LG Augsburg - 022 O 2669/22
LG Augsburg - 022 O 2669/22 | |
---|---|
Court: | LG Augsburg (Germany) |
Jurisdiction: | Germany |
Relevant Law: | Article 5(1)(f) GDPR Article 5(1)(a) GDPR Article 6(1) GDPR Article 13 GDPR Article 14 GDPR Article 17 GDPR Article 25(2) GDPR Article 82(1) GDPR § 1004 Abs. 1 S. 2 BGB § 823 Abs. 2 BGB Art. 1 Abs. 1 GG Art. 2 Abs. 1 GG |
Decided: | 09.06.1923 |
Published: | |
Parties: | |
National Case Number/Name: | 022 O 2669/22 |
European Case Law Identifier: | |
Appeal from: | |
Appeal to: | Not appealed |
Original Language(s): | German |
Original Source: | Bayern.Recht (in German) |
Initial Contributor: | Ludwig Ederle |
No obligation for a social media platform under GDPR to set the default setting such that the search function for users' telephone numbers is blocked.
English Summary
Facts
The plaintiff was a user of the defendant's social media plattform. He registered his profile with his phone number and didn't change the preset visibility option to "not visible". This option is set to "visible" in order to get found by phone number, the users get informed about this during registration. Business Insider on 4/3/2021 published an article reporting about scraping of phone numbers from the defendant's platform by unknown third parties. On July 2, 2021, The plaintiff sent a letter to the defendant demanding payment of damages and a cease and desist order, the defendant responded to the plaintiff's letter on September 30, 2021. On November 25, 2022, The Irish Data Protection Commission fined the defendant for violating the GDPR with €265 million for violating the GDPR and ordered the defendant to take remedial action. The plaintiff has not yet been the victim of identity theft; her account at the defendant's platform has also not been taken over by unknown third parties. The plaintiff has since changed the settings in her account so that her telephone number can no longer be accessed via the contact import tool. The plaintiff argues that she has been victim of a data breach, received (but did not answer) several calls from outside the country, that she lost control over her data and was in big worries about misuse of her data. She mentioned that she's getting a lot of strange short messages with apparent fraud attempts. This was due to missing security controls on the defendant's platform. The defendant argues, that the claim was to dismiss as the claims were too vague and the claim for a declaratory judgment lacked interest. The requirements for a claim for damages under Article 82 GDPR were not met since scraping was not hacking. In addition the defendant argued the loss of control alleged by the plaintiff was not sufficient.
Holding
The claim is inconcise: text messages and calls from the beginning to mid-2019 described by the plaintiff are not necessarily causally attributable to the data scraping before September 2019. The scraped data from the defendant's platform got published on the internet by unknown third parties only from April 2021, as the plaintiff itself stated in her claim. Any calls and text messages in early to mid-2019 as submitted by the plaintiff could therefore not be based on the mentioned incident. However, the plaintiff wouldn't be entitled to claim non-material damages from the defendant: this would have to be based on Article 82 GDPR. Since GDPR was not applicable in the first place, no damages can be claimed. The court argues: there has not been a breach of transparency obligations Articles 5, 13, 14 GDPR), also the defendant clearly and in ease language pointed to the default settings, so no breach of Article 25 GDPR or Article 32 GDPR either. This was not a incident subject to notification to the supervising authority and the defendant informed the plaintiff according to Article 15 with a letter on Sept 9 2021. Hence, there can't be a claim for non material damages according to Article 82 GDPR.
The scope of application of the GDPR has not been opened.
