BGH - VI ZR 10/24

From GDPRhub
BGH - VI ZR 10/24
Courts logo1.png
Court: BGH (Germany)
Jurisdiction: Germany
Relevant Law: Article 82(1) GDPR
§ 287 ZPO
§ 552b ZPO
Decided: 18.11.2024
Published:
Parties: Facebook/Meta
National Case Number/Name: VI ZR 10/24
European Case Law Identifier:
Appeal from: OLG Köln (Germany)
15 U 67/23
Appeal to: Not appealed
Original Language(s): German
Original Source: Bundesgerichtshof (in German)
Initial Contributor: la

The Federal Court of Justice held that under Article 82(1) GDPR, a loss of control over personal data in itself amounts to a non-material damage. A concrete adverse effect for the data subject is not necessary.

English Summary

Facts

The data subject is a user of Facebook (the controller). In April 2021, data of approx. 533 Mio. Facebook users were made public on the internet. An unknown third party had used the possibility of finding user accounts through the users’ phone numbers for scraping Facebook by trying out randomly generated phone numbers. Through this method they were able to obtain user profiles with matching phone numbers.

The data subject in this case was also among the people affected by this scraping incident; user ID, first and last name, workplace and gender of the data subject were included in the data set and were therefore linked to his phone number.

The data subject claimed that the controller did not take appropriate measures to avoid the exploitation of the contact tool that allowed to find users through their phone number. The data subject sued the controller for damages as well as, by the way of a declaratory judgement, wants the court to acknowledge his future right for compensation. This declaratory judgement concerning damages is a standard in German law due to statutory limitation that would otherwise prevent the person claiming damages from bringing any claims after a period of three years (such as for long-term consequences of a car accident).

After the data subject was granted €250 in non-material damages by the Regional Court of Bonn (Landgericht Bonn – LG Bonn), the controller appealed to the Higher Regional Court of Cologne (Oberlandesgericht Köln – OLG Köln) which then overrode LG Bonn’s decision and fully dismissed the action. The data subject in return appealed the case to the German Supreme Court (Bundesgerichtshof – BGH).

Holding

In its first decision under the new leading decision procedure, the BGH partially overrode the decision of the OLG Köln. It held that the reasoning for negating the data subject’s right to non-material damages was not sufficient. Rather, the BGH held that under the relevant CJEU case law even a sole and temporary loss of control over personal data following a GDPR infringement can be a non-material damage under Article 82(1) GDPR. The data subject does not need to show neither a concrete misuse of the personal data nor other negative consequences for them.

Additionally, the BGH held that the dismissal of the declaratory judgement for future damages was not justified because the data subject had a sufficient interest in such a declaratory judgement. This was due to the fact that a possibility of further future damages was obvious.

The BGH partially (insofar as it overrode the OLG judgement) referred the action back to the OLG Köln notifying the court that the controller’s standard setting of “all” for searchability on the platform was probably not in line with the data minimisation principle. The BGH added that the OLG Köln would need to assess the question whether there had been a valid consent by the data subject. The BGH further instructed the OLG Köln about how to properly assess the damages under § 287 of the German Civil Process Order (Zivilprozessordnung – ZPO) and informed the court that the BGH had no legal concerns about a non-material damage of about €100 for the sole loss of control.

Comment

  • This article is based on a press release of the BGH. The final decision will be available soon.
  • This judgement can be considered very important and is likely to change the German jurisprudence on non-material damages that has been rather restrictive in the past.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Federal Court of Justice decides on claims in connection with a data protection incident on the social network Facebook (so-called scraping)

