AG München - 178 C 13527/22
Latest revision as of 15:04, 18 April 2023
AG München - 178 C 13527/22 | |
---|---|
Court: | AG München (Germany) |
Jurisdiction: | Germany |
Relevant Law: | Article 82 GDPR |
Decided: | 08.02.2023 |
Published: | |
Parties: | |
National Case Number/Name: | 178 C 13527/22 |
European Case Law Identifier: | |
Appeal from: | |
Appeal to: | Unknown |
Original Language(s): | German |
Original Source: | AG München (Germany) (in German) |
Initial Contributor: | mg |
A Bavarian court rejected a claim for non-material damages pursuant to Article 82 GDPR in the context of the 2021 Facebook data breach.
English Summary
Facts
The data subject was a Facebook user. While using the service, the data subject provided various personal information, including their city of residence and “relationship status” (both publicly visible on their Facebook profile) and their phone number (not immediately visible on the platform). However, under the privacy settings selected at the time of the events, a third person could use the phone number to find the data subject’s profile on Facebook. Accordingly, anyone in possession of the phone number could link it to information relating to the data subject.
In 2021, unknown “third parties” automatically combined telephone numbers and matched them with Facebook profiles thanks to the above-mentioned function. In this way, telephone numbers could be assigned to identified users. This resulted in a data breach concerning 533 million people in 106 different countries.
The data subject complained that they had since received anonymous calls and a huge amount of spam, which entailed negative psychological consequences for them. The data subject therefore asked for €1,000 in non-material damages under Article 82 GDPR.
The controller replied that data scraping - which is not hacking - does not entail a violation of the GDPR by the controller, as no mandatory security measures were circumvented. In Facebook’s view, third parties merely had access to publicly available information.
Holding
The court rejected the request for damages under Article 82 GDPR. Pursuant to this provision, any data subject has the right to receive compensation for material or non-material damages whenever their rights under the GDPR were infringed by a controller or processor.
In assessing the oral statements of the data subject, the court held that the data breach, although annoying, did not seriously harm the data subject. In fact, the data subject was only concerned about the possibility that their data could be misused in the future. According to the court, such a concern was too general to give rise to non-material damages. In the words of the judges, the data subject did not spend any “sleepless night” because of the data breach. As further evidence of the limited impact of the data breach on the data subject’s life, the court pointed to the fact that the user did not change their Facebook settings after the events.
In addition, the court argued that the causal link between the controller’s conduct and the damage could not be proved. As the data subject was active on other social networks, the court held that the spam and the anonymous calls may originate from facts other than the Facebook data breach.
Comment
This judgement is one of several German decisions involving a claim for non-material damages and originating from the 2021 Facebook data breach. In most of the cases, courts rejected as not credible the argument based on a loss of control over personal data as a source of non-material damages, since the data were already publicly available and therefore “out of control” (see e.g. par. 46, LG Offenburg of 28.02.2023, 2 O 98/22 and LG Bielefeld of 10.03.2023, 19 O 147/22).
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Title: No claims for damages due to "discomfort" after data scraping
Chains of standards: GDPR Art. 15, Art. 82; BGB § 254, § 280 paragraph 1, § 362 paragraph 1, § 1004; ZPO § 141, § 286, § 287
Motto: The occurrence of immaterial damage that is fundamentally compensable under the GDPR cannot be assumed simply because those affected by data scraping feel a general and not further tangible malaise because of a possible misuse of their data (connection to LG Kassel GRUR-RS 2022, 30480 para. 18 f.; LG Essen GRUR-RS 2022, 34818 Rn. 72 ff.; see also LG Bielefeld GRUR-RS 2022, 38375). (Rn. 25) (editorial guiding principle)
Tags: Facebook, data, mobile number, scraping, information, compensation, causality
Source: BeckRS 2023, 2115

Tenor
1. The lawsuit is dismissed.
2. The plaintiff has to bear the costs of the legal dispute.
3. The judgment is provisionally enforceable. The plaintiff can avert the defendant's enforcement by providing security in the amount of 110% of the amount enforceable on the basis of the judgment, unless the defendant provides security in the amount of 110% of the amount to be enforced before enforcement.