Translated with DeepL.com (free version)
Comment
The CJEU has ruled (e.g. C-300/21 and C340/21): not every breach of an obligation of the GDPR automatically constitutes damage eligible for compensation under GDPR. Rather, material or immaterial damage based on a GDPR infringement must be established and proven.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Title: No user claims against Facebook operators due to scraping incident Norm chains: GDPR Art. 5 Para. 1 lit. a and lit. f, Art. 6 Para. 1, Art. 13, Art. 14, Art. 17, Art. 25 Para BGB § 823 paragraph 2, § 1004 paragraph 1 sentence 2 GG Art. 1 Para. 1, Art. 2 Para. 1 Guiding principles: 1. A social media platform whose aim is to search for and find contacts is not obliged in accordance with Article 25 Para. 2 GDPR to set the default settings in such a way that the searchability function is blocked for users' telephone numbers is. (Rn. 36) (editorial principle) 2. A scraping incident does not constitute a reportable violation under Article 33 of the GDPR. (No. 37) (editorial principle) 3. Non-material damage that can be compensated for under Article 82 (1) of the GDPR must at least constitute real and certain emotional damage and not just an annoyance or other inconvenience. (Rn. 40) (editorial principle) Tags: Data protection default, data protection violation Locations: LSK 2023, 13763 ZD 2024, 118 GRUR-RS 2023, 13763 tenor 1. The lawsuit is dismissed. 2. The plaintiff must bear the costs of the legal dispute. 3. The judgment is provisionally enforceable. The plaintiff can avert the defendant's enforcement by providing security in the amount of 110% of the amount enforceable on the basis of the judgment, unless the defendant provides security in the amount of 110% of the amount to be enforced before enforcement. Facts of the case 1 The plaintiff is demanding damages, injunctive relief and information from the defendant due to violations of the General Data Protection Regulation. 2 The defendant is the provider of the F. platform on the territory of the European Union. The plaintiff is a German user of this platform; she logs in with her email address…. Your name, gender and user ID were publicly visible on the user account (Appendix B 1 5), because this information is always public user information. The visibility of the plaintiff's other data (telephone number, email address, place of residence, date of birth, city, relationship status) depended on the plaintiff's target group selection. The data “country”, “state”, “place of birth” and “other correlating data” do not correspond to any profile fields on the F. platform. 3 When registering for the first time, the user enters their personal data, specifically first and last name, mobile phone number or email address, gender and date of birth, into the registration mask. The user's attention is drawn to the terms of use and, after registration, to a wealth of settings and sub-settings. In this respect, the defendant has made default settings. 4 The telephone number can be used for a security query (password reset). In the plaintiff's profile, the telephone number used in this regard was publicly shared with her friends and was therefore partially publicly viewable. In addition, the plaintiff could be found via her telephone number. This setting was predetermined, but could be changed so that the user could not be found using their phone number. The defendant uses a contact importer (contact import tool; Cl T). This is used to synchronize the personal contacts stored in a user's smartphone with users on F.; This is done via the stored mobile phone number. The F. Messenger app operated by the defendant works in the same way. Any automated collection of data (scraping) without permission was prohibited by the defendant's terms of use. 5 Before September 2019, unknown persons generated telephone numbers and synchronized them with profiles of F. users via the contact importer or the F. messenger app. The data publicly stored there was subsequently scraped and merged with the cell phone numbers (Appendix B 11). 6 On April 3, 2021, Business Insider published an article according to which information from a large number of F. users had been made accessible on the Internet by third parties. The defendant addressed its users with an article accessible in F. on April 6, 2021 (Appendix B 10). 7 In a lawyer's email dated July 2, 2021, the plaintiff asked the defendant to pay damages of €500 as well as to cease and desist and provide information (Appendix K 1). The defendant responded with a lawyer's letter dated September 30, 2021 (Appendix B 16). 8th In a decision dated November 25, 2022, the Irish data protection authority DPC imposed a fine of EUR 265 million on the defendants for violating Articles 25 I and 2 of the GDPR and ordered the defendant to take remedial action (Appendix K 3). 9 The plaintiff has not yet been a victim of identity theft; Her account with F. was also not taken over by unknown third parties. The plaintiff has since changed the settings in her account so that her phone number can no longer be accessed via the contact import tool. 10 The plaintiff essentially claims: 11 Your email address, place of residence, date of birth, city, relationship status, telephone number were included in the data retrieved through scraping. 