LG Gießen - 5 O 195/22

From GDPRhub
Revision as of 12:53, 15 November 2022 by SR
Court: LG Gießen (Germany)
Jurisdiction: Germany
Relevant Law: Article 82(1) GDPR
Decided: 03.11.2022
Published:
Parties:
National Case Number/Name: 5 O 195/22
European Case Law Identifier:
Appeal from:
Appeal to: Unknown
Original Language(s): German
Original Source: REWIS (in German)
Initial Contributor: julia_kraemer

The Regional Court of Gießen awarded no damages under Article 82(1) GDPR for the web-scraping of publicly accessible personal data, holding that a mere infringement of the GDPR is not sufficient to claim non-material damages.

English Summary

Facts

The data subject registered on a platform which required her to enter her e-mail address, name, birthday, and gender. Additionally, she entered her phone number, which was an optional disclosure. The default privacy option of the platform disclosed the personal data to any person who had the data subject's e-mail address or phone number.

Between 2018 and 2019, a third party collected the personal data by web-scraping the controller's service. In practice, the third party created lists of potential phone numbers and uploaded them to the contact-importer of the platform to detect whether the numbers could be associated with users who had not changed the default privacy options of the platform. A correctly guessed phone number allowed the third party to connect that number with the data subject's profile and access all the provided information. In April 2021, the third party published all the scraped personal data.

The data subject filed an action against the platform, claiming that the latter did not take any security precautions to prevent the personal data from being scraped, for instance by means of a security captcha. The data subject asked the defendant to pay non-material damages. In its defense, the defendant argued that the scraping did not constitute a data protection breach because the information accessed was publicly available.

Holding

The court held that the action is admissible but unfounded. The data subject was not entitled to the payment of non-material damages pursuant to Art 82(1) GDPR.

The court noted that, according to the wording of the provision, the damage must be "suffered", from which it follows that the damage must actually have occurred and not merely be feared. The concept of damage is to be interpreted broadly according to Recital 146 GDPR. However, a mere infringement of the provisions of the GDPR is not sufficient to be able to claim non-material damages. Rather, concrete damage must be proven.

The data subject has not sufficiently demonstrated the existence of concrete, immaterial damage, which also includes fears, worries, stress and loss of comfort. Furthermore, the court considerably doubted the plaintiff's claimed "fears and worries" due to the fact that the mobile phone number was entered voluntarily and that the rest of the personal data was generally publicly accessible.

On the basis of the above, the question of whether and to what extent the defendant had violated the GDPR was irrelevant.

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Facts

The plaintiff asserts claims based on alleged violations of the General Data Protection Regulation (GDPR). He is a user of the X platform; the defendant is its provider in the territory of the European Union. As part of the registration, the plaintiff gave his first name, last name, date of birth and gender. Providing a cell phone number is optional, but the plaintiff also provided this. The following passage was also found on the registration page: "By clicking on register [...] you agree to our terms of use. Our data policy explains how we collect, use and share your data". For further details, reference is made to the registration figure (page 8 of the file).

The data usage guidelines contain, among other things, information on which of the information provided by the user is always publicly accessible - namely name, profile and cover pictures, networks, gender, username and user ID - and the statement that publicly available information can be seen by anyone, including people outside of the defendant's platform. The defendant provides its platform users with explanations of what public information is and which information is public, and of how the user can specify who can see the information he has provided in addition to the public information (so-called target group selection) and who can find him using his e-mail address or his telephone number, if he has provided an e-mail address or telephone number on the platform (so-called searchability settings).

If the user does not select a target group, the accessibility of his information that goes beyond the public information depends on the standard setting, under which friends of the user can see the further information. If the user does not adjust the searchability settings, the default setting is that everyone who has the user's e-mail address or phone number can find the user's profile, if the user has provided that e-mail address or phone number.

The plaintiff had not made any changes to the searchability settings at the time of the scraping incident, so the default setting was active. Between January 2018 and September 2019, third parties used automated processes to collect a large amount of the public information available on the defendant's platform (so-called scraping). In addition, the scrapers created lists of possible phone numbers and uploaded them to the platform's contact importer to determine whether the uploaded phone numbers were linked to a user's account. If one of the uploaded phone numbers was linked to the account of a user who had provided their phone number and had not changed the default searchability settings, the contact importer gave this information, i.e. the fact that the phone number and account were linked, to the scrapers. The scrapers then added the phone number associated with the account to the publicly available information from the user's profile.

In April 2021, the scraped records of over 500 million users and the phone numbers associated with those records were made freely available for download. This also included the always publicly accessible information of the plaintiff's profile and the telephone number linked to his account.

The plaintiff first requested information about the data relating to the plaintiff on the defendant's platform via his legal representative. In a letter dated July 18, 2022, the defendant's attorneys-in-fact sent the plaintiff's attorney-in-fact instructions on how to inspect the information he had stored on the defendant's platform and how to use it. For the details in this regard, reference is made to Annex B16 (Annex B 16 to the brief of September 21, 2022, brief of July 18, 2022 there p. 7).

The plaintiff claims that the defendant did not take any security precautions to prevent his data from being tapped. No measures have been taken to prevent automated number queries, e.g. using a security captcha.
The fact that an automated mass query was possible represents a security gap for which the defendant is responsible. The plaintiff suffered a significant loss of control over his data. He suffers from great discomfort and worries because he fears abuse.

With his complaint served on the defendant on July 4th, 2022, the plaintiff requests:

1. The defendant is sentenced to pay the plaintiff a reasonable amount of immaterial damages, the amount of which is at the discretion of the court, but at least EUR 1,000.00 plus interest since pendency at a rate of 5 percentage points above the base rate.

2. Only in the event that the claim for 1) is granted, it is determined that the defendant is basically obliged to compensate the plaintiff for all future damage that the plaintiff has suffered and/or will suffer from the unauthorized access of third parties to the data archive of the defendant, which, according to the defendant, took place in 2019.

3. The defendant is sentenced, on pain of a fine of up to EUR 250,000.00 to be enforced by the court for each case of infringement, alternatively imprisonment to be enforced on its legal representative (director), or imprisonment to be enforced on its legal representative (director) for up to six months, or up to two years in the event of a recurrence, to refrain from:

a. making personal data of the plaintiff, namely telephone number, [...]ID, surname, first name, gender, state, country, city, relationship status, accessible to unauthorized third parties via software for importing contacts, without the security measures possible according to the state of the art to prevent the exploitation of the system for purposes other than establishing contact,

b. processing the telephone number of the plaintiff on the basis of a consent obtained by the defendant because of the confusing and incomplete information, namely without clear information that the telephone number can still be used by using the contact import tool even if it is set to "private", unless the authorization for this is explicitly denied and, if the [...] app is used, the authorization is also explicitly denied here.

4. The defendant is sentenced to provide the plaintiff with information about personal data relating to the plaintiff which the defendant is processing, namely which data could be obtained from the defendant by which recipient and at what time by scraping or by using the contact import tool.

5. The defendant is ordered to pay the plaintiff pre-trial legal fees of EUR 354.62 plus interest since pendency of five percentage points above the base rate.

The defendant requests that the lawsuit be dismissed.

The defendant claims that the scraping does not constitute a data protection violation. There was no breach of security, since "only" publicly available profile information of the plaintiff was accessed and no specific security measures or access authorizations were circumvented or overcome. There was no unauthorized disclosure of or access to the plaintiff's data. In addition, the defendant cannot be accused of a security gap, since the link created between the plaintiff's telephone number and his user account can only be traced back to the plaintiff's searchability setting at the time. The defendant also claims that it is unable to disclose the recipients of the "scraped" data.