Facts
1 The parties dispute claims in connection with the General Data Protection Regulation (GDPR).
2 The defendant operates the Facebook platform on the territory of the European Union, the plaintiff has been using the Facebook platform for several years, as well as other social media. The plaintiff also used the Facebook Messenger app, but not since 2019. As part of the registration on the Facebook platform, the plaintiff provided various data, i.e. his date of birth, the city and the relationship status, with the last two being publicly visible in the plaintiff’s Facebook profile via the plaintiff’s target group selection. In addition, the plaintiff stored the number of his mobile phone that is still in use today, which is not necessary to use the platform, and chose the setting that via the target group selection - i.e. the settings that determine who can see individual information in a user's Facebook profile - the cell phone number was not visible on the plaintiff's profile. In the searchability criteria - i.e. the setting that determines who can find a user's profile using a phone number - the search for the plaintiff's profile using a mobile phone number was activated, specifically: the privacy settings ("privacy_setting") pointed to findability by anyone ("Everyone") recorded the phone number ("SEARCH_BY_PHONE") so that anyone who knew the plaintiff's number could find his Facebook profile to make a "friend request," for example. Reference is made to Annex B 17.
3 In 2019, unknown third parties used automated procedures to collect a large amount of the public information available on the defendant's platform (so-called "scraping") and correlated this data with the telephone numbers of the users concerned. The exact procedure is not known. It is suspected that a large number of possible telephone numbers from third parties were automatically combined and compared with the Facebook profiles, whereby at least with the appropriate searchability setting, hits were found for the respective profile and the telephone number could be assigned to the respective profile with its publicly visible data, even if the user had not made the telephone number publicly visible on his profile. In April 2021, the data sets of around 533 million users from 106 countries were made available on the Internet for retrieval. The plaintiff's mobile phone number was also found on the Internet. How the unknown third party got hold of the phone number is unclear. After the incident became known and until the end of the oral hearing, the plaintiff did not change his settings on Facebook.
4 Prior to the trial, the plaintiff requested information about the data relating to the plaintiff on the defendant's platform via his legal representative. Reference is made to Annex K 1. The defendant's attorneys-in-fact sent a reply dated November 11, 2021. Reference is made to Annex B 16.
5 The plaintiff claims he is unwell because he fears his phone number will be misused in the future. Since the incident, he has increasingly received spam messages and anonymous calls – which the defendant denies with ignorance.
6 The plaintiff claims that the defendant has repeatedly violated the plaintiff's rights under the GDPR. For details on the actual submission, reference is made to the written presentation.
7 The plaintiff requests
1. The defendant is sentenced to pay the plaintiff a reasonable amount of immaterial damages, the amount of which is at the discretion of the court, but at least EUR 1,000.00 plus interest since lis pendens at a rate of 5 percentage points above the base rate.
2. It is established that the defendant is obliged to compensate the plaintiff for all future damage that the plaintiff has suffered and/or will suffer from unauthorized access by third parties to the defendant's data archive, which, according to the defendant, took place in 2019 become.
3. The defendant is sentenced to avoid a fine of up to EUR 250,000.00 to be imposed by the court for each case of infringement, alternatively to be enforced on their legal representative (director), or to be enforced on their legal representative (director). to 6 months, in case of recurrence up to 2 years, to refrain
a. personal data of the plaintiff's side, namely telephone number, Facebook ID, surname, first name, gender, state, country, city, relationship status to unauthorized third parties via software for importing contacts without providing the security measures possible according to the state of the art in order to to prevent the exploitation of the system for purposes other than contacting,
b. to process the plaintiff's telephone number on the basis of a consent obtained by the defendant because of the confusing and incomplete information, namely without clear information that the telephone number can still be used by using the contact import tool even if it is set to "private", unless authorization is explicitly denied for this and, if the Facebook Messenger app is used, authorization is also explicitly denied here,
4. The defendant is sentenced to provide the plaintiff with information about personal data relating to the plaintiff, which the defendant processes, namely which data could be obtained from the defendant by which recipient and for what purpose by scraping or by using the contact import tool.
