSA there. 4. 
The defendant is further ordered to refrain from, on pain of a fine of up to EUR 250,000.00 to be set by the court for each case of infringement, or alternatively a term of imprisonment to be enforced on its legal representative (director) or a term of imprisonment of up to six months, in the event of a repeat offense up to two years, a) monitoring chat messages of the plaintiff which are and were sent via the "... messenger" service without cause, b) collecting, using and evaluating "off-... data" of the plaintiff, c) transmitting personal data of the plaintiff to the USA, in particular to the NSA. 5. The defendant is ordered to provide the plaintiff with information a) about the monitored, evaluated and stored data from the monitoring of the ... messenger, namely to present chat logs and disclose their internal evaluation, and to delete these if they were stored without reason, b) to provide information about which "off-... data" was collected by the defendant at the plaintiff's IP address and for what purpose it was stored and used, and to delete these if they were stored without reason, c) to provide information about the specific respect in which the plaintiff was affected by the transmission of the plaintiff's personal data to the USA, in particular to the NSA there, i.e. who accessed which data of the plaintiff and when, and which precise personal data of the plaintiff was viewed by whom. 7 The defendant requests, 8 It complains about the vagueness of the claims and the plaintiff's lack of interest in establishing the facts and need for legal protection. The defendant denies that there was a data protection violation. The transparency obligations are fulfilled by the defendant. All users are sufficiently informed about the setting options for protecting their privacy (in particular target group selection and searchability settings) in accordance with the defendant's data policy. The purpose of the "..." 
platform is to find other people and to get in touch with them, which is counteracted by the searchability settings being pre-set to "Friends" instead of "Everyone". There was no obligation to report or notify. The defendant provided information about its data processing activities before the court case, but is not obliged to provide information about the data processing activities of third parties. The plaintiff did not suffer any noticeable impairment; a loss of control or feeling unwell does not constitute damage. 9 The defendant further states that it treats all messages transmitted via the messenger service confidentially. The defendant complies with the ePrivacy Directive. The defendant carries out so-called CSAM scanning in accordance with Article 3 of the CSAM Regulation in order to identify child pornography content. The data processing in connection with the messenger service is set out in the defendant's data protection policy. The defendant receives "off-... data", i.e. information about activities outside of the ... technologies, from third parties who are responsible for ensuring that the collection and transmission of data is based on a valid legal basis, in particular for obtaining any necessary consent. In addition, the defendant only uses the data if the user has consented via a cookie banner, unless the processing is necessary for security and integrity purposes. The settings can be changed subsequently. The transmission of data by the defendant to ..., Inc. in the USA is based on Chapter V of the GDPR, the Commission's 2023 adequacy decision and the 2010 and 2021 standard contractual clauses. "..." is a global service, which is why cross-border data exchange is necessary to fulfill the contract. Targeted requests from US government agencies under Section 702 of the Foreign Surveillance Act (FISA) are checked for legality before being answered. Since ..., Inc. 
is prohibited under US law from disclosing information about such requests, the defendant is not obligated to do so either. 10 The defendant complains about the lack of specificity of the claims and the plaintiff's lack of need for legal protection or interest in establishing the facts. It raises the statute of limitations defense. 11 The plaintiff here had filed a lawsuit against the defendant under case number 9 O 989/23, among other things for non-material damages in connection with so-called "web scraping", which was essentially dismissed by a (non-final) judgment of January 17, 2024. 12 The court held oral proceedings on the matter on June 17, 2024 and heard the plaintiff for information. To supplement and complete the facts of the case, reference is made to the exchanged written submissions and attachments as well as the minutes of the meeting. Reasons for the decision 13 The partially inadmissible lawsuit is completely unfounded. 14 The lawsuit is only partially admissible. 15 I. The Traunstein Regional Court has jurisdiction in accordance with Sections 1 of the Code of Civil Procedure, 71 Paragraph 1, 23 of the Court Constitution Act, internationally in accordance with Art. 79 Paragraph 2 Sentence 2, 82 Paragraph 6 of the GDPR and locally in accordance with Section 44 Paragraph 1 Sentence 2 of the Federal Data Protection Act. 16 II. The application aimed at establishing the defendant's liability to pay compensation to the plaintiff for future damages is not sufficiently specific. Section 253 Paragraph 2 No. 2 of the Code of Civil Procedure. The application refers to "future damages" "that the plaintiff (...) has suffered and/or will suffer in the future." 