12 The plaintiff further claims that she was affected by a data protection incident; the defendant made its data accessible to unauthorized third parties. A database that can be accessed by anyone on the Darknet contains your telephone number, your name, your place of residence and your email address. These data sets were made public and allowed malicious actors to carry out a wide range of criminal activities, such as identity theft, account takeover, targeted phishing messages or "sim swap" attacks to change passwords protected by phone number-based authentication. 13 The plaintiff further states that she suffered a significant loss of control due to the publication of the scraped data and was left in a state of great discomfort and great concern about possible misuse of her data. Since publication, she has been receiving occasional unknown contact attempts via SMS. These contained messages with obvious attempts at fraud. Specifically, since the beginning to mid-2019, she has received text messages several times a week saying, for example, that packages could not have been delivered or that something was wrong with her P. account. 14 She also initially received calls from abroad, which she did not accept and which quickly stopped. They assume that these are due to data scraping by the defendant. She has not suffered any damage so far. 15 Finally, the plaintiff claims that the defendant did not take any security precautions against the exploitation of the contact import tool, in particular did not ensure that the request for synchronization was a request from a human being and not a computer program; The plausibility of the requests was also not checked, for example by automatically rejecting an unusually large number of requests from the same IP address or with unusual telephone number sequences. 16 The defendant also never informed the plaintiff that her data had been stolen and published by third parties; She also did not inform the relevant data protection authority in Ireland about the incident. 17 The plaintiff is essentially of the opinion: 18 The lawsuit is admissible, in particular it is specific enough and there is an interest in declaratory judgment. The claim for damages arises from Art. 82 GDPR. The scope of protection has been opened, the defendant has violated several obligations of the GDPR (violation of the transparency obligations, violation of the obligation to ensure appropriate technical and organizational measures, violation of the obligation to provide data protection-friendly default settings, violation of the notification and reporting obligation and the obligation to provide information) 19 Due to the plaintiff's lack of effective consent, the defendant processed her data without a legal basis and sufficient information; The defendant bears the burden of presentation and proof. 20 The plaintiff requests to recognize: 1. The defendant is ordered to pay the plaintiff an appropriate amount of non-pecuniary damages, the amount of which is at the discretion of the court, but at least €1,000.00 plus interest since the action was brought in the amount of five percentage points above the base interest rate. 2. It is established that the defendant is obliged to compensate the plaintiff for all future damages that the plaintiff has suffered as a result of unauthorized third-party access to the defendant's data archive, which, according to the defendant's statement, occurred in 2019 and/or still will arise. 3. The defendant is sentenced, if he avoids an administrative fine to be set by the court for each case of violation of up to € 250,000.00, or, alternatively, to his legal representative (director), or to his legal representative (director). To refrain from arrest for a period of up to six months, or in the event of a repeat offense up to two years, a) to make personal data of the plaintiff, namely, telephone number, F.-ID, last name, first name, gender, federal state, country, city, relationship status, accessible to unauthorized third parties via software for importing contacts, without the security measures possible according to the state of the art to prevent the use of the system for purposes other than establishing contact, b) to process the plaintiff's telephone number on the basis of consent that was obtained from the defendant because of the confusing and incomplete information, in particular without clear information that the telephone number can still be used by using the contact import tool even if it is set to "private". , unless authorization is explicitly denied for this and in the case of using the F. Messenger app, authorization is also explicitly denied here. 4. The defendant is ordered to provide the plaintiff with information about personal data relating to the plaintiff that the defendant processes, namely which data could be obtained from the defendant by which recipients and at what point in time through scraping or by using the contact import tool. 5. The defendant is ordered to pay the plaintiff's pre-trial legal fees amounting to €887.03, plus interest from the time of litigation amounting to five percentage points above the base interest rate. 21 The defendant requests 22 The defendant is essentially of the opinion: 23 The lawsuit is largely inadmissible because the claims 1) to 3) are too vague and the action for a declaratory judgment lacks the interest in declaratory judgment. The requirements for a claim for damages according to Art. 82 GDPR do not exist. Scraping is not hacking. The protection area has not been opened, nor are there any violations of the GDPR. In addition, there is no causal immaterial damage; in particular, the loss of control alleged by the plaintiff is not sufficient. The plaintiff bears the burden of presentation and proof. Furthermore, there is no fault on the part of the defendant. 