5. The defendant is sentenced to pay the plaintiff pre-trial legal fees of EUR 887.03 plus interest since pendency of 5 percentage points above the base interest rate.
8 The defendant requests
The charges get dismissed.
9 The defendant claims that the scraping – which is not hacking – does not constitute a data protection violation. There is no breach of security, since only publicly accessible profile information of the plaintiff was retrieved and no specific security measures or access authorizations were circumvented or overcome. There was no unauthorized disclosure of or access to the plaintiff's data.
10 In addition, the plaintiff did not suffer any causal damage.
11 The lawsuit dated April 7th, 2022 was pending at the Munich I Regional Court. In a decision dated September 20th, 2022, the Munich I Regional Court referred the legal dispute to the Munich District Court, which it believes to be competent, because the value of the jurisdiction in dispute was €4,500.
12 In addition, reference is made to the written submissions of the parties and the minutes of the oral hearing of February 1, 2023 as well as the remaining content of the files.

Reasons for decision
13 The admissible action is unfounded.
14 I. The action is admissible.
15 1. The international jurisdiction of German courts follows from Art. 18 Para. 1 Alt. 2 EuGVVO and Art. 79 Para. 2 S. 2 DSGVO, the plaintiff is a consumer from Munich.
16 2. The Local Court of Munich has local jurisdiction according to Art. 18 Para. 1, Alt. 2 EuGVVO, since the plaintiff is domiciled in Munich.
17 3. The substantive jurisdiction of the district court results from § 281 para. 2 sentence 4 ZPO as a result of the referral decision of the LG Munich I, which is binding for the district court.
18 4. Claim 1) is sufficiently specific within the meaning of Section 253 (2) No. 2 ZPO, since the court, after evaluating it, assumes that the facts of life are uniform, i.e. an application is not made that is alternatively based on several causes of action and the court to choose which it bases its decision on the application on - there is only one cause of action.
19 5. The court also considers the application for a declaratory judgment number 2) to be admissible and assumes that there is an interest in declaring it according to Section 256 (1) ZPO, which, however, is only a real procedural requirement for an affirmative judgment, cf. BGH NJW 2018, 227 para. 16.
20 6. The cease and desist application number 3) is sufficiently specific. An application wording that requires interpretation, such as “state of the art” in this case, is to be accepted if this is necessary to ensure effective legal protection, i.e. the plaintiff cannot formulate its application more specifically. According to the court, this is how it is here (also LG Bielefeld Rn 21f.)
21 II. The lawsuit is entirely unfounded.
22 1. No Claim for Damages
23 The plaintiff is not entitled to payment of immaterial damages in accordance with Art.
24 Due to the personal hearing of the plaintiff in the session, which took place in accordance with § 141 ZPO, the court is convinced that in any case there is no damage - which must be added to a data protection violation or other breach of duty and cannot be equated - so that the other legal issues in dispute need not be decided here. The extent to which the plaintiff's representatives' written submissions can be reconciled with the plaintiff's personal submissions in the oral hearing does not need to be discussed further here. It is therefore irrelevant whether the plaintiff's written submissions are text modules that are used in hundreds of lawsuits - as the defendant's representatives submit - or not. The personal statement of the plaintiff (§ 141 ZPO) in the oral hearing is decisive for the court, which it uses as a basis for its legal assessment according to §§ 286, 287 ZPO and the following results from this:
25 When asked by the court, the plaintiff personally explained that the incident did not cause him sleepless nights, that he was not even excited after learning about the incident and that he had not subsequently changed his settings on Facebook. Overall, he is only uncomfortable because he fears his phone number, which can be found on the Internet, could be used for anonymous calls. This aspect was also taken up again later in the meeting by the plaintiff's representative, who emphasized that the incident was annoying but did not hurt the plaintiff, but that he had an uneasy feeling about future damages. The plaintiff also confirmed this statement by his legal representative in the oral hearing. However, a general and not further tangible malaise alone in the form presented is not enough for the court to assume immaterial damage, since the necessary noticeable impairment cannot be determined (also LG Essen, GRUR-RS 2022, 34818 para 72 et seq.; LG Gießen GRUR-RS 2022, 30480 para. 19).