Even taking into account the plaintiff's entire submission, the court cannot determine whether the application should only cover future damages or also damages that have already occurred but are not yet known. 17 III. With regard to the application for a declaratory judgment, there is also no sufficient interest in a declaratory judgment (Section 256, paragraph 1 of the Code of Civil Procedure). An interest in a declaratory judgment must be denied if, from the injured party's point of view, there is no reason, after a reasonable assessment, to at least expect damage to occur (BGH NJW-RR 2007, 601). The court cannot determine what damage the plaintiff is supposed to suffer as a result of the defendant illegally monitoring their messenger messages, processing OffF data and transmitting data to the USA, and this is also not plausibly explained. 18 IV. The injunction application under item 4 a) of the claims is not sufficiently specific, Section 253 Paragraph 2 No. 2 ZPO. The word "without cause" restricts the injunction request in an objectively indefinable manner. A corresponding ruling would not be enforceable. 19 V. With regard to the injunction application under item 4b), the plaintiff lacks the need for legal protection. The plaintiff has the option of controlling the treatment of "off-... data" or "activities outside of the ... technologies" itself via the settings. The plaintiff must also be aware of this at the latest based on the defendant's statement in the legal dispute. Since it has an easier way of achieving its legal protection goal, it lacks the need for legal protection to file an injunction. 20 VI. The application for deletion of "unfounded stored" data (sections 5a and b of the claims) is inadmissible due to the reasons mentioned above under section IV due to its vagueness. 21 VII. Otherwise, the claim is admissible. 22 The claim is - to the extent that it is inadmissible - unfounded. 23 I. 
The plaintiff has no claims against the defendant in connection with the alleged allegations regarding the ... messenger service. There is already no relevant violation of the provisions of the GDPR. 24 The plaintiff has not provided a convincing explanation of how it should be concluded that the defendant systematically and automatically monitors the content exchanged via the ... messenger service in the sense of "crawling" the content. In any case, this does not follow from the defendant's data protection policy. Rather, the defendant has plausibly demonstrated that it treats the transmitted messages in accordance with the legal requirements, in particular the ePrivacy Directive, and carries out permissible CSAM (child sexual abuse material) scanning to identify child pornography content. To the extent that the plaintiff complains about the length and lack of clarity of the defendant's data protection policy, no violation of Art. 13 and 14 GDPR can be identified. The extensive data protection requirements that are legally imposed on the defendant, in conjunction with the complexity of the services provided by the defendant, do not allow for a more concise or simpler presentation of the data protection framework. The fact that the defendant stores the content exchanged via the messenger service as such and transmits it to the addressee is unavoidable in order to provide this service, Art. 6 Para. 1 Letter B GDPR. The court therefore also sees no evidence of a violation of the data minimization requirement (Art. 5 Para. 1 Letter c GDPR). CSAM scanning is covered by Art. 6 (1) (f) GDPR. Furthermore, it is up to the plaintiff - like every "f" user - whether they want to use the messenger service at all or not. 25 II. The plaintiff also has no claims against the defendant in connection with the alleged allegations regarding the "off-... data". 26 1. In this respect, too, no violation of data protection law is apparent. 
