LG Ravensburg - 2 O 228/22
LG Ravensburg - 2 O 228/22 | |
---|---|
Court: | LG Ravensburg (Germany) |
Jurisdiction: | Germany |
Relevant Law: | Article 15 GDPR Article 15(1) GDPR Article 32(1) GDPR Article 33 GDPR Article 34 GDPR Article 82(1) GDPR |
Decided: | 13.06.2023 |
Published: | |
Parties: | |
National Case Number/Name: | 2 O 228/22 |
European Case Law Identifier: | ECLI:DE:LGRAVEN:2023:0613.2O228.22.00 |
Appeal from: | |
Appeal to: | Unknown |
Original Language(s): | German |
Original Source: | Baden-Württemberg Landesrecht BW (in German) |
Initial Contributor: | lacrosse |
Facebook committed various breaches of the GDPR by failing to adequately protect user data from a web scraping attack. Data subject is entitled to claim non-material damages.
English Summary
Facts
The parties were in dispute over claims for damages, injunctive relief and information in relation to the use of the social media platform Facebook operated by Facebook (now: Meta) and a data scraping incident. The data subject is a Facebook user.
Facebook operates a social media platform and is the data controller. Among other features, Facebook provides its users with the ability to import contacts from their address book, called the Contact Import Tool. The purpose of the tool is to allow users to import contacts and thus find friends on Facebook's social media platform. The Contact Import Tool has been abused by unauthorised third parties to harvest contact information from Facebook users. By enumerating batches of possible phone numbers, it was possible to manipulate the tool to return personal information about Facebook users. The data queries were automated. This made it possible to extract large amounts of data from Facebook's user database. Unauthorised third parties were able to match the phone numbers on Facebook with certain publicly available data to further identify specific individuals. At an unknown time, presumably between January 2018 and September 2019, third parties read personal data (specifically name, gender and user ID) from Facebook's database and were able to associate specific phone numbers with each record. At the beginning of April 2021, the data sets obtained in this way were made available for download on the Internet in a well-known "hacker forum", including the data set of the data subject.
The data subject is of the opinion that he is entitled to non-material under Article 82(1) GDPR, because Facebook made the plaintiff's personal data available to unauthorised third parties.
In particular, Facebook did not adequately protect personal data from web-scraping attacks, for example by using "security captchas" to make it more difficult for software to make automated queries.
The data subject further argued that Facebook failed to comply with its obligation to notify the data breach under Article 34 GDPR. The company also failed to adequately respond to the request for access under Article 15 GDPR. Compensation of at least €1,000 would be appropriate, as well as an injunction against Facebook to prevent it from making the data subject's personal data available to unauthorised third parties in the future.
Facebook admitted that between January 2018 and September 2019, a data scraping incident took place on the Facebook platform. However, the company claimed that it was not responsible for any GDPR breaches as there was no unauthorised disclosure of data or unauthorised access to personal data. Facebook argued that the data accessed during the incident was publicly available data in the plaintiff's Facebook user profile.
Facebook therefore argued that it was not obliged to notify the data subject under Article 34 GDPR or the data protection supervisory authority under Article 33 GDPR because the requirements of the legal definition in Article 4(12) GDPR were not met. There was no breach of security and no unauthorised disclosure (or access) of personal data.
The data controller stated that it had duly complied with the data subject's request for access pursuant to Article 15 GDPR.
Facebook believed that the data subject's allegations of a lack of adequate security were unfounded. The company argued that the absence of individual technical security measures, such as "security captchas" to prevent automated queries of records, does not indicate an overall lack of reasonable security measures. Facebook claimed to support a variety of security features to prevent data scraping. It would therefore be necessary to have an overall view of the company's security measures. Therefore, the absence of an individual security measure did not constitute a breach of the GDPR.
Holding
The Regional Court Ravensburg held that the data subject's complaint was partially justified.
The data subject is entitled to non-material damages under Article 82(1) GDPR for the data scraping incident and Facebook's failure to provide a data breach notification.
