LG Bielefeld - 19 O 147/22
|Court:||LG Bielefeld (Germany)|
|Relevant Law:||Article 24 GDPR; Article 25(2) GDPR; Article 32 GDPR; Article 33 GDPR; Article 82 GDPR; § 1004 BGB; § 823 BGB|
|National Case Number/Name:||19 O 147/22|
|European Case Law Identifier:||ecli:DE:LGBI:2023:0310.19O147.22.00|
|Original Source:||Landgericht Bielefeld, 19 O 147/22 (in German)|
A North Rhine-Westphalia court rejected a claim for non-material damages pursuant to Article 82 GDPR in the context of consciously and voluntarily published personal data on a social media platform.
English Summary
Facts
The data subject was a computer scientist and Facebook user. While using Facebook's social media services, the data subject provided several mandatory items of personal data, including their first name, last name and sex. These data points, including the system-generated "Facebook ID", were publicly visible by default on the user profile. In addition, the data subject added his mobile phone number. The mobile phone number was also visible by default, but the user could change the visibility in the settings. The data subject limited the visibility to the "target group search" setting, but left the searchability option for his mobile phone number visible.
In 2021, unknown "third parties" published data that had been scraped from the website in 2019.
The data subject complained that he had since received anonymous calls and spam emails, which had negative psychological consequences for him. Thus, the data subject asked for €500 in non-material damages under Article 82 GDPR.
The controller replied that data scraping, which is not hacking, does not entail a violation of the GDPR by the controller, as no mandatory security measures were circumvented and the plaintiff made an informed decision to voluntarily share their phone number on the site.
Holding
The court rejected the request for damages under Article 82 GDPR.
The court held that there was no breach of duty by the controller that could trigger damages. The publication of the mobile phone number was not mandatory and the data subject had the (unused) option to hide the phone number on their profile.
The court was of the opinion that the controller did not breach its duty to adequately protect the personal data of users in accordance with Article 32 GDPR. The controller was not obliged to take protective measures to prevent the collection of already publicly accessible information.
The controller also did not violate the principle of "privacy by default" enshrined in Articles 24 and 25(2) GDPR. It was undisputed that only the name, gender and Facebook ID of the data subject choosing to register with the platform were mandatorily visible to the public. If a user then decided to enter their phone number, the visibility setting was initially set to "everyone". The technically inexperienced user was nevertheless adequately informed about the corresponding information and about setting options and their limitations. In addition, every Internet user who uses a social network like Facebook must be aware that there are Internet customs with which one has to become familiar if one wants to use such communication platforms. This applied in particular to the plaintiff as a computer scientist.
The controller also proved that, contrary to the data subject's general assertion, it had taken technical measures to make scraping more difficult: it had implemented a hurdle under which queries beyond a certain extent from one and the same IP address were not possible or were stopped for a certain period of time, it had informed users, and it had a team dedicated solely to preventing misuse of users' data. In view of these specific statements, the data subject was expected to explain further why he nevertheless assumed that Article 25 GDPR was violated, which they did not.
Comment
The court is of the opinion that the "privacy by default" principle was not infringed, even though all additional (and voluntary) data points were set to "public" by default and the user had to actively change the settings to "private".
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.