26 Incidentally, there is also a lack of causality between alleged data protection violations and damage, even if one wanted to justify this differently, for example in the form of spam messages and calls alone and thus ultimately in a loss of control over one's own data. The plaintiff explained in his oral hearing that he also used and uses other social networks on the Internet - he himself listed five more - so that the court is not convinced that the alleged incident was the reason for the finding of the plaintiff's data on the Internet and for alleged increased spam messages and calls - apart from the phone number, it was also publicly available data on Facebook that was deposited by the plaintiff. The plaintiff himself also explained credibly and realistically in the oral hearing that he himself could not say whether increased spam messages and anonymous calls came from the "Facebook incident" (also LG Essen, GRUR-RS 2022, 34818 marginal number 84).
27 2. Application for declaratory judgment unfounded
28 The application for a declaratory judgment is unfounded, since at least for the court the occurrence of future causal material or immaterial damage, for the latter cf. the reasons given above under 1., is not sufficiently probable (cf. also LG Bielefeld GRUR-RS 2022, 38375 marginal number 36).
29 3. No Injunctive Relief
30 The plaintiff also has no claim for injunctive relief under § 1004 Para. 1 BGB or any other standard against the defendant, regardless of the question of whether the rights of the data subjects of the GDPR are final and block a claim for injunctive relief under national law.
31 For a (future) impairment of the plaintiff's rights within the meaning of § 1004 Para. 1 BGB - if one wanted to assume this - the plaintiff would in any case be jointly responsible according to the legal concept of § 254 BGB, § 1004 Para. 2 BGB, which the claim completely would rule out: The plaintiff himself explained in the oral hearing that he did not change his data settings on the Facebook platform after the incident became known. According to his own admission, the plaintiff did not change his stored data, searchability settings and other settings that affect the findability and public visibility of his stored data until the end, despite the existing possibility - as the plaintiff himself explained in the oral hearing. He has to stick to that.
32 In addition, the plaintiff has not used the Facebook Messenger app, the contact details of which the plaintiff was also interested in, since 2019, according to his own statement in the oral hearing. (See also LG Gießen GRUR-RS 2022, 30480 Rn 23).
33 4. No further right to information
34 The plaintiff also has no right to further information pursuant to Art. 15 GDPR or any other basis for a claim. From the point of view of the court, the defendant has provided sufficient information about the data available to it and has made information available in an appropriate manner, cf. letter dated November 11, 2021 (Annex B 16). The right to information according to § 362 paragraph 1 BGB has already been fulfilled before lis pendens. Insofar as the plaintiff requests information about the recipients of the scraping files, a further claim for the information provided by the defendant also fails because the defendant is not able to do so because it does not hold any raw data in this regard, as the defendant has written in writing and for the court explained in a comprehensible and convincing manner. (So also LG Gießen GRUR-RS 2022, 30480 Rn 24).
35 5. The secondary claims share the fate of the main claim.
36 6. The plaintiff has to bear the costs of the legal dispute according to § 91 paragraph 1 ZPO, the decision on the provisional enforceability follows from §§ 708 No. 11, 711 ZPO.
37 7. According to § 296a S. 1 ZPO, new submissions in the pleadings of the plaintiff's representatives of February 6th, 2023 - i.e. after the end of the oral hearing - were no longer to be considered. The requirements of § 296a S. 2 ZPO are not met. The court did not grant a written submission deadline according to Section 283 ZPO due to the lack of an application by the plaintiff’s representatives (see minutes of February 1, 2023); moreover, the requirements of Section 283 ZPO were not met here either. The pleading of February 6, 2023 also contains no arguments that would make it necessary to reopen the oral hearing, since the requirements of Section 156 (2) ZPO are not met and the reopening is otherwise not required (Section 156 (1) ZPO). A decision had been reached.