The company’s failure to adequately respond to the data subject's request for access under Article 15 GDPR cannot give rise to a claim for damages under Article 82(1) GDPR, as it did not cause any additional non-material damage to the data subject. Thus, it remains undecided whether Facebook has infringed Article 15(1) GDPR by failing to provide sufficient information.
The Regional Court decided that the data subject is entitled to claim non-material damages in the amount of €1,000 under Article 82(1) GDPR against Facebook due to various violations of the GDPR. The court considered the company to be data controller within the meaning of Article 4(7) GDPR.
The Court also held that the injunctive relief sought by the data subject was justified.
In its overall assessment, the Court took into account that there were different breaches of data protection law. On the one hand, the lack of protection before the data leak and, on the other hand, the lack of information afterwards.
Facebook infringed Article 32(1) by failing to adequately protect the data subjects personal data against web scraping attacks. By using “security captchas”, an automated data querying by entering number sequences would have been prevented or at least made significantly more difficult. Facebook only provided general security measures and did not specifically state that it uses "security captchas" to protect data subject’s personal data from web scraping attacks.
The company has also not specifically stated that it has taken equivalent measures to prevent the obvious possibility of misuse of the Contact Import Tool. Technical measures, such as limiting the amount of requests from a given IP address in a given period of time, were clearly not sufficient.
Facebook infringed Article 33(1) GDPR by not immediately reporting the data protection incident to the competent data protection authority within 72 hours of becoming aware of it. It also violated Article 34(1) GDPR by not informing the data subject immediately after becoming aware of the data protection incident. The Court considered that the additional requirement of Article 34(1) had been met. The web scraping attack posed a high risk to the personal rights and freedoms of the data subject. The personal data collected in relation to the telephone number could be misused by unauthorised persons, in particular in commercial transactions. This posed a risk of financial loss to the data subject.
The Regional Court Ravensburg took into account the decision of the Court of Justice of the European Union (C-300/21), according to which a mere breach of the GDPR is not sufficient to give rise to a claim for damages under Article 82(1) GDPR. However, the data subject has suffered specific and individual damage as a result of the data breach. The data subject's personal data was actually disclosed to unauthorised persons and published on the Internet in a public forum.
The damage caused by the disclosure of data to unauthorised third parties is also significant enough to justify a claim for damages. The Court of Justice of the European Union stated in the same decision (C-300/21) that compensation for non-material damage does not depend on a certain threshold of significance.
Comment
For further information to the incident see: https://www.wired.com/story/facebook-data-leak-contact-import-flaws/ and https://www.wired.com/story/facebook-data-leak-500-million-users-phone-numbers/
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Court: LG Ravensburg 2nd Civil Chamber Decision date: June 13, 2023 File number: 2 O 228/22 ECLI: ECLI:DE:LGRAVEN:2023:0613.2O228.22.00 Document type: Judgment Source: Standards: Art. 32 para. 1 letter b EUV 2016/679, Art. 33 para. 1 EUV 2016/679, Art. 34 para. 1 EUV 2016/679, Art. 82 para. 1 EUV 2016/679 Violation of the General Data Protection Regulation by Facebook Guiding principle The defendant, as the operator of the Facebook platform, violated Art. 32 para. 1 GDPR because it did not adequately protect the plaintiff's data set against an attack by "web scraping". By using "security captchas", an attack by mechanically querying data by entering number sequences would have been prevented or at least made significantly more difficult. (para. 22) Tenor 1. The defendant is ordered to pay the plaintiff €1,000 plus interest of five percentage points above the base interest rate since November 3, 2022. 2. The defendant is ordered to refrain from making the plaintiff's personal data accessible without taking adequate security precautions against the retrieval of data by unauthorized third parties, as happened on the occasion of the so-called Facebook data leak, which according to the defendant took place between January 2018 and September 2019. 3. The defendant is ordered to indemnify the plaintiff for pre-trial legal costs of €453.87 to the plaintiff's legal representatives. 4. The action is otherwise dismissed. 5. The plaintiff shall bear 38% of the costs of the legal dispute and the defendant shall bear 62%. 