LG Traunstein - 9 O 173/24: Difference between revisions

From GDPRhub
(Created page with "{{COURTdecisionBOX |Jurisdiction=Germany |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=LG Traunstein |Court_Original_Name=Landgericht Traunstein |Court_English_Name=Regional Court Traunstein |Court_With_Country=LG Traunstein (Germany) |Case_Number_Name=9 O 173/24 |ECLI= |Original_Source_Name_1=Bayern.Recht |Original_Source_Link_1=https://www.gesetze-bayern.de/Content/Document/Y-300-Z-GRURRS-B-2024-N-19976?hl=true |Original_Source_Language_1=German |O...")
 
No edit summary
 
(3 intermediate revisions by 2 users not shown)
Line 81: Line 81:
The data subject is a user of a social network platform, which also provides a messaging service. This platform is managed by a company with its headquarter in the USA.
The data subject is a user of a social network platform, which also provides a messaging service. This platform is managed by a company with its headquarter in the USA.


The data subject promoted a lawsuit before the Regional Court of Traunstein (Landesgericht Traunstein – LG Traunstein).
The data subject initiated a lawsuit before the Regional Court of Traunstein (''Landesgericht Traunstein – LG Traunstein'').


Firstly, she argued that the controller is constantly monitoring her private messages and that the privacy policy is not transparent and is too complex.
Firstly, she argued that the controller is constantly monitoring her private messages and that the privacy policy is not transparent and is too complex.


Secondly, she argued that the controller is collecting through cookies data relating to activities that happen outside the social network without her consent.  
Secondly, she argued that, through cookies, the controller is collecting data relating to activities that happen outside the social network without her consent.  


Thirdly, she claimed that the controller forwarded all her personal data from and in connection with her account to the USA. She argued that this transfer is unlawful since the USA did not guarantee a level of protection corresponding to the GDPR.
Thirdly, she claimed that the controller forwarded all her personal data from and in connection with her account to the USA. She argued that this transfer is unlawful since the USA did not guarantee a level of protection equivalent to the GDPR.


Therefore, the data subject asked the court to order the controller to pay non-material damages.
Therefore, the data subject asked the court to order the controller to pay non-material damages.


As for the first argument, the controller pointed out that it conducts scans on the private messages only when to detect child sexual abuse material (CSAM) in compliance with the ePrivacy Directive 2002/58/EC (see Article 3 Regulation (EU) 2021/1232).
As for the first argument, the controller pointed out that it conducts scans on the private messages only when to detect child sexual abuse material (CSAM) in compliance with the [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32002L0058 ePrivacy Directive 2002/58/EC] (see [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32021R1232 Article 3 Regulation (EU) 2021/1232]).
 
Moreover, the controller argued that it is respecting its transparency obligations and that the transfer of data to the US is legal since there is an adequacy decision and, before that, there were SCCs.


=== Holding ===
=== Holding ===
First of all, the court ruled that the data subject has not demonstrated that the controller is systematically and automatically monitors the content exchanged via the messenger service. In every case, it found that the controller has proven that it carries out only permissible CSAM scanning. According to the court, this processing is covered by the legal basis provided for by [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]].
First of all, the court ruled that the data subject has not demonstrated that the controller is systematically and automatically monitors the content exchanged via the messenger service. In every case, it found that the controller has proven that it carries out only permissible CSAM scanning. According to the court, this processing is covered by the legal basis provided for by [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]].


Secondly, it held that, due to the extensive data protection requirements that are imposed on the controller, the privacy policy cannot be more concise or simpler. Therefore, it found no violation of Article 13 and 14 GDPR.
Secondly, it held that, due to the extensive data protection requirements that are imposed on the controller, the privacy policy cannot be more concise or simpler. Therefore, it found no violation of [[Article 13 GDPR|Article 13]] and [[Article 14 GDPR|14 GDPR]].


Thirdly, it did not uphold the data subject’s argument about cookies. It found that the controller could rely on consent under Article 6(1)(a) and 9(2)(a) GDPR to collect this data.  
Thirdly, it did not uphold the data subject’s argument about cookies. It found that the controller could rely on consent under [[Article 6 GDPR#1a|Article 6(1)(a)]] and [[Article 9 GDPR#2a|9(2)(a) GDPR]] to collect this data.  


Fourthly, the court noted that the social media platform at hand is designed as a global platform whose aim is to allow users to have a worldwide network and allow users to have “friends” from all over the World. Therefore, according to the court, it is obvious – and also the data subject should know this – that data is also transmitted to the USA, especially since the search for users in other jurisdictions can only work if there is a cross-border exchange of data.
Fourthly, the court noted that the social media platform at hand is designed as a global platform whose aim is to allow users to have a worldwide network and allow users to have “friends” from all over the World. Therefore, according to the court, it is obvious – and also the data subject should know this – that data is also transmitted to the USA, especially since the search for users in other jurisdictions can only work if there is a cross-border exchange of data.
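Review bot: The court's German name is still wrong in the revised sentence about the lawsuit. It reads ''Landesgericht Traunstein'', while this page's own infobox parameters give Court_Original_Name=Landgericht Traunstein, so the parenthetical should use "Landgericht". The sentence that gains the ePrivacy and Regulation (EU) 2021/1232 links still reads "only when to detect", which should be "only to detect". The first Holding paragraph, unchanged on both sides, has "is systematically and automatically monitors", which should be "systematically and automatically monitors".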
Line 106: Line 108:
Furthermore, it held that the data transfer at hand is necessary for the performance of a contract and, therefore, lawful under [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]].
Furthermore, it held that the data transfer at hand is necessary for the performance of a contract and, therefore, lawful under [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]].


Finally, as for Chapter V GDPR, the court pointed out that currently the controller can rely on the Commission Implementing Decision EU 2023/1795 which allows data transfers to the USA under [[Article 45 GDPR#3|Article 45(3) GDPR]].
Finally, as for Chapter V GDPR, the court pointed out that currently the controller can rely on the [https://eur-lex.europa.eu/eli/dec_impl/2023/1795/oj Commission Implementing Decision EU 2023/1795] which allows data transfers to the USA under [[Article 45 GDPR#3|Article 45(3) GDPR]].


As for the preceding period, it found that the standard contractual clauses adopted by the European commission in 2010 and 2021 according to [[Article 46 GDPR#2c|Article 46(2)(c) GDPR]] provide a sufficient legal basis. According to the court, the fact the US government authorities can access the data transferred by the controller does not prevent the guarantee of an essentially equal level of protection since it is also possible for EU authorities to have such an access under [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]].
As for the preceding period, it found that the standard contractual clauses adopted by the European commission in 2010 and 2021 according to [[Article 46 GDPR#2c|Article 46(2)(c) GDPR]] provide a sufficient legal basis. According to the court, the fact the US government authorities can access the data transferred by the controller does not prevent the guarantee of an essentially equal level of protection since it is also possible for EU authorities to have such an access under [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]].
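Review bot: The new link label in the Chapter V sentence, "Commission Implementing Decision EU 2023/1795", does not match the citation style used for the other linked act on this page, "Regulation (EU) 2021/1232". Suggest "Commission Implementing Decision (EU) 2023/1795". In the following context paragraph, "European commission" should be capitalised as "European Commission".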
Line 115: Line 117:


== Comment ==
== Comment ==
This judgement seems not to follow the case law of the consistent case law of the CJEU.
This judgement seems not to be consistent with the settled case law of the CJEU. In particular, in [[CJEU - C-311/18 - Schrems II|C-311/18, ''Schrems II'']], the CJEU ruled that when personal data are transferred to a third country pursuant to standard data protection clauses, a level of protection essentially equivalent to that guaranteed within the European Union must be afforded. To operate this assessment, not only the content of the SCCs must be taken into account, but also the relevant aspects of the legal system of that third country, as regards any access by the public authorities of that third country to the personal data transferred (para. 105).
 
In the same case, the CJEU found that the legal system of the USA does not guarantee an equivalent level of protection (paras. 198-199).


== Further Resources ==
== Further Resources ==
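Review bot: The expanded Comment does not say which part of the Holding it criticises. The Holding relies on the 2023 adequacy decision for current transfers and on the 2010 and 2021 SCCs only for the preceding period, so the Schrems II argument (paras. 105 and 198-199) should be tied explicitly to the court's reasoning on the SCC period. On wording, "To operate this assessment" would read better as "To carry out this assessment", and "judgement" should match the spelling "judgment" used in the translated text below.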
Line 124: Line 128:


<pre>
<pre>
LG Traunstein, final judgment of July 8, 2024 - 9 O 173/24
Key Points:
 
1. The extensive data protection requirements imposed by law, including those on operators of social networks, combined with the complexity of the services regularly provided by these networks, do not allow for a concise or simple presentation of the data protection framework. Therefore, lengthy and seemingly confusing data protection policies generally do not constitute a violation of Articles 13 and 14 of the GDPR. (Paragraph 24) (Editorial Guideline)
Title:
2. A global social network based in the USA cannot be accused of unlawful data transfer to the USA. If the social network is designed as a global platform, data must necessarily be exchanged internationally to maintain the worldwide network. Data transfer is thus generally required for contract fulfillment under Article 6(1)(b) GDPR. (Paragraphs 29-30) (Editorial Guideline)
No claim against the operator of a social network for data processing and data storage in Europe alone
3. A user of a globally operated social network cannot demand that all data of the network in question be stored and processed in Europe. The business decision of the platform operator to process the relevant data outside Europe must be accepted by the users, especially since no one is forced to use such platforms. (Paragraph 29) (Editorial Guideline)
Chain of standards:
GDPR Art. 6 Para. 1 lit. b, Art. 13, Art. 14, Art. 45 Para. 3
Principles:
1. The extensive data protection requirements that are legally imposed on operators of social networks, among others, in conjunction with the complexity of the services regularly provided by these networks, do not allow for a concise or simple presentation of the data protection framework. Therefore, long and supposedly confusing data protection guidelines do not usually lead to a violation of Art. 13 and 14 GDPR. (para. 24) (editorial principle)
2. A global social network based in the USA cannot be accused of illegally transferring data to the USA. If the social network is designed as a global platform, data must necessarily be exchanged internationally in order to be able to maintain the global network. The data transfer is therefore fundamentally necessary to fulfill the contract under Art. 6 Para. 1 lit. b GDPR. (para. 29 - 30) (editorial principle)
3. The user of a globally operated social network cannot demand that the controller store and process all data from the network in question in Europe. The entrepreneurial decision of the platform operator to process the relevant data outside of Europe must be accepted by the users, especially since no one is forced to use such platforms. (para. 29) (editorial principle)
Keywords:
Jurisdiction, interest in a declaratory judgment, application for an injunction, need for legal protection, uncertainty, data transfer, claim for damages
Source:
GRUR-RS 2024, 19976
 
Tenor
 
1. The action is dismissed.
 
2. The plaintiff must bear the costs of the legal dispute.


Judgment:
1. The lawsuit is dismissed.
2. The plaintiff shall bear the costs of the legal dispute.
3. The judgment is provisionally enforceable for the defendant against security in the amount of 110% of the amount to be enforced.
3. The judgment is provisionally enforceable for the defendant against security in the amount of 110% of the amount to be enforced.


The value in dispute is set at €7,000.00.
Order:
 
The amount in dispute is set at €7,000.00.
Facts
 
1
The plaintiff is suing the defendant for damages, injunctive relief, deletion and information due to violations of the General Data Protection Regulation (GDPR), in particular in connection with the monitoring of the ... messenger service, processing of "off-... data" and data transmission to the USA.
 
2
The defendant operates the social network "...". The plaintiff maintains a user profile there. Name, gender and user ID are always publicly visible, the other data stored there by the user depends on the selected settings.
 
3
Part of "..." is also a messenger service through which "..." users can exchange messages and files with each other.
 
4
The plaintiff claims that the plaintiff's consent covering the data processing by the defendant is not available. The plaintiff is suffering from a loss of control over its data and is concerned about possible misuse of the data concerning it. The plaintiff only provided its telephone number for security purposes and assumed that only it could access this information. The information provided by the defendant before the court was inadequate. In addition, the messenger service of "..." is systematically and automatically monitored ("crawling" of the content). This cannot be deactivated by the user and is not necessary for the performance of the contract.
 
5
Data relating to activities outside the social network ("off-... data") is collected, stored and evaluated en masse by "..." and passed on within the ... group. User consent is not required. The defendant has forwarded all of the plaintiff's personal data from and in connection with the plaintiff's "..." account to the United States of America (USA), in particular to the NSA, for random review and investigation. This is illegal because the USA does not guarantee a level of protection corresponding to the GDPR. The plaintiff also did not consent to the transfer of their data. In terms of content, the enormous amount of data transmitted would reflect practically the entire social life of the user. This caused considerable anxiety and stress for the plaintiff. The plaintiff bases the asserted claims for information, injunctive relief and deletion on Art. 15, 17 and 18 GDPR, Sections 1004 analogously, 823 Para. 1, 823 Para. 2 BGB in conjunction with Art. 6 GDPR, the claims for damages on Art. 82 GDPR.
 
6
The plaintiff requests,
 
1.
 
The defendant is ordered to pay the plaintiff non-material damages as compensation for data protection violations with regard to the random monitoring of chat messages sent and received by the plaintiff via the ... messenger service as well as the collection, use and analysis of the plaintiff's "off-... data", the amount of which is left to the discretion of the court, but must be at least EUR 1,500.00, plus interest of five percentage points above the respective base interest rate since the action was brought.
 
2.
 
The defendant is further ordered to pay the plaintiff non-material damages as compensation for data protection violations with regard to the passing on and transmission of personal data of the plaintiff to the USA, in particular to the NSA there, the amount of which is left to the discretion of the court, but must be at least EUR 1,500.00, plus interest of five percentage points above the respective base interest rate since the action was brought.


3.
Statement of Facts:


It is determined that the defendant is obliged to compensate the plaintiff for all future damages that the plaintiff has suffered and/or will suffer a) as a result of the random monitoring of chat messages sent and received by the plaintiff via the ... messenger service and the collection, use and evaluation of the "off-... data" and b) as a result of the passing on and transmission of personal data of the plaintiff to the USA, in particular to the NSA there.
1. The plaintiff is suing the defendant for damages, an injunction, deletion, and information due to violations of the General Data Protection Regulation (GDPR), particularly in connection with the monitoring of the ... messenger service, processing of "Off-... Data," and data transfer to the USA.


4.
2. The defendant operates the social network "...". The plaintiff maintains a user profile there, where the name, gender, and user ID are always publicly visible, and other data provided by the user is visible depending on the selected settings.


The defendant is further ordered to refrain from, on pain of a fine of up to EUR 250,000.00 to be set by the court for each case of infringement, or alternatively a term of imprisonment to be enforced on its legal representative (director) or a term of imprisonment of up to six months, in the event of a repeat offense up to two years,
3. The "...” also includes a messenger service through which "...” users can exchange messages and files.


a) monitoring chat messages of the plaintiff which are and were sent via the "... messenger" service without cause,
4. The plaintiff claims that there is no valid consent for data processing by the defendant. The plaintiff suffers from a loss of control over their data and is concerned about potential misuse of their data. The plaintiff had provided their phone number for security purposes only and assumed they could access this information exclusively. The pre-litigation information provided by the defendant was inadequate. Additionally, the messenger service is systematically and automatically monitored (“crawling” of content), which cannot be disabled by the user and is not necessary for contract fulfillment.


b) collecting, using and evaluating "off-... data" of the plaintiff,
5. Data related to activities outside the social network ("Off-... Data") is collected, stored, and evaluated by "..." on a large scale and shared within the ... group. User consent is not obtained. The defendant has forwarded all personal data of the plaintiff from and in connection with the plaintiff's "...” account to the United States of America (USA), specifically to the NSA for random checks and investigations. This is unlawful, as the USA does not guarantee a level of protection equivalent to the GDPR. Moreover, the plaintiff did not consent to the transfer of their data. The data transmitted in enormous quantities practically represents the entire social life of the user. This has caused significant anxiety and stress for the plaintiff. The plaintiff bases the asserted claims for information, injunction, and deletion on Articles 15, 17, and 18 GDPR, Sections 1004 analog, 823(1), and 823(2) of the German Civil Code (BGB) in conjunction with Article 6 GDPR, and the claims for damages on Article 82 GDPR.


c) transmitting personal data of the plaintiff to the USA, in particular to the NSA.
6. The plaintiff requests:
  1. The defendant is ordered to pay the plaintiff non-material damages as compensation for data protection violations concerning the indiscriminate monitoring of chat messages sent and received by the plaintiff via the ... messenger service and the collection, use, and evaluation of the plaintiff's "Off-... Data," with the amount to be determined at the discretion of the court, but not less than €1,500.00, plus interest at five percentage points above the respective base rate from the date of pendency.
  2. The defendant is further ordered to pay the plaintiff non-material damages as compensation for data protection violations concerning the transfer and transmission of the plaintiff's personal data to the USA, particularly to the NSA, with the amount to be determined at the discretion of the court, but not less than €1,500.00, plus interest at five percentage points above the respective base rate from the date of pendency.
  3. It is declared that the defendant is obliged to compensate the plaintiff for all future damages arising from a) the indiscriminate monitoring of chat messages sent and received by the plaintiff via the ... messenger service and the collection, use, and evaluation of the plaintiff's "Off-... Data" and b) the transfer and transmission of the plaintiff's personal data to the USA, particularly to the NSA, that have occurred and/or will occur.
  4. The defendant is further ordered, under penalty of a fine of up to €250,000.00 for each case of infringement, alternatively to be enforced by custodial detention of the defendant's legal representative (Director) for up to six months, in the event of repeated infringement up to two years, to refrain from:
      a) indiscriminately monitoring chat messages of the plaintiff sent via the "...-Messenger" service,
      b) collecting, using, and evaluating the plaintiff's "Off-... Data,"
      c) transferring the plaintiff's personal data to the USA, particularly to the NSA.
  5. The defendant is ordered to provide the plaintiff with information:
      a) about the monitored, evaluated, and stored data from the monitoring of the ... messenger, specifically to present chat logs and disclose their internal evaluation, as well as delete this data if stored indiscriminately,
      b) about which "Off-... Data" was collected at the plaintiff's IP address by the defendant and for what purpose it was stored and used, as well as delete this data if stored indiscriminately,
      c) about the specific manner in which the plaintiff was affected by the transfer of their personal data to the USA, particularly to the NSA, i.e., who accessed the plaintiff's data and when, and which exact personal data of the plaintiff was viewed by whom.


5. The defendant is ordered to provide the plaintiff with information
7. The defendant requests the dismissal of the lawsuit.


a) about the monitored, evaluated and stored data from the monitoring of the ... messenger, namely to present chat logs and disclose their internal evaluation, and to delete these if they were stored without reason,
8. The defendant objects to the indeterminacy of the plaintiff's claims and the lack of interest in declaratory relief and need for legal protection. The defendant denies any data protection violation. The defendant argues that its transparency obligations are fulfilled. All users are adequately informed about the settings to protect their privacy (in particular, audience selection and searchability settings) according to the defendant's data policy. The purpose of the "...” platform is to find and connect with other people, which would be counteracted by pre-setting the searchability settings to "Friends" instead of "All". There was no obligation to report or notify. The defendant provided pre-litigation information about its data processing activities, and it is not obliged to provide information about third-party data processing activities. The plaintiff did not suffer any noticeable impairment; loss of control or discomfort does not constitute damage.


b) to provide information about which "off-... data" was collected by the defendant at the plaintiff's IP address and for what purpose it was stored and used, and to delete these if they were stored without reason,
9. The defendant further argues that it treats all messages transmitted via the messenger service confidentially. The ePrivacy Directive is followed by the defendant. The defendant conducts a so-called CSAM scanning according to Article 3 of the CSAM Regulation to identify child pornographic content. The data processing in connection with the messenger service is explained in the defendant's privacy policy. "Off-... Data," i.e., information about activities outside the ... technologies, is obtained by the defendant from third-party providers, who are responsible for ensuring that the collection and transfer of data is based on a valid legal basis, particularly obtaining any necessary consent. Additionally, the defendant uses the data only if the user has agreed via a cookie banner unless the processing is necessary for security and integrity purposes. The settings can be changed subsequently. The transfer of data by the defendant to ..., Inc. in the USA is based on Chapter V of the GDPR, the Commission's 2023 Adequacy Decision, and the Standard Contractual Clauses of 2010 and 2021. "...” is a global service, so cross-border data exchange is necessary for contract fulfillment. Specific requests from US government agencies under Section 702 of the Foreign Surveillance Act (FISA) are reviewed for legality before being answered. As ..., Inc. is prohibited by US law from disclosing information about such requests, the defendant is also not obliged to do so.


c) to provide information about the specific respect in which the plaintiff was affected by the transmission of the plaintiff's personal data to the USA, in particular to the NSA there, i.e. who accessed which data of the plaintiff and when, and which precise personal data of the plaintiff was viewed by whom.
10. The defendant objects to the lack of specificity in the plaintiff's claims and the lack of need for legal protection or interest in declaratory relief. The defendant raises the defense of limitation.


7
11. The plaintiff had previously filed a lawsuit against the defendant under file number 9 O 989/23, including a claim for non-material damages in connection with so-called "web scraping," which was largely dismissed by a (non-final) judgment on 17 January 2024.
The defendant requests,


8
12. The court held an oral hearing on the matter on 17 June 2024 and informally heard the plaintiff. For further details, reference is made to the exchanged pleadings and the hearing record.
It complains about the vagueness of the claims and the plaintiff's lack of interest in establishing the facts and need for legal protection. The defendant denies that there was a data protection violation. The transparency obligations are fulfilled by the defendant. All users are sufficiently informed about the setting options for protecting their privacy (in particular target group selection and searchability settings) in accordance with the defendant's data policy. The purpose of the "..." platform is to find other people and to get in touch with them, which is counteracted by the searchability settings being pre-set to "Friends" instead of "Everyone". There was no obligation to report or notify. The defendant provided information about its data processing activities before the court case, but is not obliged to provide information about the data processing activities of third parties. The plaintiff did not suffer any noticeable impairment; a loss of control or feeling unwell does not constitute damage.


9
Reasons for the Decision:
The defendant further states that it treats all messages transmitted via the messenger service confidentially. The defendant complies with the ePrivacy Directive. The defendant carries out so-called CSAM scanning in accordance with Article 3 of the CSAM Regulation in order to identify child pornography content. The data processing in connection with the messenger service is set out in the defendant's data protection policy. The defendant receives "off-... data", i.e. information about activities outside of the ... technologies, from third parties who are responsible for ensuring that the collection and transmission of data is based on a valid legal basis, in particular for obtaining any necessary consent. In addition, the defendant only uses the data if the user has consented via a cookie banner, unless the processing is necessary for security and integrity purposes. The settings can be changed subsequently. The transmission of data by the defendant to ..., Inc. in the USA is based on Chapter V of the GDPR, the Commission's 2023 adequacy decision and the 2010 and 2021 standard contractual clauses. "..." is a global service, which is why cross-border data exchange is necessary to fulfill the contract. Targeted requests from US government agencies under Section 702 of the Foreign Surveillance Act (FISA) are checked for legality before being answered. Since ..., Inc. is prohibited under US law from disclosing information about such requests, the defendant is not obligated to do so either.


10
13. The partially inadmissible lawsuit is entirely unfounded.
The defendant complains about the lack of specificity of the claims and the plaintiff's lack of need for legal protection or interest in establishing the facts. It raises the statute of limitations defense.


11
A.
The plaintiff here had filed a lawsuit against the defendant under case number 9 O 989/23, among other things for non-material damages in connection with so-called "web scraping", which was essentially dismissed by a (non-final) judgment of January 17, 2024.


12
14. The lawsuit is
The court held oral proceedings on the matter on June 17, 2024 and heard the plaintiff for information. To supplement and complete the facts of the case, reference is made to the exchanged written submissions and attachments as well as the minutes of the meeting.


Reasons for the decision
only partially admissible.


13
15. I. The Regional Court Traunstein has jurisdiction under Sections 1 of the Code of Civil Procedure (ZPO), 71(1), 23 of the Courts Constitution Act (GVG), and internationally under Article 79(2) Sentence 2, Article 82(6) GDPR and locally under Section 44(1) Sentence 2 of the Federal Data Protection Act (BDSG).
The partially inadmissible lawsuit is completely unfounded.


14
16. II. The plaintiff's claim for a declaratory judgment on the defendant's liability for future damages is not sufficiently specific under Section 253(2)(2) ZPO. The claim for a declaratory judgment on the defendant's liability for future damages is not sufficiently specific under Section 253(2)(2) ZPO. The claim refers to "future damages" that "have occurred and/or will occur." Even considering the entire plaintiff's submissions, it is unclear to the court whether the claim relates only to future damages or also to already incurred but possibly not yet known damages.
The lawsuit is only partially admissible.


15
17. III. There is also no sufficient interest in declaratory relief (Section 256(1) ZPO) concerning the declaratory judgment claim. A declaratory interest must be denied if, from the perspective of the injured party, there is no reason to expect that damage may at least be anticipated (Federal Court of Justice, NJW-RR 2007, 601). The court cannot see, nor is it plausibly explained, what damage the plaintiff is supposed to suffer from the defendant's unlawful monitoring of their messenger messages, processing of "Off-... Data," and data transfer to the USA.
I. The Traunstein Regional Court has jurisdiction in accordance with Sections 1 of the Code of Civil Procedure, 71 Paragraph 1, 23 of the Court Constitution Act, internationally in accordance with Art. 79 Paragraph 2 Sentence 2, 82 Paragraph 6 of the GDPR and locally in accordance with Section 44 Paragraph 1 Sentence 2 of the Federal Data Protection Act.


16
18. IV. The plaintiff's request for an injunction under point 4(a) of the claims is not sufficiently specific under Section 253(2)(2) ZPO. The word "indiscriminately" limits the request for an injunction in an objectively indeterminable way. A corresponding ruling would not be enforceable.
II. The application aimed at establishing the defendant's liability to pay compensation to the plaintiff for future damages is not sufficiently specific. Section 253 Paragraph 2 No. 2 of the Code of Civil Procedure. The application aimed at establishing the defendant's liability to pay compensation to the plaintiff for future damages is not sufficiently specific. Section 253 Paragraph 2 No. 2 of the Code of Civil Procedure. The application refers to "future damages" "that the plaintiff (...) has suffered and/or will suffer in the future." Even taking into account the plaintiff's entire submission, the court cannot determine whether the application should only cover future damages or also damages that have already occurred but are not yet known.


17
19. V. The plaintiff lacks the need for legal protection concerning the request for an injunction under point 4(b). The plaintiff has the option to control the handling of "Off-... Data" or "Activities outside ... technologies" through the settings. The plaintiff must have been aware of this at the latest due to the defendant's submissions in the legal dispute. Since a simpler way is available to achieve their legal protection goal, the plaintiff lacks the need for an injunction.
III. With regard to the application for a declaratory judgment, there is also no sufficient interest in a declaratory judgment (Section 256, paragraph 1 of the Code of Civil Procedure). An interest in a declaratory judgment must be denied if, from the injured party's point of view, there is no reason, after a reasonable assessment, to at least expect damage to occur (BGH NJW-RR 2007, 601). The court cannot determine what damage the plaintiff is supposed to suffer as a result of the defendant illegally monitoring their messenger messages, processing OffF data and transmitting data to the USA, and this is also not plausibly explained.


18
20. VI. The request for deletion of "indiscriminately stored" data (points 5(a) and (b) of the claims) is inadmissible due to indeterminacy for the reasons mentioned above under point IV.
IV. The injunction application under item 4 a) of the claims is not sufficiently specific, Section 253 Paragraph 2 No. 2 ZPO. The word "without cause" restricts the injunction request in an objectively indefinable manner. A corresponding ruling would not be enforceable.


19
21. VII. Otherwise, the lawsuit is admissible.
V. With regard to the injunction application under item 4b), the plaintiff lacks the need for legal protection. The plaintiff has the option of controlling the treatment of "off-... data" or "activities outside of the ... technologies" itself via the settings. The plaintiff must also be aware of this at the latest based on the defendant's statement in the legal dispute. Since it has an easier way of achieving its legal protection goal, it lacks the need for legal protection to file an injunction.


20
B.
VI. The application for deletion of "unfounded stored" data (sections 5a and b of the claims) is inadmissible due to the reasons mentioned above under section IV due to its vagueness.


21
22. The lawsuit is – insofar as it is inadmissible, in any case – also unfounded.
VII. Otherwise, the claim is admissible.


22
23. I. The plaintiff has no claims against the defendant concerning the alleged violations regarding the ... messenger service. There is already no relevant violation of the GDPR.
The claim is - to the extent that it is inadmissible - unfounded.


23
24. The plaintiff has not plausibly demonstrated that the defendant systematically and automatically monitors the content exchanged via the ... messenger service in the sense of "crawling" the content. This is not evident from the defendant's privacy policy. The defendant has plausibly explained that it treats the transmitted messages in accordance with legal requirements, particularly the ePrivacy Directive, and conducts permissible CSAM (Child Sexual Abuse Material) scanning to identify child pornographic content. The court also sees no violation of Articles 13 and 14 GDPR, despite the plaintiff's complaint about the length and complexity of the defendant's privacy policy. The extensive data protection requirements imposed by law, combined with the complexity of the services provided by the defendant, do not allow for a shorter or simpler presentation of the data protection framework. That the defendant stores and transmits the content exchanged via the messenger service to the recipient is necessary for providing this service, according to Article 6(1)(b) GDPR. Therefore, the court also sees no indication of a violation of the principle of data minimization (Article 5(1)(c) GDPR). The CSAM scanning is covered by Article 6(1)(f) GDPR. Moreover, it is up to the plaintiff – like any "f-user" – to decide whether or not to use the messenger service.
I. The plaintiff has no claims against the defendant in connection with the alleged allegations regarding the ... messenger service. There is already no relevant violation of the provisions of the GDPR.


24
25. II. The plaintiff also has no claims against the defendant concerning the alleged violations regarding "Off-... Data."
The plaintiff has not provided a convincing explanation of how it should be concluded that the defendant systematically and automatically monitors the content exchanged via the ... messenger service in the sense of "crawling" the content. In any case, this does not follow from the defendant's data protection policy. Rather, the defendant has plausibly demonstrated that it treats the transmitted messages in accordance with the legal requirements, in particular the ePrivacy Directive, and carries out permissible CSAM (child sexual abuse material) scanning to identify child pornography content. To the extent that the plaintiff complains about the length and lack of clarity of the defendant's data protection policy, no violation of Art. 13 and 14 GDPR can be identified. The extensive data protection requirements that are legally imposed on the defendant, in conjunction with the complexity of the services provided by the defendant, do not allow for a more concise or simpler presentation of the data protection framework. The fact that the defendant stores the content exchanged via the messenger service as such and transmits it to the addressee is unavoidable in order to provide this service, Art. 6 Para. 1 Letter B GDPR. The court therefore also sees no evidence of a violation of the data minimization requirement (Art. 5 Para. 1 Letter c GDPR). CSAM scanning is covered by Art. 6 (1) (f) GDPR. Furthermore, it is up to the plaintiff - like every "f" user - whether they want to use the messenger service at all or not.


25
26. 1. No data protection violation is evident in this regard either. The processing of data in connection with "Activities outside ... technologies" ("Off-... Data") is covered by the user's consent, Article 6(1)(a) and Article 9(2)(a) GDPR. According to the defendant's submission, which the court has no reason to doubt, the defendant obtains the user's consent via a cookie banner depicted on page 11 of the defendant's brief dated 04 March 2024. The corresponding settings are described transparently and can be changed by the user afterward. The plaintiff is registered with "...,” so they can make the corresponding settings themselves. How this applies to people who are not registered with "...,” is irrelevant, as the plaintiff is not part of this group. The fact that the button "Allow all cookies" is highlighted in blue does not violate Article 25(2) GDPR (privacy-friendly default settings). It is not a "default setting" but a common and permissible visual emphasis that does not affect the user's ability to make an active decision. As far as the defendant receives information from cookies and similar technologies from third parties, it processes this data according to its statements only for security and integrity purposes without the user's consent, which is covered by Article 6(1)(b) GDPR and Article 9(2)(b) GDPR. The plaintiff has not brought any substantial contrary arguments into the legal dispute.
II. The plaintiff also has no claims against the defendant in connection with the alleged allegations regarding the "off-... data".


26
27. 2. As far as the defendant may have processed "Off-... Data" without the necessary consent until the Federal Cartel Office's decision of 06 February 2019 (see press release of 07 February 2019, Annex KE-4), it has not been claimed that the defendant still holds "Off-... Data" from this period concerning the plaintiff. Moreover, any claims arising from this would be time-barred in any case, Sections 195, 199(1), 214(1) BGB. The plaintiff must have been aware of the factual requirements for the claim due to the aforementioned press release or be accused of gross negligence in being unaware. Limitation would have occurred by the end of 2022.
1. In this respect, too, no violation of data protection law is apparent. The processing of data in connection with "activities outside of the ... technologies" ("off-... data") is covered by the user's consent, Art. 6 (1) (a) and Art. 9 (2) (a) GDPR. According to the defendant's statement, the accuracy of which the court has no doubts about, it obtains the consent of the users by means of a cookie banner shown on page 11 of the written submission dated March 4, 2024. The relevant settings are described in a comprehensible manner by means of notes and can be subsequently changed by the user. The plaintiff is registered with "..." so that he can make the relevant settings himself. The situation with people who are not registered with "..." is irrelevant because the plaintiff does not belong to this group of people. The fact that the "Allow all cookies" button is colored blue does not constitute a violation of Art. 25 Para. 2 GDPR (data protection-friendly default setting). This is because it is not a "default setting", but a usual and permitted visual highlight that does not affect the user's active decision-making ability. To the extent that the defendant receives information from cookies and similar technologies from third parties, it processes this without the user's consent, according to its own statements, only for security and integrity purposes, which is covered by Art. 6 Para. 1 Letter b ff. GDPR or Art. 9 Para. 2 Letter B ff. GDPR. The plaintiff did not bring any substantively contradictory information into the legal dispute.


27
28. III. The plaintiff finally has no claims against the defendant concerning the alleged violations in connection with data transfer to the USA.
2. To the extent that the defendant processed the "Off-... data" without the required consent until the decision of the Federal Cartel Office of February 6, 2019 (see press release of February 7, 2019, Appendix KE-4), it is not stated that the defendant still retains "Off... data" from this period in relation to the plaintiff. Moreover, the plaintiff's resulting claims would in any case be time-barred, Sections 195, 199 Para. 1, 214 Para. 1 BGB. In any case, the plaintiff had to know the actual requirements for the claim as a result of the aforementioned press release or expose itself to the accusation of grossly negligent ignorance. The statute of limitations would therefore have expired at the end of 2022.


28
29. 1. The court cannot recognize any unlawful data transfer. The platform "..." and the MGroup originate from the USA. "..." is designed as a global platform. To maintain this worldwide network, data must necessarily be exchanged internationally. The fact that data is also transferred to the USA by the defendant in this context is therefore obvious. This necessity is also independent of whether the plaintiff is "friends" with US-American "..." users or not. Because the search for users in other jurisdictions can only work if cross-border data exchange takes place. All this must be well known to any "...," including the plaintiff. The plaintiff has no claim that "...," be operated in such a way that all data is stored and processed in Europe in the sense of a purely European "...". The business decision of the platform operator "...,” to process data in the United States of America, must be accepted by the users, especially since no one is forced to use the platform "...”.
III. Finally, the plaintiff has no claims against the defendant in connection with the alleged allegations in connection with the data transfer to the USA.


29
30. 2. Data transfer is therefore generally necessary for contract fulfillment under Article 6(1)(b) GDPR. There are no sufficient factual indications that the defendant, as the plaintiff ultimately claims, provides its entire data stock to the US foreign intelligence service without any prerequisites. What the US government is said to have "admitted" in this regard is not specifically explained by the plaintiff. The defendant has denied such claims, and no evidence was provided by the plaintiff.
1. The court cannot identify any illegal data transfer. The platform "..." and the MGroup originate from the USA. "..." is designed as a global platform. In order to maintain this worldwide network, data must necessarily be exchanged internationally. It is therefore obvious that in this context data is also transferred by the defendant to the USA. This requirement is also independent of whether the plaintiff is "friends" with US "..." users or not. The search for users in other legal areas alone can only work if there is a cross-border data exchange. All of this must be sufficiently known to every "..." user, including the plaintiff. The plaintiff has no right to expect that "..." is operated in such a way that all data is stored and processed in Europe in the sense of a purely European "...". The entrepreneurial decision of the operator of the "..." platform to process data in the United States of America must be accepted by the users, especially since no one is forced to use the "..." platform.


30
31. 3. The defendant complies with the requirements for data transfer to third countries under Chapter V of the GDPR.
2. The data transfer is therefore fundamentally necessary for the performance of the contract, Art. 6 Para. 1 Letter b GDPR. There is no sufficient factual evidence that the defendant, as the plaintiff ultimately claims, also makes its entire data set freely available to the American foreign intelligence service without any conditions. The plaintiff has not specifically explained what the US government is supposed to have "admitted" in this regard. In any case, the defendant has denied this and no evidence has been provided by the plaintiff.


31
32. a) Currently, data transfer is based on the Commission's Adequacy Decision of 10 July 2023. This provides a valid basis for data transfer under Article 45(3) GDPR. Therefore, a further review of the adequacy of the protection level is unnecessary.
3. The defendant complies with the requirements for data transfer to third countries under Chapter V of the GDPR.


32
33. b) For the preceding period, the Standard Contractual Clauses issued by the Commission in 2010 and 2021, in conjunction with Article 46(1) and (2)(c) GDPR, provide a sufficient legal basis. Under Article 46(1) GDPR, the data subjects must have enforceable rights and effective legal remedies to ensure a level of protection equivalent to EU law. The plaintiff complains that the US legal remedy mechanism is based on a government regulation and not on formal law. However, a regulation is also a law in the material sense. It is not apparent why this should not provide equivalent legal protection.
a) The data transfer is currently taking place on the basis of the Commission's adequacy decision of July 10, 2023. This represents a suitable basis for the data transfer, Art. 45 (3) GDPR. A further review of the adequacy of the level of protection is therefore unnecessary.


33
34. c) Finally, as already stated above, the data transfer is necessary for contract fulfillment and thus permissible under Article 49(1)(1)(b) GDPR.
b) For the previous period, the standard contractual clauses adopted by the Commission in 2010 and 2021 in conjunction with Art. 46 (1), (2) (c) GDPR provide a sufficient legal basis. According to Art. 46 (1) GDPR, those affected must have enforceable rights and effective legal remedies at their disposal in order to ensure a level of protection equivalent to EU law. The plaintiff complains that the US legal remedy mechanism is based on a government regulation and not on formal law. However, even a regulation is a law in the substantive sense. It is not clear why this cannot provide equivalent legal protection.


34
35. d) As far as data protection authorities hold differing views, they are not binding on the court.
c) Finally, as already explained above, the data transfer is necessary for the performance of the contract and is therefore permissible on the basis of Art. 49 (1) sentence 1 b GDPR.


35
36. 4. There is no conclusive evidence of a violation of Article 5(1)(f) or Article 32 GDPR. It is not apparent from the plaintiff's submissions why there should be reason to believe that the defendant does not adequately protect the plaintiff's data in technical or organizational terms.
d) If data protection authorities hold different opinions, these are not binding on the court.


36
37. 5. The court also cannot see a violation of Article 13 GDPR. The defendant has provided the references where the user can find information about the necessity of data transfer to foreign companies, particularly ..., Inc., as well as about the disclosure of
4. There is no conclusive evidence of a violation of Art. 5 Paragraph 1 Letter f or Art. 32 GDPR. The statement of claim does not provide any reason to believe that the defendant does not adequately protect the plaintiff's data in technical or organizational terms.


37
government requests. It is not apparent that the defendant failed to fulfill its information obligation.
5. The court cannot identify a violation of Art. 13 GDPR either. The defendant has provided the sources where users can find out about the need to transfer data to foreign companies, namely .., Inc., as well as about the provision of information in response to government requests. It is not apparent that the defendant has not complied with its obligation to provide information.


38
38. 6. As far as US government agencies, including intelligence services, can request information from ..., Inc. under US law, this is a consequence of the lawful data transfer to the jurisdiction of the United States of America. This possibility does not conflict with the guarantee of an essentially equivalent level of protection, as it would also be permissible under the European data protection regime according to Article 6(1)(c) GDPR (fulfillment of a legal obligation).
6. To the extent that US government agencies, including the secret services, can request information from .., Inc. under US law, this is a consequence of the lawful transfer of data to the territory of the United States of America. This possibility does not conflict with the guarantee of an essentially equal level of protection, as it would also be permissible under the European data protection regime under Art. 6 Para. 1 Letter c GDPR (fulfillment of a legal obligation).


39
39. IV. The plaintiff also lacks a causal damage for a claim for damages under Article 82 GDPR. During their informal hearing, the plaintiff only stated that they had been informed about possible data protection violations concerning data transfer or the messenger by their legal representatives. Only after the court's indication did it become apparent that the present lawsuit does not relate to the scraping cases. Reference is made to the decision of the Higher Regional Court of Munich, case number 14 U 3359/23 e, order of 19 December 23, which states:
IV. In order to claim damages under Art. 82 GDPR, there is also no causal damage to the plaintiff. During its informative hearing, the plaintiff merely stated that it had only been made aware of possible data protection violations in connection with the transfer of data or the messenger by the plaintiff's representatives. It was only after the court pointed this out that it became clear to it that the current lawsuit did not relate to the scraping cases. Finally, reference is made to the decision of the Higher Regional Court of Munich, case no. 14 U 3359/23 e, order of December 19, 2023, in which the following is stated:
"The fear (even more clearly: English 'fear' and French 'crainte'), in which the CJEU sees non-material damage, can only be something that the injured party (a) personally experiences and (b) mentally burdens them, thus psychologically affecting them. If the trial court cannot recognize anything of the sort, the occurrence of non-material damage is not more likely than not in the sense of Section 287(1) ZPO."


“The fear (even more clearly: English “fear” and French “crainte”), in which the ECJ sees material damage, can only be something that the injured party (a) experiences personally and which (b) burdens him mentally, thus impairs him psychologically. If the trial court is unable to identify anything of the sort, the occurrence of non-material damage is not predominantly probable within the meaning of Section 287 Paragraph 1 of the Code of Civil Procedure.
40. This is the case here: the "great concern" initially indicated only after being prompted by their legal representative during the informal hearing (after initially stating that they "also find it bad") does not constitute non-material damage.


40
41. V. The plaintiff has no claims for information against the defendant under Article 15 GDPR.
This is the case here: the “great concern” stated (only) in the context of the information hearing when presented by her attorney (after initially stating that she “also finds it bad”) does not constitute non-material damage.


41
42. 1. As far as information is requested regarding the data "from the monitoring of the FMessenger," to "present chat logs and disclose their internal evaluation," the chat logs can be downloaded by the plaintiff themselves. The information claim is thereby fulfilled, Section 362(1) BGB. The court does not understand what is meant by "internal evaluation"; a subsumption under one of the categories of Article 15(1) GDPR is not possible in this regard.
V. The plaintiff is not entitled to information claims against the defendant under Article 15 of the GDPR.


42
43. 2. As far as information is requested about which "Off-... Data" was collected at the plaintiff's IP address by the defendant and for what purpose it was stored and used, the defendant rightly refers to the self-information option it provides and, concerning the processing purposes, to a specific page in the help section. The information is thereby provided, Section 362(1) BGB.
1. If information is requested regarding the data “from the monitoring of the FMessenger”, “chat logs are to be presented and their internal evaluation disclosed”, the chat histories can be downloaded by the plaintiff themselves. The right to information is thereby fulfilled, Section 362 Paragraph 1 of the German Civil Code. What is meant by an “internal evaluation” is not clear to the court; a subsumption under one of the categories of Art. 15 Para. 1 GDPR is not possible in this respect.


43
44. 3. Regarding any data transferred to the NSA, the defendant can refuse to provide information because, on the one hand, there is a confidentiality obligation under US law, and on the other hand, it is inherently confidential information, Article 23 GDPR in conjunction with Section 29(1)(2) BDSG. The latter provision is not limited to professional secrecy holders, contrary to the plaintiff's view. It goes without saying that the information on whether and what information is provided to intelligence services is inherently confidential. Moreover, the information is not provided by the defendant but by ..., Inc., so the defendant would not be liable to provide information.
2. Insofar as information is requested as to which "off-... data" was collected by the defendant at the plaintiff's IP address and for what purpose it was stored and used, the defendant rightly refers to the self-disclosure option it has made available and, with regard to the processing purposes, to a specific page in the help section. The information is thus provided, Section 362 Para. 1 BGB.


44
45. VI. The deletion requests under Article 17 GDPR (points 5(b) and (c) of the claims) are futile because they are conditional on the data processing being "indiscriminate." Even if one were to interpret this term as meaning "unnecessary" (Article 17(1)(a) GDPR), "without a legal basis" (Article 17(1)(b) GDPR), or "unlawful" (Article 17(1)(d) GDPR), these conditions, as outlined under points I and II, do not apply.
3. With regard to any data transmitted to the NSA, the defendant can refuse to provide information because, on the one hand, there is a duty of confidentiality under US law and, on the other hand, the information is of a confidential nature, Art. 23 GDPR in conjunction with Section 29 Para. 1 Sentence 2 BDSG, whereby, contrary to the plaintiff's opinion, the latter provision is not limited to those who are bound by professional secrecy, even based on its wording. It goes without saying that the information as to whether and what information is provided to secret services is, by its nature, confidential. Furthermore, the information provided to the NSA is not provided by the defendant, but by .., Inc., so that the defendant would not be liable with regard to a claim for information.


45
46. VII. All injunction claims fail due to the absence of a violation of the GDPR, as mentioned under points I to III. Regarding the "Off-... Data," it also adds that the user can manage the relevant settings. The plaintiff acts inconsistently if they leave the settings as they are and, on the other hand, demand that the defendant not process the data based on these settings.
VI. The requests for deletion pursuant to Art. 17 GDPR (points 5 b and c of the claims) are ineffective because they are made under the condition that the data processing is carried out “without cause”. Even if one wanted to give this term the meaning “not necessary” (Art. 17 para. 1 letter a GDPR), “without legal basis” (Art. 17 para. 1 letter b GDPR), or “unlawful” (Art. 17 para. 1 letter d GDPR), these conditions are not met, as explained in points I to II.


46
47. VIII. In the absence of a principal claim, there is also no claim for procedural interest under Section 291 BGB.
VII. All claims for injunctive relief fail due to the lack of a violation of the GDPR, see above, sections I to III. With regard to the "off-... data", it is also up to the user to manage the relevant settings. The plaintiff acts inconsistently if it leaves the settings as they are and, on the other hand, demands that the defendant not process the data on the basis of these settings.


47
C.
VIII. In the absence of a main claim, there is also no claim to litigation interest under Section 291 of the German Civil Code.


48
48. I. The cost decision is based on Section 91(1) ZPO.
I.The decision on costs is based on Section 91 Paragraph 1 of the Code of Civil Procedure.


49
49. II. The provisional enforceability is based on Section 709 ZPO.
II.The provisional enforceability arises from Section 709 of the Code of Civil Procedure.


50
50. III. The determination of the amount in dispute is based on Sections 39(1), 43(1), 48(1)(1) GKG, and 3 ZPO.
III.The determination of the value in dispute is based on Sections 39 Paragraph 1, 43 Paragraph 1, 48 Paragraph 1 Sentence 1 of the Code of Civil Procedure.


51
51. The court values the claims as follows:
The Court assesses the applications as follows:
Item / Value
1. 1,500
2. 1,500
3. a) 500
3. b) 500
4. a) 500
4. b) 500
4. c) 500
5. a) 500
5. b) 500
5. c) 500
</pre>
</pre>

Latest revision as of 09:33, 4 September 2024

LG Traunstein - 9 O 173/24
Court: LG Traunstein (Germany)
Jurisdiction: Germany
Relevant Law: Article 6(1)(f) GDPR
Article 6(1)(a) GDPR
Article 13 GDPR
Article 14 GDPR
Article 45(3) GDPR
Article 46(2)(c) GDPR
Article 49(1)(b) GDPR
Article 3 Regulation (EU) 2021/1232
Decided: 08.07.2024
Published:
Parties:
National Case Number/Name: 9 O 173/24
European Case Law Identifier:
Appeal from:
Appeal to: Unknown
Original Language(s): German
Original Source: Bayern.Recht (in German)
Initial Contributor: fb

In a case about non-material damages, a court ruled that a controller that manages a social media platform can lawfully transfer data to the USA relying on an adequacy decision and, before the approval of the latter, on SCCs.

English Summary

Facts

The data subject is a user of a social network platform, which also provides a messaging service. This platform is managed by a company with its headquarters in the USA.

The data subject initiated a lawsuit before the Regional Court of Traunstein (Landgericht Traunstein – LG Traunstein).

Firstly, she argued that the controller is constantly monitoring her private messages and that the privacy policy is not transparent and is too complex.

Secondly, she argued that, through cookies, the controller is collecting data relating to activities that happen outside the social network without her consent.

Thirdly, she claimed that the controller forwarded all her personal data from and in connection with her account to the USA. She argued that this transfer is unlawful since the USA did not guarantee a level of protection equivalent to the GDPR.

Therefore, the data subject asked the court to order the controller to pay non-material damages.

As for the first argument, the controller pointed out that it scans private messages only to detect child sexual abuse material (CSAM), in compliance with the ePrivacy Directive 2002/58/EC (see Article 3 Regulation (EU) 2021/1232).

Moreover, the controller argued that it is respecting its transparency obligations and that the transfer of data to the US is legal since there is an adequacy decision and, before that, there were SCCs.

Holding

First of all, the court ruled that the data subject has not demonstrated that the controller systematically and automatically monitors the content exchanged via the messenger service. In any case, it found that the controller has proven that it carries out only permissible CSAM scanning. According to the court, this processing is covered by the legal basis provided for by Article 6(1)(f) GDPR.

Secondly, it held that, due to the extensive data protection requirements that are imposed on the controller, the privacy policy cannot be more concise or simpler. Therefore, it found no violation of Articles 13 and 14 GDPR.

Thirdly, it did not uphold the data subject’s argument about cookies. It found that the controller could rely on consent under Articles 6(1)(a) and 9(2)(a) GDPR to collect this data.

Fourthly, the court noted that the social media platform at hand is designed as a global platform whose aim is to give users a worldwide network and “friends” from all over the world. Therefore, according to the court, it is obvious – and the data subject should also know this – that data is also transmitted to the USA, especially since the search for users in other jurisdictions can only work if there is a cross-border exchange of data.

Moreover, the court believed that the controller's business decision to transfer data to the USA is to be accepted by the data subject since no one is forced to use the platform.

Furthermore, it held that the data transfer at hand is necessary for the performance of a contract and, therefore, lawful under Article 6(1)(b) GDPR.

Finally, as for Chapter V GDPR, the court pointed out that the controller can currently rely on Commission Implementing Decision (EU) 2023/1795, which allows data transfers to the USA under Article 45(3) GDPR.

As for the preceding period, it found that the standard contractual clauses adopted by the European Commission in 2010 and 2021 according to Article 46(2)(c) GDPR provide a sufficient legal basis. According to the court, the fact that US government authorities can access the data transferred by the controller does not prevent the guarantee of an essentially equal level of protection, since it is also possible for EU authorities to have such access under Article 6(1)(c) GDPR.

Moreover, the court ruled that the data transfer is in any event lawful since it is necessary for the performance of the contract under Article 49(1)(b) GDPR.

On these grounds, the court dismissed the data subject's requests.

Comment

This judgement seems not to be consistent with the settled case law of the CJEU. In particular, in C-311/18, Schrems II, the CJEU ruled that when personal data are transferred to a third country pursuant to standard data protection clauses, a level of protection essentially equivalent to that guaranteed within the European Union must be afforded. To carry out this assessment, not only the content of the SCCs must be taken into account, but also the relevant aspects of the legal system of that third country, as regards any access by the public authorities of that third country to the personal data transferred (para. 105).

In the same case, the CJEU found that the legal system of the USA does not guarantee an equivalent level of protection (paras. 198-199).


English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Key Points:
1. The extensive data protection requirements imposed by law, including those on operators of social networks, combined with the complexity of the services regularly provided by these networks, do not allow for a concise or simple presentation of the data protection framework. Therefore, lengthy and seemingly confusing data protection policies generally do not constitute a violation of Articles 13 and 14 of the GDPR. (Paragraph 24) (Editorial Guideline)
2. A global social network based in the USA cannot be accused of unlawful data transfer to the USA. If the social network is designed as a global platform, data must necessarily be exchanged internationally to maintain the worldwide network. Data transfer is thus generally required for contract fulfillment under Article 6(1)(b) GDPR. (Paragraphs 29-30) (Editorial Guideline)
3. A user of a globally operated social network cannot demand that all data of the network in question be stored and processed in Europe. The business decision of the platform operator to process the relevant data outside Europe must be accepted by the users, especially since no one is forced to use such platforms. (Paragraph 29) (Editorial Guideline)

Judgment:
1. The lawsuit is dismissed.
2. The plaintiff shall bear the costs of the legal dispute.
3. The judgment is provisionally enforceable for the defendant against security in the amount of 110% of the amount to be enforced.

Order:
The amount in dispute is set at €7,000.00.

Statement of Facts:

1. The plaintiff is suing the defendant for damages, an injunction, deletion, and information due to violations of the General Data Protection Regulation (GDPR), particularly in connection with the monitoring of the ... messenger service, processing of "Off-... Data," and data transfer to the USA.

2. The defendant operates the social network "...". The plaintiff maintains a user profile there, where the name, gender, and user ID are always publicly visible, and other data provided by the user is visible depending on the selected settings.

3. The "..." also includes a messenger service through which "..." users can exchange messages and files.

4. The plaintiff claims that there is no valid consent for data processing by the defendant. The plaintiff suffers from a loss of control over their data and is concerned about potential misuse of their data. The plaintiff had provided their phone number for security purposes only and assumed they could access this information exclusively. The pre-litigation information provided by the defendant was inadequate. Additionally, the messenger service is systematically and automatically monitored (“crawling” of content), which cannot be disabled by the user and is not necessary for contract fulfillment.

5. Data related to activities outside the social network ("Off-... Data") is collected, stored, and evaluated by "..." on a large scale and shared within the ... group. User consent is not obtained. The defendant has forwarded all personal data of the plaintiff from and in connection with the plaintiff's "..." account to the United States of America (USA), specifically to the NSA for random checks and investigations. This is unlawful, as the USA does not guarantee a level of protection equivalent to the GDPR. Moreover, the plaintiff did not consent to the transfer of their data. The data transmitted in enormous quantities practically represents the entire social life of the user. This has caused significant anxiety and stress for the plaintiff. The plaintiff bases the asserted claims for information, injunction, and deletion on Articles 15, 17, and 18 GDPR, Sections 1004 (by analogy), 823(1), and 823(2) of the German Civil Code (BGB) in conjunction with Article 6 GDPR, and the claims for damages on Article 82 GDPR.

6. The plaintiff requests:
   1. The defendant is ordered to pay the plaintiff non-material damages as compensation for data protection violations concerning the indiscriminate monitoring of chat messages sent and received by the plaintiff via the ... messenger service and the collection, use, and evaluation of the plaintiff's "Off-... Data," with the amount to be determined at the discretion of the court, but not less than €1,500.00, plus interest at five percentage points above the respective base rate from the date of pendency.
   2. The defendant is further ordered to pay the plaintiff non-material damages as compensation for data protection violations concerning the transfer and transmission of the plaintiff's personal data to the USA, particularly to the NSA, with the amount to be determined at the discretion of the court, but not less than €1,500.00, plus interest at five percentage points above the respective base rate from the date of pendency.
   3. It is declared that the defendant is obliged to compensate the plaintiff for all future damages arising from a) the indiscriminate monitoring of chat messages sent and received by the plaintiff via the ... messenger service and the collection, use, and evaluation of the plaintiff's "Off-... Data" and b) the transfer and transmission of the plaintiff's personal data to the USA, particularly to the NSA, that have occurred and/or will occur.
   4. The defendant is further ordered, under penalty of a fine of up to €250,000.00 for each case of infringement, alternatively to be enforced by custodial detention of the defendant's legal representative (Director) for up to six months, in the event of repeated infringement up to two years, to refrain from:
      a) indiscriminately monitoring chat messages of the plaintiff sent via the "...-Messenger" service,
      b) collecting, using, and evaluating the plaintiff's "Off-... Data,"
      c) transferring the plaintiff's personal data to the USA, particularly to the NSA.
   5. The defendant is ordered to provide the plaintiff with information:
      a) about the monitored, evaluated, and stored data from the monitoring of the ... messenger, specifically to present chat logs and disclose their internal evaluation, as well as delete this data if stored indiscriminately,
      b) about which "Off-... Data" was collected at the plaintiff's IP address by the defendant and for what purpose it was stored and used, as well as delete this data if stored indiscriminately,
      c) about the specific manner in which the plaintiff was affected by the transfer of their personal data to the USA, particularly to the NSA, i.e., who accessed the plaintiff's data and when, and which exact personal data of the plaintiff was viewed by whom.

7. The defendant requests the dismissal of the lawsuit.

8. The defendant objects to the indeterminacy of the plaintiff's claims and the lack of interest in declaratory relief and need for legal protection. The defendant denies any data protection violation. The defendant argues that its transparency obligations are fulfilled. All users are adequately informed about the settings to protect their privacy (in particular, audience selection and searchability settings) according to the defendant's data policy. The purpose of the "..." platform is to find and connect with other people, which would be counteracted by pre-setting the searchability settings to "Friends" instead of "All". There was no obligation to report or notify. The defendant provided pre-litigation information about its data processing activities, and it is not obliged to provide information about third-party data processing activities. The plaintiff did not suffer any noticeable impairment; loss of control or discomfort does not constitute damage.

9. The defendant further argues that it treats all messages transmitted via the messenger service confidentially. The ePrivacy Directive is followed by the defendant. The defendant conducts so-called CSAM scanning according to Article 3 of the CSAM Regulation to identify child pornographic content. The data processing in connection with the messenger service is explained in the defendant's privacy policy. "Off-... Data," i.e., information about activities outside the ... technologies, is obtained by the defendant from third-party providers, who are responsible for ensuring that the collection and transfer of data is based on a valid legal basis, particularly obtaining any necessary consent. Additionally, the defendant uses the data only if the user has agreed via a cookie banner unless the processing is necessary for security and integrity purposes. The settings can be changed subsequently. The transfer of data by the defendant to ..., Inc. in the USA is based on Chapter V of the GDPR, the Commission's 2023 Adequacy Decision, and the Standard Contractual Clauses of 2010 and 2021. "..." is a global service, so cross-border data exchange is necessary for contract fulfillment. Specific requests from US government agencies under Section 702 of the Foreign Surveillance Act (FISA) are reviewed for legality before being answered. As ..., Inc. is prohibited by US law from disclosing information about such requests, the defendant is also not obliged to do so.

10. The defendant objects to the lack of specificity in the plaintiff's claims and the lack of need for legal protection or interest in declaratory relief. The defendant raises the defense of limitation.

11. The plaintiff had previously filed a lawsuit against the defendant under file number 9 O 989/23, including a claim for non-material damages in connection with so-called "web scraping," which was largely dismissed by a (non-final) judgment on 17 January 2024.

12. The court held an oral hearing on the matter on 17 June 2024 and informally heard the plaintiff. For further details, reference is made to the exchanged pleadings and the hearing record.

Reasons for the Decision:

13. The partially inadmissible lawsuit is entirely unfounded.

A.

14. The lawsuit is only partially admissible.

15. I. The Regional Court Traunstein has jurisdiction under Sections 1 of the Code of Civil Procedure (ZPO), 71(1), 23 of the Courts Constitution Act (GVG), and internationally under Article 79(2) Sentence 2, Article 82(6) GDPR and locally under Section 44(1) Sentence 2 of the Federal Data Protection Act (BDSG).

16. II. The plaintiff's claim for a declaratory judgment on the defendant's liability for future damages is not sufficiently specific under Section 253(2)(2) ZPO. The claim refers to "future damages" that "have occurred and/or will occur." Even considering the entire plaintiff's submissions, it is unclear to the court whether the claim relates only to future damages or also to already incurred but possibly not yet known damages.

17. III. There is also no sufficient interest in declaratory relief (Section 256(1) ZPO) concerning the declaratory judgment claim. A declaratory interest must be denied if, from the perspective of the injured party, there is no reason to expect that damage may at least be anticipated (Federal Court of Justice, NJW-RR 2007, 601). The court cannot see, nor is it plausibly explained, what damage the plaintiff is supposed to suffer from the defendant's unlawful monitoring of their messenger messages, processing of "Off-... Data," and data transfer to the USA.

18. IV. The plaintiff's request for an injunction under point 4(a) of the claims is not sufficiently specific under Section 253(2)(2) ZPO. The word "indiscriminately" limits the request for an injunction in an objectively indeterminable way. A corresponding ruling would not be enforceable.

19. V. The plaintiff lacks the need for legal protection concerning the request for an injunction under point 4(b). The plaintiff has the option to control the handling of "Off-... Data" or "Activities outside ... technologies" through the settings. The plaintiff must have been aware of this at the latest due to the defendant's submissions in the legal dispute. Since a simpler way is available to achieve their legal protection goal, the plaintiff lacks the need for an injunction.

20. VI. The request for deletion of "indiscriminately stored" data (points 5(a) and (b) of the claims) is inadmissible due to indeterminacy for the reasons mentioned above under point IV.

21. VII. Otherwise, the lawsuit is admissible.

B.

22. The lawsuit is – insofar as it is inadmissible, in any case – also unfounded.

23. I. The plaintiff has no claims against the defendant concerning the alleged violations regarding the ... messenger service. There is already no relevant violation of the GDPR.

24. The plaintiff has not plausibly demonstrated that the defendant systematically and automatically monitors the content exchanged via the ... messenger service in the sense of "crawling" the content. This is not evident from the defendant's privacy policy. The defendant has plausibly explained that it treats the transmitted messages in accordance with legal requirements, particularly the ePrivacy Directive, and conducts permissible CSAM (Child Sexual Abuse Material) scanning to identify child pornographic content. The court also sees no violation of Articles 13 and 14 GDPR, despite the plaintiff's complaint about the length and complexity of the defendant's privacy policy. The extensive data protection requirements imposed by law, combined with the complexity of the services provided by the defendant, do not allow for a shorter or simpler presentation of the data protection framework. That the defendant stores and transmits the content exchanged via the messenger service to the recipient is necessary for providing this service, according to Article 6(1)(b) GDPR. Therefore, the court also sees no indication of a violation of the principle of data minimization (Article 5(1)(c) GDPR). The CSAM scanning is covered by Article 6(1)(f) GDPR. Moreover, it is up to the plaintiff – like any "f-user" – to decide whether or not to use the messenger service.

25. II. The plaintiff also has no claims against the defendant concerning the alleged violations regarding "Off-... Data."

26. 1. No data protection violation is evident in this regard either. The processing of data in connection with "Activities outside ... technologies" ("Off-... Data") is covered by the user's consent, Article 6(1)(a) and Article 9(2)(a) GDPR. According to the defendant's submission, which the court has no reason to doubt, the defendant obtains the user's consent via a cookie banner depicted on page 11 of the defendant's brief dated 04 March 2024. The corresponding settings are described transparently and can be changed by the user afterward. The plaintiff is registered with "...," so they can make the corresponding settings themselves. How this applies to people who are not registered with "...," is irrelevant, as the plaintiff is not part of this group. The fact that the button "Allow all cookies" is highlighted in blue does not violate Article 25(2) GDPR (privacy-friendly default settings). It is not a "default setting" but a common and permissible visual emphasis that does not affect the user's ability to make an active decision. As far as the defendant receives information from cookies and similar technologies from third parties, it processes this data according to its statements only for security and integrity purposes without the user's consent, which is covered by Article 6(1)(b) GDPR and Article 9(2)(b) GDPR. The plaintiff has not brought any substantial contrary arguments into the legal dispute.

27. 2. As far as the defendant may have processed "Off-... Data" without the necessary consent until the Federal Cartel Office's decision of 06 February 2019 (see press release of 07 February 2019, Annex KE-4), it has not been claimed that the defendant still holds "Off-... Data" from this period concerning the plaintiff. Moreover, any claims arising from this would be time-barred in any case, Sections 195, 199(1), 214(1) BGB. The plaintiff must have been aware of the factual requirements for the claim due to the aforementioned press release or be accused of gross negligence in being unaware. Limitation would have occurred by the end of 2022.

28. III. The plaintiff finally has no claims against the defendant concerning the alleged violations in connection with data transfer to the USA.

29. 1. The court cannot recognize any unlawful data transfer. The platform "..." and the MGroup originate from the USA. "..." is designed as a global platform. To maintain this worldwide network, data must necessarily be exchanged internationally. The fact that data is also transferred to the USA by the defendant in this context is therefore obvious. This necessity is also independent of whether the plaintiff is "friends" with US-American "..." users or not, because the search for users in other jurisdictions can only work if cross-border data exchange takes place. All this must be well known to any "...," including the plaintiff. The plaintiff has no claim that "...," be operated in such a way that all data is stored and processed in Europe in the sense of a purely European "...". The business decision of the platform operator "...," to process data in the United States of America, must be accepted by the users, especially since no one is forced to use the platform "...".

30. 2. Data transfer is therefore generally necessary for contract fulfillment under Article 6(1)(b) GDPR. There are no sufficient factual indications that the defendant, as the plaintiff ultimately claims, provides its entire data stock to the US foreign intelligence service without any prerequisites. What the US government is said to have "admitted" in this regard is not specifically explained by the plaintiff. The defendant has denied such claims, and no evidence was provided by the plaintiff.

31. 3. The defendant complies with the requirements for data transfer to third countries under Chapter V of the GDPR.

32. a) Currently, data transfer is based on the Commission's Adequacy Decision of 10 July 2023. This provides a valid basis for data transfer under Article 45(3) GDPR. Therefore, a further review of the adequacy of the protection level is unnecessary.

33. b) For the preceding period, the Standard Contractual Clauses issued by the Commission in 2010 and 2021, in conjunction with Article 46(1) and (2)(c) GDPR, provide a sufficient legal basis. Under Article 46(1) GDPR, the data subjects must have enforceable rights and effective legal remedies to ensure a level of protection equivalent to EU law. The plaintiff complains that the US legal remedy mechanism is based on a government regulation and not on formal law. However, a regulation is also a law in the material sense. It is not apparent why this should not provide equivalent legal protection.

34. c) Finally, as already stated above, the data transfer is necessary for contract fulfillment and thus permissible under Article 49(1)(1)(b) GDPR.

35. d) As far as data protection authorities hold differing views, they are not binding on the court.

36. 4. There is no conclusive evidence of a violation of Article 5(1)(f) or Article 32 GDPR. It is not apparent from the plaintiff's submissions why there should be reason to believe that the defendant does not adequately protect the plaintiff's data in technical or organizational terms.

37. 5. The court also cannot see a violation of Article 13 GDPR. The defendant has provided the references where the user can find information about the necessity of data transfer to foreign companies, particularly ..., Inc., as well as about the disclosure of government requests. It is not apparent that the defendant failed to fulfill its information obligation.

38. 6. As far as US government agencies, including intelligence services, can request information from ..., Inc. under US law, this is a consequence of the lawful data transfer to the jurisdiction of the United States of America. This possibility does not conflict with the guarantee of an essentially equivalent level of protection, as it would also be permissible under the European data protection regime according to Article 6(1)(c) GDPR (fulfillment of a legal obligation).

39. IV. The plaintiff also lacks a causal damage for a claim for damages under Article 82 GDPR. During their informal hearing, the plaintiff only stated that they had been informed about possible data protection violations concerning data transfer or the messenger by their legal representatives. Only after the court's indication did it become apparent that the present lawsuit does not relate to the scraping cases. Reference is made to the decision of the Higher Regional Court of Munich, case number 14 U 3359/23 e, order of 19 December 23, which states:
"The fear (even more clearly: English 'fear' and French 'crainte'), in which the CJEU sees non-material damage, can only be something that the injured party (a) personally experiences and (b) mentally burdens them, thus psychologically affecting them. If the trial court cannot recognize anything of the sort, the occurrence of non-material damage is not more likely than not in the sense of Section 287(1) ZPO."

40. This is the case here: the "great concern" initially indicated only after being prompted by their legal representative during the informal hearing (after initially stating that they "also find it bad") does not constitute non-material damage.

41. V. The plaintiff has no claims for information against the defendant under Article 15 GDPR.

42. 1. As far as information is requested regarding the data "from the monitoring of the FMessenger," to "present chat logs and disclose their internal evaluation," the chat logs can be downloaded by the plaintiff themselves. The information claim is thereby fulfilled, Section 362(1) BGB. The court does not understand what is meant by "internal evaluation"; a subsumption under one of the categories of Article 15(1) GDPR is not possible in this regard.

43. 2. As far as information is requested about which "Off-... Data" was collected at the plaintiff's IP address by the defendant and for what purpose it was stored and used, the defendant rightly refers to the self-information option it provides and, concerning the processing purposes, to a specific page in the help section. The information is thereby provided, Section 362(1) BGB.

44. 3. Regarding any data transferred to the NSA, the defendant can refuse to provide information because, on the one hand, there is a confidentiality obligation under US law, and on the other hand, it is inherently confidential information, Article 23 GDPR in conjunction with Section 29(1)(2) BDSG. The latter provision is not limited to professional secrecy holders, contrary to the plaintiff's view. It goes without saying that the information on whether and what information is provided to intelligence services is inherently confidential. Moreover, the information is not provided by the defendant but by ..., Inc., so the defendant would not be liable to provide information.

45. VI. The deletion requests under Article 17 GDPR (points 5(b) and (c) of the claims) are futile because they are conditional on the data processing being "indiscriminate." Even if one were to interpret this term as meaning "unnecessary" (Article 17(1)(a) GDPR), "without a legal basis" (Article 17(1)(b) GDPR), or "unlawful" (Article 17(1)(d) GDPR), these conditions, as outlined under points I and II, do not apply.

46. VII. All injunction claims fail due to the absence of a violation of the GDPR, as mentioned under points I to III. Regarding the "Off-... Data," it should be added that the user can manage the relevant settings. The plaintiff acts inconsistently if they leave the settings as they are and, on the other hand, demand that the defendant not process the data based on these settings.

47. VIII. In the absence of a principal claim, there is also no claim for procedural interest under Section 291 BGB.

C.

48. I. The cost decision is based on Section 91(1) ZPO.

49. II. The provisional enforceability is based on Section 709 ZPO.

50. III. The determination of the amount in dispute is based on Sections 39(1), 43(1), 48(1)(1) GKG, and 3 ZPO.

51. The court values the claims as follows:
Item / Value
1. 1,500
2. 1,500
3. a) 500
3. b) 500
4. a) 500
4. b) 500
4. c) 500
5. a) 500
5. b) 500
5. c) 500