24 For further details, reference is made to the exchanged pleadings and the minutes of the oral hearing from May 5, 2023. Reasons for the decision 25 I. The admissible lawsuit is unfounded. 26 The lawsuit is admissible. 27 1. The Augsburg Regional Court has international jurisdiction in accordance with Art. 79 II GDPR and Art. 18 I Alt. 2 in conjunction with Art. 17 I lit. c) Regulation (EU) 1215/2012. The plaintiff has her usual place of residence or residence in ... and therefore in the local judicial district. The defendant operates the platform commercially; the plaintiff uses the platform for private purposes and is therefore a consumer. 28 2. The applications are sufficiently specific within the meaning of Section 253 II No. 2 ZPO. This applies to both the application number 1 and the application numbers 3a and 3b (see: LG Kiel GRUR-RS 2023, 328 Rns. 25 to 29 and LG Aachen GRUR-RS 2023, 2621 Rns. 32 to 36 and 38 bis 40 on the identical claims as in the present case). The interest in declaratory judgment regarding application number 2 must also be affirmed (LG Kiel GRUR-RS 2023, 328 Rn. 30 and LG Aachen GRUR-RS 2023, 2621 Rn. 37). 29 II. The lawsuit is unsuccessful on the merits. 30 1. The lawsuit is already inconclusive because the text messages and calls described by the plaintiff from the beginning to mid-2019 cannot be causally traced back to the defendant's data scraping before September 2019. The data of the defendant's users - as stated by the plaintiff herself in the statement of claim - was only published on the Internet by unknown third parties from April 2021. Any calls and text messages in early to mid-2019 - as presented by the plaintiff in her informational hearing at the oral hearing - cannot therefore be based on the incident. 31 2. However, the plaintiff would not otherwise be entitled to payment of non-material damages against the defendant. 32 a) Such a claim would not arise from Art. 82 I GDPR. 33 aa) Based on the plaintiff's submissions, there would already be no violation of the provisions of the General Data Protection Regulation. 34 (1) There is no violation of the transparency obligations under Article 5 I lit. a), 13, 14 GDPR. The screenshots presented by the plaintiff of the processes and substructures of the defendant's website are sufficiently understandable and transparent. The plaintiff as a user is obliged to carefully examine the information in order to make a decision for herself as to the extent to which she will release information and how extensively she wants to use the defendant's communication platform (also: LG Aachen GRUR-RS 2023, 2621 Rn . 49 to 55 as well as LG Kiel GRUR-RS 2023, 328 paras. 37 to 41). 35 (2) There is also no violation of the data protection obligations under Article 5 I lit. f), 32 GDPR. Because it was expressly stated that name, profile picture, cover photo, gender, username and user ID are visible to everyone; There was therefore no reason to protect this data since it was public anyway. With regard to the plaintiff's telephone number, the defendant has adequately fulfilled its protection obligations by adequately pointing out that the plaintiff can change the searchability settings (also: LG Aachen GRUR-RS 2023, 2621 paras. 56 to 63 and LG Kiel GRUR-RS 2023, 328 Rn. 42f). In addition, the defendant's terms of use prohibited any automated collection of data (scraping) without the defendant's permission. 36 (3) The defendant has also not violated the obligation to provide data protection-friendly default settings in accordance with Article 25 I, II GDPR. In particular, the defendant was not obliged to set the default so that a telephone number entered by the plaintiff would not be used to find her using a search function. The platform operated by the defendant is a social media platform whose goal is to search for and find contacts. Blocking the searchability function would diametrically contradict this goal (also: LG Aachen GRUR-RS 2023, 2621 paragraph 64f and LG Kiel GRUR-RS 2023, 328 paragraphs 44 to 47). This assessment does not change because the Irish data protection authority DPC imposed a fine of EUR 265 million on the defendants in a decision dated November 25, 2022 for violating Articles 25 I and 2 of the GDPR (Appendix K 3). It remains to be seen whether this decision has a binding effect, since it is undisputed that it is not yet final (also: LG Aachen GRUR-RS 2023, 2621 paragraph 66). 