6. The judgment is provisionally enforceable for the plaintiff with regard to the tenor of item 2 against security in the amount of the fine to be determined and otherwise against security in the amount of the respective amount to be enforced. The plaintiff is permitted to avert enforcement by the defendant against security in the amount of the respective amount to be enforced, unless the defendant provides security in the amount of the respective amount to be enforced before enforcement. - Page 1 of 7 - Amounts in dispute: Claim no. 1 €2,000 Claim no. 2 €1,000 Claim no. 3 €500 Claim no. 4 €3,000 Total: €6,500 Facts 1 The parties are in dispute over claims for damages, injunctive relief and information in connection with the use of the Facebook platform operated by the defendant and a data scraping incident. 2 At an unknown point in time, presumably between January 2018 and September 2019, third parties read personal data (in particular name, gender and user ID) from Facebook's database and were able to assign specific telephone numbers to the individual data sets. These third parties had presumably entered fictitious numbers in the Facebook tool CIT (Contact Import Tool or Contact Importer) by means of the "number list" and were thus able to assign the telephone numbers on Facebook to certain publicly accessible data of certain people. At the beginning of April 2021, data records obtained in this way were made available for download on the Internet in a well-known "hacker forum", including the plaintiff's data record. 3 The plaintiff is of the opinion that he is entitled to a claim for damages under Art. 82 (1) GDPR because the defendant made the plaintiff's personal data accessible to unauthorized third parties. In particular, it did not sufficiently protect the data against an attack by "web scraping", for example by using "security captchas" that make automatic queries by software more difficult. Due to the unauthorized publication of his personal data, the plaintiff suffered a specific, compensable non-material damage in the form of a loss of control over his data. A compensation amount of at least EUR 2,000 is appropriate. 4 The plaintiff also believes that the defendant did not fulfill its obligation to provide information under the GDPR. It did not adequately comply with the plaintiff's request for information. A compensation amount of at least EUR 1,000 is appropriate for this. 5 The plaintiff also believes that he is entitled to an injunction against the defendant, so that his personal data is not made accessible to unauthorized third parties in the future. 6 The plaintiff requests: 7 1. The defendant is ordered to pay the plaintiff non-material damages as compensation for data protection violations and the enabling of unauthorized determination of the telephone number (+49…) - Page 2 of 7 - and other personal data of the plaintiff such as first name, last name, e-mail address, gender, date of birth, the amount of which is left to the discretion of the court, but should not be less than the amount of EUR 2,000.00, plus interest at a rate of 5 percentage points above the base interest rate since the action was brought. 8 2. The defendant is ordered to pay the plaintiff further non-material damages for failure to provide extrajudicial data information in accordance with the statutory requirements within the meaning of Article 15 of the GDPR, the amount of which is left to the discretion of the court, but should not be less than EUR 1,000, plus interest of 5 percentage points above the base interest rate since the action was brought. 9 3. The defendant is ordered to provide the plaintiff with information about the other personal data concerning the plaintiff that could be obtained by unauthorized persons, namely which data other than the plaintiff's telephone number could be obtained from the defendant by which recipients at what time through "web scraping", the use of the contact import tool or in any other way without authorization. 10 4. The defendant is ordered to refrain from making personal data of the plaintiff, in particular the telephone number, accessible to unauthorized third parties, as happened on the occasion of the so-called Facebook data leak, which according to the defendant took place in 2019, on pain of a fine of up to EUR 250,000.00 to be set by the court for each case of infringement, or alternatively a term of imprisonment to be enforced on its legal representative (director), or a term of imprisonment to be enforced on its legal representative (director) for up to six months, or up to two years in the event of a repeat offense. 11 5. The defendant is ordered to indemnify the plaintiff from pre-trial legal costs of EUR 800.39 plus interest since the action was brought in the amount of 5 percentage points above the base interest rate to the plaintiff's legal representatives. 12 The defendant requests that 13 the action be dismissed. 