12/12/2024

Federal Court of Justice rules on non-material damages for data protection violations

In a landmark ruling on 18 November 2024 (case no. VI ZR 10/24), the Federal Court of Justice ruled on claims for damages under Art. 82 GDPR. The judgement was based on a potential data protection breach by Facebook that allowed user data to be tapped on a massive scale in 2018-2019 by means of so-called scraping. The data protection incident became public knowledge when this data was published in April 2021. Since then, there have been hundreds of cases with different outcomes before German courts.

After the European Court of Justice had outlined its position on claims for damages under data protection law in various judgements in recent years, the aforementioned judgement is now a supreme court ruling in German jurisdiction - with potentially significant consequences for affected companies in Germany and Europe.

 

Background

The plaintiff in these proceedings was one of the approximately 533 million Facebook users (including around 6 million German users) whose data was made publicly available on the internet following a data leak at the beginning of April 2021. In 2018-2019, unknown persons had exploited a setting on Facebook that allowed users to be searched for and found using their telephone number (contact import function). By entering random sequences of numbers, they linked telephone numbers to user accounts and thus tapped publicly accessible data of these Facebook users, including name and gender (so-called scraping).

The plaintiff had configured the data protection settings on Facebook for his telephone number so that the number was only visible to him and not to other users. However, the plaintiff had left the default setting ‘all’ in the search settings of his profile. This meant that he could be found via the Facebook search function using his telephone number, even if it was not otherwise displayed publicly. By using the contact import function, the plaintiff's telephone number, user ID, name, gender and place of work were accessed and published.

In addition to other data protection claims, the plaintiff then demanded non-material damages in court, as the defendant had violated the GDPR and failed to adequately protect his data. This had led to a loss of control over his data and an increase in fraudulent contact attempts. At first instance, the Regional Court of Cologne awarded a claim for damages in the amount of 250 euros. Following an appeal by the defendant, the Cologne Higher Regional Court dismissed the claim at second instance.

 

Decision of the BGH

In recent months, the European Court of Justice has developed principles on the claim for damages under Art. 82 para. 1 GDPR. This requires a breach of the GDPR, the existence of material or non-material damage and a causal link between the breach and the damage. The Federal Court of Justice took up these principles in its ruling of 18 November 2024.

Firstly, the Federal Court of Justice clarified that the claim for damages under Art. 82 para. 1 GDPR only has a compensatory function. It does not serve as a deterrent or punishment. Therefore, multiple infringements would not automatically lead to higher damages. Only the damage incurred must be compensated.

The Federal Court of Justice then clarified - in line with the case law of the European Court of Justice (judgment of 4 October 2024, C-200/23) - that even the short-term loss of control over one's own personal data can constitute non-material damage without the need to prove additional tangible negative consequences. It is therefore also not necessary for the data concerned to be misused to the detriment of the data subject in the specific case.

However, the plaintiff must prove that he has suffered non-material damage - in this case a loss of control (ECJ, judgment of 20 June 2024, C-590/22). If the plaintiff succeeds in proving this, no further fears or anxieties on the part of the person concerned are required in order to affirm the existence of damage.

Finally, the matter was referred back to the Higher Regional Court, as it still had to clarify whether a data protection breach had occurred at all and decide on the amount of damages. The Federal Court of Justice pointed out to the Higher Regional Court that the amount of damages must take into account that the compensation must be complete and effective. However, damages do not fulfil a deterrent or punitive function. Consequently, the severity of the GDPR breach that caused the damage in question may not be taken into account, nor may the questions of whether a controller has committed several breaches against the same person and whether it has acted wilfully.

In its judgement, the Federal Court of Justice further states that in the event of damage in the form of a loss of control, the possible sensitivity of the specific personal data affected (see Art. 9 para. 1 GDPR) and its typical intended use must be taken into account when assessing the amount. Furthermore, the type of loss of control, the duration of the loss of control and the possibility of regaining control, for example by removing a publication from the Internet or changing the personal data (e.g. change of telephone number; new credit card number) must be taken into account. In cases where it would be possible to regain control with reasonable effort, the hypothetical effort required to regain control (here in particular a change of telephone number) could serve as an indication of effective compensation. For this reason, the Federal Court of Justice considers damages in the amount of EUR 100.00 to be appropriate in the case to be decided.

 

Practical tip

The judgement will have a significant impact on practice. On the one hand, it should be clear after this judgement that a mere loss of control is sufficient to give rise to a claim for damages. On the other hand, this loss of control must be proven by the person concerned. The provisions of the ZPO must be observed here. Particularly in the case of mass claims, it must be carefully checked whether the proof has been provided.

Nevertheless, it is to be expected that affected persons will increasingly assert claims for damages in scraping cases or similar cases (e.g. phishing or hacker attacks). In any case, the Federal Court of Justice has made it considerably easier for data subjects to assert claims for damages following data protection breaches. In particular, providers for mass proceedings or consumer protection organisations could now play a stronger role in data protection claims for damages.

One positive aspect for companies is the low amount of damages that the Federal Court of Justice considers appropriate. However, this can still lead to a high level of liability for many affected parties. The judgement of the Federal Court of Justice therefore shows once again that preventive data protection compliance is essential, especially in order to avoid the considerable liability risks.
