OLG Stuttgart - 4 U 97/24
| OLG Stuttgart - 4 U 97/24 | |
|---|---|
 | |
| Court: | OLG Stuttgart (Germany) |
| Jurisdiction: | Germany |
| Relevant Law: | Article 99 GDPR |
| Decided: | 04.12.2024 |
| Published: | |
| Parties: | Plaintiff (User of the social network Fxxx), Defendant (Operator of the platform) |
| National Case Number/Name: | 4 U 97/24 |
| European Case Law Identifier: | ECLI:DE:OLGSTUT:2024:1204.4U97.24.00 |
| Appeal from: | LG Heilbronn (Germany) 6 O 297/23 |
| Appeal to: | Unknown |
| Original Language(s): | German |
| Original Source: | Baden-Württemberg State law BW (in German) |
| Initial Contributor: | Shravan |
A court held that a data subject failed to demonstrate that an alleged data breach on a large social network occurred after the GDPR went into effect. Thus, the court rejected the data subject’s damages claims arising from the incident.
English Summary
Facts
The parties were involved in a legal dispute regarding a data breach resulting from a scraping incident on the controller’s social network. The data subject, a user of the controller’s social network, claimed that their personal data was unlawfully accessed through the controller's contact importer tool. The alleged data scraping incident occurred in 2019, but the exact timeline was disputed between the parties.
The controller initially disputed the details of the data breach, stating that no concrete evidence could be provided to confirm the timing of the breach. The data subject claimed that the breach occurred after the entry into force of the GDPR on 25 May 2018, and sought compensation for damages resulting from the unauthorized access to their data.
The Regional Court (Landgericht Heilbronn - LG Heilbronn) initially ruled in favor of the data subject, awarding €500 in damages and recognizing the controller’s obligation to compensate for future damages. However, the controller appealed the decision, arguing that the breach could have occurred before the GDPR’s enforcement date.
Holding
The court held that the controller’s appeal was successful. It found that the data subject failed to provide sufficient evidence to prove that the data access occurred after 25 May 2018, the date when the GDPR came into effect. The court emphasized that it was the data subject’s responsibility to prove that the breach occurred within the applicable time-frame for the GDPR and that it did not provide adequate evidence to support this claim.
The court also noted that while the controller had more knowledge of the data breach, they had satisfied their secondary burden of presenting details of the event, including references to the press release, which indicated the data scraping occurred "before September 2019." The court clarified that this formulation remained uncertain as to whether the breach occurred before or after the GDPR's entry into force.
Given the lack of evidence from the data subject, the court ruled that the GDPR did not apply to the incident. As a result, the action was dismissed, and the controller’s appeal was upheld.
Comment
In this case, the burden of proof was placed on the data subject to demonstrate that the breach occurred after the GDPR came into effect. However, this raises concerns, as users typically lack access to internal systems or evidence to prove the timing of such breaches. The data controller, having better access to relevant information, would be in a stronger position to prove whether the breach occurred within or outside the scope of GDPR.
This decision is also interesting as presumably the same incident was already subject the Federal Court of Justice's (Bundesgerichtshof - BGH) decision in to BGH - VI ZR 10/24 where the BGH accepted the court of first instance's finding that the GDPR was applicable.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Course of procedure LG Heilbronn, 1. March 2024, 6 O 297/23, judgment Tenor 1. The defendant's appeal is upheld by the judgment of the Regional Court of Heilbronn of 01.03.2024, Az. Rt 6 O 297/23, as amended: The action is dismissed. 2. The plaintiff must bear the costs of the litigation in both instances. 3. The judgment of the Senate and - insofar as the action was dismissed there - the judgment of the Ulm Regional Court referred to in section 1 are provisionally enforceable without security. 4. The revision is not allowed. 5. The amount in dispute for the appeal proceedings is set at EUR 1,000. Reasons I. Margin number1 The parties are arguing for damages, determination, injunction and information claims under the General Data Protection Regulation (hereinafter: GDPR) from a scraping incident on the defendant's platform (the access to personal data from the defendant's contact importer tool), which became known in April 2021. Margin number 2 The plaintiff maintains a user account with the defendant, which operates the social network Fxxx. According to the plaintiff, their personal data was seized, whereby the procedure is disputed in detail between the parties. Number 3 With the judgment under appeal, the regional court ordered the defendant to pay an amount of € 500.00 plus interest, dismissing the claim and found that the defendant is obliged to compensate the plaintiff for all future damages incurred and/or still arise to the plaintiff as a result of the unauthorized access to the defendant's data archive of third parties, which, according to the defendant's statement, took place in 2019. Margin number 4 With regard to the time of data access, there are no concrete findings in the district court judgment. The regional court does not comment on the temporal applicability of the GDPR. Margin number 5 Because of the arguments of the parties in the first instance, the course of the proceedings and the content of the judgment, reference is made to the facts and the reasons for the decision of the contested decision (§ 540 para. 1 No. 1 ZPO). Margin number 6 The defendant appealed against the judgment and requested, Margin number 7 the judgment of the Regional Court of Heilbronn of 1. March 2024, Az. Rt 6 O 297/23 to be amended to the extent of the defendant's complaint and to dismiss the action. Border number 8 The plaintiff requests, Border number 9 dismiss the defendant's appeal. Margin number 10 Due to the further presentation of the parties, reference is made to the exchanged pleadings together with the annexes as well as to the minutes of the oral hearing. II. Margin number11 The defendant's appeal is admissible. It was filed and justified in due form and on time. Border number 12 The defendant's appeal is successful in its entirety. In the present case, it cannot be established with sufficient certainty that the data was only accessed after the entry into force of the GDPR (on 25.05.2018). A) Margin number13 The conclusiveness of a lawsuit - this also includes whether a claim norm is applicable in time at all - is assessed according to the plaintiff's arguments at the time of the last oral hearing of the facts (Zöller/Vollkommer, ZPO, 35. Rel. 2024, § 300 Rn. 3). A party is not prevented from changing its arguments in the course of the legal dispute, in particular to clarify, supplement or correct (BGH, decision of 24.07.2018, VI ZR 599/16 Rn. 12, WM 2018, 1833 [1834]; BGH, decision of 21.07.2011, IV ZR 216/09 Rn. 6). It is also not bound by its first-instance arguments in the appellate instance. Border number14 A party may also only present and prove presumed facts if it has or cannot have more precise knowledge about them, provided that it considers the facts to be likely according to the state of affairs (BGH NJW 2021, 1759 [1761 Rn. 18]; BGHZ 216, 245 [257 Rn. 33]). Such a procedure only becomes inadmissible where the party arbitrarily makes claims "for the sake of the right right" or "into the blue" without tangible evidence for the existence of a certain fact. The assumption of arbitrariness in this sense is necessary to exercise restraint; as a rule, it will only be justified in the absence of any factual indications (BGH NJW-RR 2015, 829 [830 Rn. 13]). Overall, it is necessary that it is clarified which claims should apply. B) Margin number 15 Based on this, the presentation of the plaintiff at the time of the access of their data is to be regarded as conclusive, since at the time of the last oral hearing it was made clear that a data transfer should be assumed in 2019 and thus after the entry into force of the GDPR. However, the presentation, which is to be treated as conclusive, does not in itself, lead to the fact that data is to be assumed during the temporal validity of the GDPR, because the plaintiff bears the burden of proof for this circumstance and has not - according to the secondary presentation of the defendant now held - this proof. Aa) Border number16 In principle, the plaintiff bears the burden of presentation and proof that the temporal scope of the GDPR is open. This principle needs to be restricted, since the plaintiff, as the party primarily charged with presentation, is outside the relevant course of events and has no knowledge of the relevant facts and cannot determine the facts on its own own, while the defendant can easily provide the necessary actual clarification and also to be expected. It is also the responsibility of the disputer to undertake reasonable investigations within the scope of the secondary burden of presentation (BGH, judgment of 05.10.2023, III ZR 216/22 Rn. 31; BGH, judgment of 04.02.2021, III ZR 7/20 Rn. 19, NJW 2021, 1759; BGH BeckRS 2020, 36575 Rn. 26; BGH NJW 2016, 3244 [3245 Rn. 18]; also compare BGH NJW 1997, 128 [129]; BGH NJW 1996, 315 [317]). The "burden" consists in the duty to have to dispute the general arguments of the opponent burdened with the presentation (exceptionally) with further details. It is therefore up to the opponent - here the defendant - to present details of the claim of the data absorption in 2019 and to comment on the allegations in at least a substantiated manner. The extent of the secondary burden of presentation depends on the circumstances of the individual case. The explanations must be so concrete that the party burdened with evidence is capable of refuting (BGH, judgment of 04.02.2021, III ZR 7/20 Rn. 19, NJW 2021, 1759) bb) Margin number 17 The defendant has in any case satisfied the secondary burden of presentation that affects her with the arguments in the pleading of 18.11.2024 (P. 470). The plaintiff then remains in proof for the time of the withdrawal. Edge number 18 Thus, the defendant's press release of 06.04.2021 does not show that the abse can only have taken place in 2019. It states that "malicious actors scrapped the data from the platform before September 2019" by "using the contact importer before September 2019" and "the problem was fixed in 2019". However, an absap "before September 2019" - which is mentioned twice - may have already taken place in 2018, whereby this formulation remains open with regard to the exact time. Nor can the defendant be denied (especially after gaining further factual findings) in a process to give another (complemented, changed, corrected) presentation, especially if this is comprehensibly justified by the fact that the facts were still in the investigation at the time of the preparation of the press release and at the time it was a matter of reacting to various media reports in a timely manner. Border number 19 It also cannot be assumed to be a permanent offense, because the access of data to a certain profile from the CIT can only take place at a very specific time in the case of a hit with regard to the telephone number, namely when the specific data record is retrieved from the tool. If the data set was used before the validity of the GDPR, possible violations of the provisions of the GDPR cannot be the cause of this. Margin number20 In response to the Senate, the defendant also additionally stated that she was not in possession of the raw data that contained the data retrieved by the scraping and that, due to the time that has elapsed since the facts, no log files or the like would be kept available that could enable her to clarify exactly how the scraping facts had proceeded and when the data of the respective plaintiff had been accessed. According to the requirements of the GDPR, it is also not entitled to keep such log files available. She therefore did not know who the scrapers were or which Fxxx account was used to view the Fxxx profiles of the users. Margin number 21 In doing so, the defendant has satisfied the secondary burden of presentation that affects her and has done what is necessary in its part to dispute the presentation of the plaintiff in a qualified manner. cc) Margin number22 The plaintiff did not give any further presentation or even offer evidence. The unreclabability is at their expense and leads to the fact that it cannot be established with sufficient certainty that the concrete access of the data took place after the entry into force of the GDPR on 25.05.2018. III. Margin number 23 The decision on costs is based on § 97 ZPO. The decision on provisional enforceability is based on §§ 708 No. 10, 711, 713 ZPO and the determination of the value in dispute in §§ 47, 48 GKG. Edge number 24 The revision is not allowed. Since it cannot be established that the data was deleted during the validity of the GDPR, the matter has no fundamental importance, but is an isolated case. In particular, the Senate does not contradict the decision of the Federal Court of Justice of 18.11.2024 (BGH, judgment of 18.11.2024, Az. VI ZR 10/24, GRUR-RS 2024, 31967), in which it was clarified with regard to the question of the temporal validity of the GDPR that the time of the scraping incident is decisive and that this did not take place in any case before the entry into force of the GDPR in the case decided by the Federal Court of Justice in relation to the plaintiff there according to the binding findings of the Court of Appeal (BGH, judgment of 18.11.2024, Az. VI ZR 10/24, GRUR-RS 2024, 31967 Rn. 19). This finding cannot be made in the present case.