14 The defendant is of the opinion that the action is already partially inadmissible and that claims 1 and 4 are not sufficiently specific. 15 The defendant admits that data scraping took place on Facebook between January 2018 and September 2019. However, the defendant is of the opinion that it cannot be blamed for any violations of the GDPR, as neither unauthorized disclosure of data nor unauthorized access to personal data took place. In this regard, it claims that the data retrieved during the scraping was publicly accessible data in the plaintiff's Facebook profile, which was either necessarily public user information (name, gender and user ID) or was publicly accessible according to the plaintiff's respective target group selection. The defendant considers the plaintiff's claim that the defendant has not taken any security precautions such as captcha queries to be not only incorrect but also unsubstantiated. Insofar as the lack of individual technical and organizational measures such as captcha queries is claimed, an overall assessment of all measures is important, so that a missing individual measure cannot in itself constitute a violation. The defendant maintains a large number of measures to prevent scraping and is continually developing them, including captchas. 16 The defendant considers that it was not obliged to notify the plaintiff under Art. 34 GDPR or the supervisory authority under Art. 33 GDPR, since the requirements of the legal definition in Art. 4 No. 12 GDPR were not met. There was no breach of security and no unauthorized disclosure (or unauthorized access) of personal data. 17 The defendant continues to take the view that it did not violate Art. 15 GDPR with its information. The defendant duly answered the plaintiff's request for information dated April 4, 2022 on May 2, 2022 (Appendix B 16). 18 To supplement the facts and the state of the dispute, reference is made to the written submissions exchanged between the parties and the attachments. Reasons for the decision 19 The action is admissible. The international jurisdiction of German courts follows from Article 6 paragraph 1, Article 18 paragraph 1 of the Brussels I Regulation. The Ravensburg Regional Court also has local jurisdiction pursuant to Article 18 paragraph 1 Alt. 2 of the Brussels I Regulation and Article 79 paragraph 2 sentence 2 of the GDPR. The claim under 1 and no. 4 are also sufficiently defined, in that in no. 1 the amount of the damages and the specific underlying facts are described and in no. 4 the behavior to be avoided is specifically described. 20 However, the claim is only partially justified. I. 21 According to claim no. 1, the plaintiff is entitled to non-material damages in the amount of EUR 100 against the defendant, who is to be regarded as the responsible party within the meaning of Article 4 no. 7 of the GDPR.1,000 euros from Art. 82 (1) GDPR due to various violations of the GDPR. 22 1. The defendant violated Art. 32 (1) GDPR because it did not adequately protect the plaintiff's data set against an attack by "web scraping". The use of "security captchas" would have prevented an attack by machine querying data by entering number sequences or at least made it significantly more difficult. The defendant did not specifically claim that "security captchas" were used in this respect. On page 80, paragraph 62 of its statement of defense, it only stated in general terms: 23 "During the relevant period, as already explained, the defendant maintained a large number of measures to prevent scraping and is continuously developing these. These include, among other things, captchas, (....).“ 24 This blanket denial is irrelevant according to Section 138 Paragraph 3 of the Code of Civil Procedure. 25 The defendant has also not specifically stated that it has taken equivalent measures to prevent the obvious possibility of misuse of the CIT (Contact Import Tool). The transmission restrictions that were imposed according to the defendant's statement, which reduce the number of requests that can be made per user or a specific IP address in a certain period of time, were clearly inadequate. 26 2. In addition, the defendant violated Article 33 (1) GDPR by not immediately reporting the data protection violation to the competent authority within 72 hours of becoming aware of it, as the plaintiff claims, and also Article 34 (1) GDPR by not immediately informing the plaintiff after becoming aware of it. The defendant did not dispute this statement in a qualified manner, so that the plaintiff's corresponding statement is deemed to be admitted in accordance with Section 138 (3) ZPO. The additional requirement of Article 34 (1) GDPR also applies, namely that the violation of the protection of personal data must probably result in a high risk to the personal rights and freedoms of natural persons, because the plaintiff's personal data in connection with the telephone number could be misused by unauthorized persons, particularly in business transactions, with the risk of financial loss for the plaintiff. 