The processing of data in connection with "activities outside of the ... technologies" ("off-... data") is covered by the user's consent, Art. 6 (1) (a) and Art. 9 (2) (a) GDPR. According to the defendant's statement, the accuracy of which the court has no doubts about, it obtains the consent of the users by means of a cookie banner shown on page 11 of the written submission dated March 4, 2024. The relevant settings are described in a comprehensible manner by means of notes and can be subsequently changed by the user. The plaintiff is registered with "..." so that he can make the relevant settings himself. The situation with people who are not registered with "..." is irrelevant because the plaintiff does not belong to this group of people. The fact that the "Allow all cookies" button is colored blue does not constitute a violation of Art. 25 Para. 2 GDPR (data protection-friendly default setting). This is because it is not a "default setting", but a usual and permitted visual highlight that does not affect the user's active decision-making ability. To the extent that the defendant receives information from cookies and similar technologies from third parties, it processes this without the user's consent, according to its own statements, only for security and integrity purposes, which is covered by Art. 6 Para. 1 Letter b ff. GDPR or Art. 9 Para. 2 Letter B ff. GDPR. The plaintiff did not bring any substantively contradictory information into the legal dispute. 27 2. To the extent that the defendant processed the "Off-... data" without the required consent until the decision of the Federal Cartel Office of February 6, 2019 (see press release of February 7, 2019, Appendix KE-4), it is not stated that the defendant still retains "Off... data" from this period in relation to the plaintiff. Moreover, the plaintiff's resulting claims would in any case be time-barred, Sections 195, 199 Para. 1, 214 Para. 1 BGB. 
In any case, the plaintiff had to know the actual requirements for the claim as a result of the aforementioned press release or expose itself to the accusation of grossly negligent ignorance. The statute of limitations would therefore have expired at the end of 2022. 28 III. Finally, the plaintiff has no claims against the defendant in connection with the alleged allegations in connection with the data transfer to the USA. 29 1. The court cannot identify any illegal data transfer. The platform "..." and the MGroup originate from the USA. "..." is designed as a global platform. In order to maintain this worldwide network, data must necessarily be exchanged internationally. It is therefore obvious that in this context data is also transferred by the defendant to the USA. This requirement is also independent of whether the plaintiff is "friends" with US "..." users or not. The search for users in other legal areas alone can only work if there is a cross-border data exchange. All of this must be sufficiently known to every "..." user, including the plaintiff. The plaintiff has no right to expect that "..." is operated in such a way that all data is stored and processed in Europe in the sense of a purely European "...". The entrepreneurial decision of the operator of the "..." platform to process data in the United States of America must be accepted by the users, especially since no one is forced to use the "..." platform. 30 2. The data transfer is therefore fundamentally necessary for the performance of the contract, Art. 6 Para. 1 Letter b GDPR. There is no sufficient factual evidence that the defendant, as the plaintiff ultimately claims, also makes its entire data set freely available to the American foreign intelligence service without any conditions. The plaintiff has not specifically explained what the US government is supposed to have "admitted" in this regard. In any case, the defendant has denied this and no evidence has been provided by the plaintiff. 31 3. 
The defendant complies with the requirements for data transfer to third countries under Chapter V of the GDPR. 32 a) The data transfer is currently taking place on the basis of the Commission's adequacy decision of July 10, 2023. This represents a suitable basis for the data transfer, Art. 45 (3) GDPR. A further review of the adequacy of the level of protection is therefore unnecessary. 33 b) For the previous period, the standard contractual clauses adopted by the Commission in 2010 and 2021 in conjunction with Art. 46 (1), (2) (c) GDPR provide a sufficient legal basis. According to Art. 46 (1) GDPR, those affected must have enforceable rights and effective legal remedies at their disposal in order to ensure a level of protection equivalent to EU law. The plaintiff complains that the US legal remedy mechanism is based on a government regulation and not on formal law. However, even a regulation is a law in the substantive sense. It is not clear why this cannot provide equivalent legal protection. 34 c) Finally, as already explained above, the data transfer is necessary for the performance of the contract and is therefore permissible on the basis of Art. 49 (1) sentence 1 b GDPR. 35 d) If data protection authorities hold different opinions, these are not binding on the court. 36 4. There is no conclusive evidence of a violation of Art. 5 Paragraph 1 Letter f or Art. 32 GDPR. The statement of claim does not provide any reason to believe that the defendant does not adequately protect the plaintiff's data in technical or organizational terms. 37 5. The court cannot identify a violation of Art. 13 GDPR either. The defendant has provided the sources where users can find out about the need to transfer data to foreign companies, namely .., Inc., as well as about the provision of information in response to government requests. It is not apparent that the defendant has not complied with its obligation to provide information. 38 6. 
