LG Lübeck - 15 O 74/22: Difference between revisions
(Created page with "{{COURTdecisionBOX |Jurisdiction=Germany |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=LG Lübeck |Court_Original_Name=Landgericht Lübeck |Court_English_Name=Regional Court Lübeck |Court_With_Country=LG Lübeck (Germany) |Case_Number_Name=15 O 74/22 |ECLI=ECLI:DE:LGLUEBE:2023:0525.15O74.22.00 |Original_Source_Name_1=LG Lübeck (Germany) |Original_Source_Link_1=https://www.gesetze-rechtsprechung.sh.juris.de/bssh/document/JURE230048215 |Original_Sour...") |
No edit summary |
||
Line 65: | Line 65: | ||
=== Facts === | === Facts === | ||
The data subject was a Facebook user. According to the privacy settings selected at the moment of the facts, | The data subject was a Facebook user. According to the privacy settings selected at the moment of the facts, their phone number could be used by a third person to find the data subject’s profile on Facebook, even if the phone number itself was not public. Accordingly, information relating to the data subject could be linked to their phone number by anyone in possession of such a number. | ||
In 2019, unknown “third parties” automatically combined telephone numbers and matched them with Facebook profiles thanks to the above-mentioned function. In this way, telephone numbers could be assigned to identified users. This resulted in a data breach concerning 533 million people in 106 different countries. | In 2019, unknown “third parties” automatically combined telephone numbers and matched them with Facebook profiles thanks to the above-mentioned function. In this way, telephone numbers could be assigned to identified users. This resulted in a data breach concerning 533 million people in 106 different countries. | ||
According to the data subject, Facebook violated the principles of “privacy by design” and “privacy by default”. They lamented that the | |||
Facebook replied that it was up to the data subject to change their privacy settings. Moreover | According to the data subject, Facebook violated the principles of “privacy by design” and “privacy by default”. They lamented that the settings just described were Facebook default settings and they could be changed only through a complex procedure. These default settings, alongside wiht the total lack of security measures by Facebook, made data scraping possible. The data subject lamented that since the data breach they received phishing emails and calls. In light of the loss of control over their personal data, the data subject claimed damages for €1,000 under [[Article 82 GDPR]]. | ||
Facebook replied that it was up to the data subject to change their privacy settings. Moreover, and despite Facebook’s subsequent attempts to prevent and mitigate risks, no measure could entirely protect users from scraping. | |||
=== Holding === | === Holding === | ||
The Regional Court of Lübeck (Landgericht Lübeck) upheld the data subject claim for damages and granted €500 | The Regional Court of Lübeck (Landgericht Lübeck) upheld the data subject claim for damages and granted €500 of compensation. | ||
According to the court, the processing was neither based on consent (Article 6(1)(a) GDPR), nor contract (Article 6(1)(b) GDPR), nor legitimate interest of the controller (Article 6(1)(f) GDPR). With specific regard to consent, the court found that it was not informed within the meaning of [[Article 4 GDPR#11|Article 4(11) GDPR]]. | |||
The court found that the controller contravened to its duty to adopt technical and organizational measures under [[ | According to the court, the processing was neither based on consent ([[Article 6 GDPR#1a|Article 6(1)(a) GDPR]]), nor contract ([[Article 6 GDPR#1b|Article 6(1)(b) GDPR]]), nor legitimate interest of the controller ([[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]). With specific regard to consent, the court found that it was not informed informed within the meaning of [[Article 4 GDPR#11|Article 4(11) GDPR]]. Indeed, finding information about the possibility to connect a phone number with other personal data as a default option was very hard. | ||
The court found that the controller contravened to its duty to adopt technical and organizational measures under [[Article 32 GDPR]] and did not take precautions to make scraping by third parties more difficult. | |||
In assessing the existence of non-material damages, the court referred to [https://curia.europa.eu/juris/liste.jsf?nat=or&mat=or&pcs=Oor&jur=C%2CT%2CF&num=C-300%252F21&for=&jge=&dates=&language=en&pro=&cit=none%252CC%252CCJ%252CR%252C2008E%252C%252C%252C%252C%252C%252C%252C%252C%252C%252Ctrue%252Cfalse%252Cfalse&oqp=&td=%3BALL&avg=&lg=&page=1&cid=20574739 C-300/21], where the CJEU held that no minimum threshold is necessary to grant compensation pursuant to [[Article 82 GDPR]]. | |||
Importantly, the court also found that in the present case an evaluation of the data subject's psychological state was not necessary for the claim to be successful. As a matter of fact, after the data breach, the data subject’s personal information was traded on the internet by third parties. This entailed an actual – and not merely potential – infringement of the data subject’s personality rights, in particular their fundamental right to informational self-determination. | |||
In light of the above, the court ordered Facebook to compensate the data subject €500,00. | In light of the above, the court ordered Facebook to compensate the data subject €500,00. | ||
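Review bot: The added text in the new revision carries two typos that should be fixed before it stands: in the Facts paragraph "alongside wiht the total lack of security measures" should read "with", and in the Holding paragraph "it was not informed informed within the meaning of" repeats a word. In the same Holding text, "contravened to its duty" would read better as "breached its duty".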
Revision as of 09:02, 9 June 2023
LG Lübeck - 15 O 74/22 | |
---|---|
Court: | LG Lübeck (Germany) |
Jurisdiction: | Germany |
Relevant Law: | Article 82 GDPR |
Decided: | 25.05.2023 |
Published: | |
Parties: | |
National Case Number/Name: | 15 O 74/22 |
European Case Law Identifier: | ECLI:DE:LGLUEBE:2023:0525.15O74.22.00 |
Appeal from: | |
Appeal to: | Unknown |
Original Language(s): | German |
Original Source: | LG Lübeck (Germany) (in German) |
Initial Contributor: | mg |
Assessing the data subject’s psychological suffering in the context of a claim for non-material damages is not necessary if an actual - and not merely potential - infringement of their personality rights occurred.
English Summary
Facts
The data subject was a Facebook user. Under the privacy settings in effect at the relevant time, their phone number could be used by a third person to find the data subject’s profile on Facebook, even if the phone number itself was not public. Accordingly, anyone in possession of the number could link it to information relating to the data subject.
In 2019, unknown “third parties” automatically combined telephone numbers and matched them with Facebook profiles thanks to the above-mentioned function. In this way, telephone numbers could be assigned to identified users. This resulted in a data breach concerning 533 million people in 106 different countries.
According to the data subject, Facebook violated the principles of “privacy by design” and “privacy by default”. They complained that the settings just described were Facebook's default settings and could be changed only through a complex procedure. These default settings, along with the total lack of security measures by Facebook, made data scraping possible. The data subject also complained that since the data breach they had received phishing emails and calls. In light of the loss of control over their personal data, the data subject claimed damages of €1,000 under Article 82 GDPR.
Facebook replied that it was up to the data subject to change their privacy settings. Moreover, and despite Facebook’s subsequent attempts to prevent and mitigate risks, no measure could entirely protect users from scraping.
Holding
The Regional Court of Lübeck (Landgericht Lübeck) upheld the data subject's claim for damages and granted €500 in compensation.
According to the court, the processing was based neither on consent (Article 6(1)(a) GDPR), nor on contract (Article 6(1)(b) GDPR), nor on the legitimate interest of the controller (Article 6(1)(f) GDPR). With specific regard to consent, the court found that it was not informed within the meaning of Article 4(11) GDPR. Indeed, information about the possibility of connecting a phone number with other personal data as a default option was very hard to find.
The court found that the controller breached its duty to adopt technical and organizational measures under Article 32 GDPR and did not take precautions to make scraping by third parties more difficult.
In assessing the existence of non-material damages, the court referred to C-300/21, where the CJEU held that no minimum threshold is necessary to grant compensation pursuant to Article 82 GDPR.
Importantly, the court also found that in the present case an evaluation of the data subject's psychological state was not necessary for the claim to be successful. As a matter of fact, after the data breach, the data subject’s personal information was traded on the internet by third parties. This entailed an actual – and not merely potential – infringement of the data subject’s personality rights, in particular their fundamental right to informational self-determination.
In light of the above, the court ordered Facebook to pay the data subject €500,00 in compensation.
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.