27 3. Due to the unauthorized publication of his personal data, the plaintiff has suffered compensable damage. A mere violation of the GDPR is not sufficient to justify a claim for damages pursuant to Art. 82 Para. 1 GDPR (ECJ, judgment of May 4, 2023 - C-300/21 -, juris para. 42). However, the plaintiff has suffered specific and individual damage, because as a result of the violation, his personal data was actually leaked to unauthorized persons and posted on the Internet in a public forum. This damage due to data loss to unauthorized third parties is also significant enough to award a claim for damages. This is because compensation for non-material damage does not depend on a certain significance threshold being reached (ECJ, judgment of May 4, 2023 - C-300/21 -, juris para. 51). 28 4. In an overall assessment, it must be taken into account that there are different data protection violations, namely, on the one hand, inadequate protection prior to the data leak and, on the other hand, the lack of information afterward. The latter is also serious. The injured party has a considerable interest in being informed of a violation at an early stage by himself and the competent authority. Overall, a moderate amount of damages of €1,000 was to be set. 29 The plaintiff can demand lis pendens interest from November 3, 2022 in accordance with Sections 291 (1), 288 (1) of the German Civil Code, since the lawsuit was served on November 2, 2022 at the latest (date of the statement of defense). II. 30 The claim for damages asserted with claim no. 2 in accordance with Art. 82 (1) GDPR does not exist. It can remain undecided whether the defendant violated Art. 15 (1) GDPR by providing insufficient information. Such a violation cannot give rise to a claim for damages because it did not cause any additional non-material damage to the plaintiff. III. - Page 5 of 7 - 31 The plaintiff is also not entitled to a claim for information in accordance with claim no. 3. In the event of a violation of Art. 34 GDPR, which is to be affirmed here (see I. above), the controller must inform the data subject which data is affected by a data protection incident. However, the defendant has fulfilled this requirement. In a letter dated May 2, 2022 (Appendix B 16), it informed the plaintiff both about the scraping and the suspected actions of the scrapers, as well as about the affected data categories (page 6 of this letter) that could be read out with the CIT. IV. 32 The claim for injunctive relief asserted by the plaintiff in claim no. 4 is founded. To the extent that there is no separate basis for a claim for preventive injunctive relief in the GDPR, Sections 823 Para. 2 and 1004 of the German Civil Code apply analogously (Munich Higher Regional Court, judgment of January 19, 2021 - 18 U 7243/19, juris para. 62). 33 However, the tenor of the injunction still needs to be clarified. Access is only to be omitted if adequate security precautions are not taken against the retrieval of data by unauthorized third parties. In addition, the addition “in particular the telephone number” must be omitted, since the telephone number was probably not retrieved from Facebook’s database, but could be assigned to a specific person using the method used (“number list”). And insofar as the claim in section 4 states "as happened on the occasion of the so-called Facebook data leak, which according to the defendant took place in 2019", this should be formulated more precisely to mean that the data leak "took place in the period from January 2018 to September 2019" (page 12/13 [para. 9] of the statement of defense dated January 26, 2023). 34 The risk of repetition required for an injunction exists because it is actually presumed in the case of an unlawful interference with a protected legal interest of the person concerned (Grüneberg/Herrler, BGB, 82nd edition 2023, § 1004 para. 32). 35 The threat of administrative sanctions follows from Section 890 of the Code of Civil Procedure. V. 36 As part of the claim for material damages pursuant to Art. 82 Para. 1 GDPR, the plaintiff can also claim exemption from the claim of the plaintiff's legal representatives for payment of pre-trial legal fees pursuant to claim no. 5. Default is not necessary for this, because the claim for damages arises with the infringement. Based on the object values to be taken into account for the respective claims no. 1 and no. 4 with a value of €4,000, this results in a 1.3 lawyer's fee including VAT and a flat rate postage of €453.87. The plaintiff cannot demand default interest in this respect, because he is responsible for any delay in payment. VI. 37 The decision on costs follows from §§ 91, 92 para. 1 ZPO, since the plaintiff was partially unsuccessful with claim no. 1 and completely with claims no. 2 and 3 (and thus in the ratio of €2,500: €6,500). - Page 6 of 7 - 38 The decision on provisional enforceability follows from §§ 708 no. 11, 709, 711 ZPO. - Page 7 of 7 -