To the extent that US government agencies, including the secret services, can request information from .., Inc. under US law, this is a consequence of the lawful transfer of data to the territory of the United States of America. This possibility does not conflict with the guarantee of an essentially equal level of protection, as it would also be permissible under the European data protection regime under Art. 6 Para. 1 Letter c GDPR (fulfillment of a legal obligation). 39 IV. In order to claim damages under Art. 82 GDPR, there is also no causal damage to the plaintiff. During its informative hearing, the plaintiff merely stated that it had only been made aware of possible data protection violations in connection with the transfer of data or the messenger by the plaintiff's representatives. It was only after the court pointed this out that it became clear to it that the current lawsuit did not relate to the scraping cases. Finally, reference is made to the decision of the Higher Regional Court of Munich, case no. 14 U 3359/23 e, order of December 19, 2023, in which the following is stated: “The fear (even more clearly: English “fear” and French “crainte”), in which the ECJ sees material damage, can only be something that the injured party (a) experiences personally and which (b) burdens him mentally, thus impairs him psychologically. If the trial court is unable to identify anything of the sort, the occurrence of non-material damage is not predominantly probable within the meaning of Section 287 Paragraph 1 of the Code of Civil Procedure.” 40 This is the case here: the “great concern” stated (only) in the context of the information hearing when presented by her attorney (after initially stating that she “also finds it bad”) does not constitute non-material damage. 41 V. The plaintiff is not entitled to information claims against the defendant under Article 15 of the GDPR. 42 1. 
If information is requested regarding the data “from the monitoring of the FMessenger”, “chat logs are to be presented and their internal evaluation disclosed”, the chat histories can be downloaded by the plaintiff themselves. The right to information is thereby fulfilled, Section 362 Paragraph 1 of the German Civil Code. What is meant by an “internal evaluation” is not clear to the court; a subsumption under one of the categories of Art. 15 Para. 1 GDPR is not possible in this respect. 43 2. Insofar as information is requested as to which "off-... data" was collected by the defendant at the plaintiff's IP address and for what purpose it was stored and used, the defendant rightly refers to the self-disclosure option it has made available and, with regard to the processing purposes, to a specific page in the help section. The information is thus provided, Section 362 Para. 1 BGB. 44 3. With regard to any data transmitted to the NSA, the defendant can refuse to provide information because, on the one hand, there is a duty of confidentiality under US law and, on the other hand, the information is of a confidential nature, Art. 23 GDPR in conjunction with Section 29 Para. 1 Sentence 2 BDSG, whereby, contrary to the plaintiff's opinion, the latter provision is not limited to those who are bound by professional secrecy, even based on its wording. It goes without saying that the information as to whether and what information is provided to secret services is, by its nature, confidential. Furthermore, the information provided to the NSA is not provided by the defendant, but by .., Inc., so that the defendant would not be liable with regard to a claim for information. 45 VI. The requests for deletion pursuant to Art. 17 GDPR (points 5 b and c of the claims) are ineffective because they are made under the condition that the data processing is carried out “without cause”. Even if one wanted to give this term the meaning “not necessary” (Art. 17 para. 
1 letter a GDPR), “without legal basis” (Art. 17 para. 1 letter b GDPR), or “unlawful” (Art. 17 para. 1 letter d GDPR), these conditions are not met, as explained in points I to II. 46 VII. All claims for injunctive relief fail due to the lack of a violation of the GDPR, see above, sections I to III. With regard to the "off-... data", it is also up to the user to manage the relevant settings. The plaintiff acts inconsistently if it leaves the settings as they are and, on the other hand, demands that the defendant not process the data on the basis of these settings. 47 VIII. In the absence of a main claim, there is also no claim to litigation interest under Section 291 of the German Civil Code. 48 I.The decision on costs is based on Section 91 Paragraph 1 of the Code of Civil Procedure. 49 II.The provisional enforceability arises from Section 709 of the Code of Civil Procedure. 50 III.The determination of the value in dispute is based on Sections 39 Paragraph 1, 43 Paragraph 1, 48 Paragraph 1 Sentence 1 of the Code of Civil Procedure. 51 The Court assesses the applications as follows: