Facebook scraping: BGH awards users damages

Facebook users receive compensation for scraping.
Categories:

The Federal Court of Justice (BGH) has made a leading decision in connection with a far-reaching data protection incident at Facebook: Even the mere loss of control over personal data can constitute non-material damage within the meaning of Art. 82 (1) GDPR. What consequences the ruling has.

This is what Facebook scraping is all about

This decision by the Federal Court of Justice (VI ZR 10/24) concerns not only claims for damages, but also claims for declaratory and injunctive relief arising from a data protection incident. The case, in which data from around 533 million Facebook users was stolen at the beginning of April 2021 through so-called "scraping", is of considerable importance due to the increasing dissemination of personal data in the digital space.

The defendant, operator of the social network Facebook, made it possible for users to make their profile findable using their telephone number. This friend search function was misused by unknown third parties via the contact import function. The unknown parties used random phone number sequences to assign publicly accessible user data (such as name, gender and employer) to the phone numbers. In this way, they gained access to a large amount of personal data.

The plaintiff's data, including his user ID, name, workplace and gender, were also linked to his telephone number and thus made accessible to an uncontrolled group of people.

The plaintiff then filed a lawsuit and demanded non-material damages for loss of control and inconvenience. He also asserted claims for a declaratory judgment that Facebook should be liable for future material and immaterial damages, as well as claims for injunctive relief against data processing and reimbursement of pre-trial legal fees.

Loss of data control: lower courts disagree

The Regional Court of Bonn initially awarded the plaintiff a claim for damages in the amount of 250 euros, as Facebook had, in his opinion, taken inadequate security measures. On appeal, however, the Cologne Higher Regional Court (OLG) dismissed the claim in its entirety. It argued that the mere loss of control was not sufficient to justify non-material damage pursuant to Art. 82 para. 1 GDPR. Furthermore, the plaintiff had not suffered any psychological impairment beyond the loss of control.

By order dated October 31, 2024, the BGH determined the proceedings to be a reference order. At the hearing on 11 November 2024, the BGH came to a differentiated conclusion and ruled partly in favor of the plaintiff.

Federal Court of Justice rules against Facebook

  1. Claim for immaterial damages Following the decision of the BGH, the Higher Regional Court of Cologne incorrectly assessed the question of damages. According to the case law of the European Court of Justice (ECJ), the mere and short-term loss of control over personal data can already constitute non-material damage within the meaning of Art. 82 para. 1 GDPR. Neither a specific misuse of the data nor further demonstrable negative consequences are required. The loss of control alone can therefore be sufficient to justify a claim for damages. This interpretation is noteworthy, as it emphasizes the data subject's right to protection under the GDPR and clarifies that immaterial damage does not necessarily require a deeper or longer-lasting burden on the data subject. Rather, the loss of data sovereignty is already recognized as an adverse circumstance that can justify a claim for compensation.

  2. Assessment of the damage The BGH referred the proceedings back to the Court of Appeal with regard to the amount of damages, but provided guidance on the assessment of damages. It clarified that compensation for the loss of control in the order of around 100 euros could be appropriate. Reference is made to Section 287 of the German Code of Civil Procedure (ZPO), according to which the court is free to assess the amount of damages if there are no concrete indications for an exact figure.

  3. Determination of the obligation to pay compensation for future damages The plaintiff also sought a declaration of liability for future damages. The OLG had denied this because there was no interest in a declaratory judgment. The BGH disagreed and emphasized that the possibility of future damages due to the loss of data and the continued risk of misuse was certainly present. The plaintiff's interest in a declaratory judgment was therefore affirmed.

  4. Injunctive relief and right to information The plaintiff also requested that Facebook be ordered to refrain from continuing to use his telephone number without his consent. The BGH considered this injunctive relief to be sufficiently specific and affirmed the plaintiff's need for legal protection. The appeal was successful in this respect. However, the appeal was unsuccessful with regard to the further claim for injunctive relief and information. The BGH confirmed the opinion of the OLG that the plaintiff's claims were unfounded in this respect.

Principle of data minimization and consent

For the retrial, the Federal Court of Justice provides the Court of Appeal with instructions for examining Facebook's default settings. It points out that the default setting, according to which the telephone number is publicly visible by default, may not comply with the principle of data minimization. In addition, the Court of Appeal will have to examine whether the plaintiff has effectively consented to the processing of his data.

This information clarifies the requirements that the Federal Court of Justice places on social networks with regard to the design of default settings. In Art. 25 "Data protection by default", the GDPR requires that only the data required for the respective purpose is processed. Providers such as Facebook are therefore obliged to design the default settings of their platforms in a data protection-friendly manner and to ensure that users give their informed consent.

Reading tip: ECJ interprets "legitimate interest" in accordance with Art. 6 para. 1 lit. f GDPR

These are the consequences of the BGH ruling on Facebook scraping

The decision of the Federal Court of Justice significantly strengthens the non-material claims for damages of those affected by data protection breaches. By recognizing the mere loss of control as damage, there is no need to prove concrete psychological or material consequences. This approach is in line with the case law of the ECJ, which emphasizes the protection of data sovereignty. It is to be expected that this ruling will have a significant impact on the practice of companies that process large amounts of personal data.

The ruling also clarifies that future damages from data protection violations may also fall under the claim for damages, which is particularly relevant in light of the ongoing digitalization and networking of personal data. Companies must adapt their data protection strategies and handle the processing and storage of personal data in a particularly restrictive manner in order to prevent claims for damages in the future.

Source: Judgment of the VI Civil Senate of 18.11.2024 - VI ZR 10/24 -

Tags:
Share this post :
en_USEnglish