Year of issue 2024
Publication date 11/18/2024

No. 218/2024

Judgment of November 18, 2024 - VI ZR 10/24
Facts:
The defendant operates the social network Facebook. At the beginning of April 2021, data from around 533 million Facebook users from 106 countries was publicly distributed on the Internet. Unknown third parties had previously taken advantage of the fact that the defendant makes it possible for the user's Facebook profile to be found using their telephone number, depending on the user's searchability settings. The unknown third parties assigned telephone numbers to the associated user accounts by entering randomized sequences of numbers on a large scale via the contact import function and accessed the public data available for these user accounts (so-called scraping).
This scraping incident also affected the plaintiff's data (user ID, first and last name, place of work and gender), which was thus linked to his telephone number. The plaintiff claims that the defendant did not take sufficient security measures to prevent the contact tool from being exploited. He is entitled to compensation for non-material damages due to the annoyance he suffered and the loss of control over his data. In addition, the plaintiff requests a declaration that the defendant is obliged to compensate him for all future material and non-material damages in this context and is suing the defendant for an injunction and information.
Procedure to date:
The regional court partially upheld the claim and awarded the plaintiff damages of €250 under Art. 82 Para. 1 GDPR; it dismissed the rest of the claim. On appeal by the defendant, the higher regional court dismissed the claim in its entirety, rejecting the plaintiff's cross-appeal. Neither is the mere loss of control sufficient to assume non-material damage within the meaning of Art. 82 (1) GDPR, nor has the plaintiff sufficiently substantiated that he was psychologically impaired beyond the loss of control as such.
By order of October 31, the Federal Court of Justice designated the appeal proceedings as the leading decision procedure in accordance with Section 552b of the Code of Civil Procedure (new version) (press release 206/24). However, after the appeal was not withdrawn or was otherwise resolved, the Federal Court of Justice held oral proceedings on November 11, 2024 and ruled on the plaintiff's appeal by judgment in accordance with general rules.
Decision of the Federal Court of Justice:
The plaintiff's appeal was partially successful.
The plaintiff's claim for compensation for non-material damage cannot be denied on the grounds of the appeal court. According to the ECJ's case law, which is decisive for the interpretation of Article 82 (1) GDPR, the mere and short-term loss of control over one's own personal data as a result of a violation of the General Data Protection Regulation can also constitute non-material damage within the meaning of the standard. In this respect, neither a specific misuse of this data to the detriment of the person concerned must have occurred, nor are there any other additional noticeable negative consequences required.
The appeal was also successful insofar as the appeal court rejected the plaintiff's applications for a declaration of liability for future damages, for an injunction against the use of his telephone number insofar as this is not covered by his consent, and for reimbursement of his pre-trial legal costs. Contrary to the opinion of the appeal court, the plaintiff does not lack the necessary interest in a declaration, since the possibility of future damage occurring under the circumstances of the dispute is readily apparent. The injunction mentioned is sufficiently specific and the plaintiff does not lack a need for legal protection in this respect. In other respects (further injunction and information request), the appeal was unsuccessful.
To the extent that the appeal was successful, the Federal Court of Justice referred the matter back to the Court of Appeal for a new hearing and decision. For further examination, the Federal Court of Justice pointed out to the Court of Appeal that the defendant's default search setting to "all" may not have complied with the principle of data minimization, whereby the Court of Appeal will also have to examine the question of whether the plaintiff had given effective consent to the data processing by the defendant. On the other hand, the Federal Court of Justice provided guidance on the assessment (Section 287 of the Code of Civil Procedure) of the non-material damage arising from Article 82 (1) of the GDPR and explained why, under the circumstances of the dispute, there were no legal objections to assessing the compensation for the mere loss of control in the order of €100.
Lower courts:
LG Bonn - judgment of March 29, 2023 - 13 O 125/22
OLG Cologne - judgment of December 7, 2023 - 15 U 67/23
The relevant provision is:
Article 82 General Data Protection Regulation (GDPR) - Liability and right to compensation
(1) Any person who has suffered material or immaterial damage as a result of a breach of this Regulation shall have the right to compensation from the controller or the processor.
(…)
Karlsruhe, November 18, 2024
Press office of the Federal Court of Justice
76125 Karlsruhe
Telephone (0721) 159-5013
Fax (0721) 159-5501
Supplementary documents
Decision of the VI Civil Senate of October 31, 2024 - VI ZR 10/24 -