37 (4) Finally, the defendant cannot be accused of violating the reporting obligation according to Article 33 of the GDPR, since there is already no reportable violation of the General Data Protection Regulation (also: LG Aachen GRUR-RS 2023, 2621 Rn. 67 and LG Kiel GRUR-RS 2023, 328 para. 48). 38 (5) Finally, there is no violation of the defendant's obligation to provide information pursuant to Article 15 GDPR. The defendant provided information to the plaintiff in a lawyer's letter dated September 30, 2021 (Appendix B 16). The defendant was not obliged to provide any additional information requested by the plaintiff; The defendant is also unable to provide any further information. 39 bb) Furthermore, there would be no non-material damage to the plaintiff. 40 (I) The eligibility requirements of Art. 82 I GDPR include, in addition to the violation of the General Data Protection Regulation, the occurrence of immaterial damage (cf. OLG Frankfurt GRUR 2022, 1252 paras. 61 to 64). In view of recitals 75, 85, 146 and 148 of the GDPR, the legislator had in mind discrimination, identity theft, identity fraud, damage to reputation, loss of confidentiality of personal data subject to professional secrecy or social disadvantages without excluding minor damage. With regard to possible future misuse of personal data, non-material damage will only be justified if it is real and certain emotional damage and not just an annoyance or inconvenience (cf. ECJ, Opinion of April 27, 2023 - C -340/21). 41 (2) Measured against these standards, non-material damage to the plaintiff can be denied. It is undisputed that the plaintiff has not yet been the victim of identity theft; Her account with F. was also not taken over by unknown third parties. As already stated above, the text messages and calls in 2019 cannot be attributed to data scraping. Even if any calls and text messages had only taken place in 2021, it would remain controversial and unclear whether they could be attributed to data scraping, and in particular whether there would have been a temporal connection. This is all the more true since the plaintiff publicly posted her telephone number on the Facebook page for her friends. Since identity theft is unlikely simply through the knowledge of a telephone number (see: LG Karlsruhe, ZD 2022, 55) and the plaintiff's other data is public anyway with her consent, the possibility of future misuse of the plaintiff's data only represents an inconvenience just cannot justify non-material damage. Finally, it should not be lost sight of the fact that it was not the defendant, but unknown third parties who scraped the plaintiff's data and posted it on the dark web. 42 b) A claim for non-material damages would also not arise from national law. This follows from the fact that, according to Section 253 Paragraph 1 of the German Civil Code (BGB), claims can only be made for damage that is not financial loss in cases determined by law. However, the exceptions mentioned in the law (Section 253 Para. 2 BGB) do not exist, nor does there be a serious violation of the plaintiff's personal rights (Articles 1 I, 2 I GG). 43 2. The plaintiff's request for a declaration that the defendant is obliged to compensate for all future material damage would also be unfounded. This is because there is no violation of the provisions of the General Data Protection Regulation (see Section II 2 a aa above). 44 3. The plaintiff would also have no claim against the defendant to stop the use of the contact importer software from §§ 1004 1 2 BGB analogously in conjunction with Art. 1 I, 2 I GG or from § 823 II BGB in conjunction with Art. 6 I, 17 GDPR. In this respect, too, there is no violation of the provisions of the General Data Protection Regulation (see Section Il 2 a aa above). 45 4. The plaintiff would also have no claim against the defendant to stop the processing of her telephone number from SS 1004 Para GDPR to. In this respect, too, there is no violation of the provisions of the General Data Protection Regulation (see Section Il 2 a aa above). In addition, there is no risk of repetition. The plaintiff herself states that she has now changed the settings in her account so that her telephone number can no longer be accessed by the contact import tool. There is therefore no apparent risk of recurrence. 46 5. Finally, the plaintiff would not be entitled to information against the defendant in accordance with Article 15 I of the GDPR. This claim has expired in accordance with Section 362 I of the German Civil Code (BGB), since the defendant provided information in this regard in a lawyer's letter dated September 30, 2021 (Appendix B 16). To the extent that the plaintiff also requests information about the extent to which their data was processed by scraping and by which third parties, the plaintiff's claim must be denied on the merits. The defendant would also not be able to provide such information. 47 6. Due to the lack of a main claim, the plaintiff's claim for reimbursement of pre-trial legal fees must finally be denied. 48 7. No other, comprehensive basis for claims is apparent. 49 I. The cost decision results from Section 91 I ZPO. 50 2. The decision on provisional enforceability is based on Sections 708 I No. 1, 71 I 1 and 2 ZPO.