Update Data Protection No. 195
News from the Federal Court of Justice on damages in the case of scraping – a lose/lose situation for companies and consumers?
In its ruling of November 18, 2024 (case no. VI ZR 10/24), the German Federal Court of Justice ("BGH") issued a landmark judgment on claims for damages under Art. 82 of the General Data Protection Regulation ("GDPR"). The background to the proceedings was a data leak at Facebook, in which masses of user data were accessed through so-called scraping.
After the ECJ had outlined its position on claims for damages under data protection law in various rulings in recent years, there is now a supreme court ruling in German case law that takes up this ECJ case law. In doing so, the BGH does not merely apply the ECJ's requirements, but accentuates them even further – with potentially significant consequences for legal practice and the companies affected.
I. Facts of the case
The ruling concerns a data leak at the internet company Meta and its social network Facebook.
The plaintiff in these proceedings had a user account on Facebook and had entered personal data there. This included mandatory information such as name and gender when registering, but also the user ID assigned to him. This data is always publicly accessible on Facebook. For his telephone number, which the plaintiff also entered, he had configured the data protection settings so that the number was only visible to him and not to other users. In the search settings of his profile, however, the plaintiff had left the default setting "all". This meant that he could be found via the Facebook search function using all the data he had entered in his account - including his phone number, even if it was not otherwise displayed publicly.
This default setting allowed Facebook users, for example, to import stored telephone numbers into Facebook using the so-called contact import function and to find the corresponding users.
In 2018 and 2019, unknown third parties used this contact import function to assign telephone numbers to user accounts by entering random sequences of digits and to access the associated data (known as scraping). This data, which included information from around 533 million users, was distributed on the internet in April 2021. The plaintiff's personal data, including telephone number, user ID, name, gender and place of work, was also affected.
In addition to other data protection claims, the plaintiff then demanded non-material damages in court, as the defendant had violated the GDPR and failed to adequately protect his data. This had led to a loss of control over his data and an increase in fraudulent contact attempts. The Higher Regional Court initially dismissed the action at second instance.
II. (No) premiere for the leading decision procedure
In response to the plaintiff's appeal, the Federal Court of Justice designated the proceedings as so-called leading decision proceedings. This type of procedure enables the BGH to decide on key legal issues in the proceedings even if the parties have previously withdrawn the appeal, for example due to a settlement or for tactical reasons. In accordance with Section 552b of the German Code of Civil Procedure (ZPO), this option can be used if the appeal raises legal issues whose clarification is important for a large number of proceedings. This option was newly introduced on November 1, 2024, and the BGH used it for the first time in the present proceedings, as thousands of lawsuits are currently pending before German courts due to the same scraping incident. In the present case, there was ultimately no such leading decision, but only a normal appeal judgment because the proceedings were not settled beforehand. Nonetheless, the judgment deals with key legal issues that are relevant to a large number of proceedings.
III. European legal background
Before looking at the decision of the BGH, the background of European case law must be taken into account.
In particular, the European Court of Justice ("ECJ") recently issued two rulings on claims for damages under data protection law:
The judgment of the ECJ of May 4, 2023 (Case C-300/21) was based on the following questions of the referring Austrian court: Is a mere GDPR infringement sufficient to justify a claim for damages? Can a non-material claim for damages be made dependent on the damage reaching a certain degree of materiality and how is the non-material damage to be determined?
The ECJ then clarified that a GDPR infringement in itself is not sufficient to justify a claim. Rather, the infringement must have caused damage to the data subject. However, it would be contrary to Art. 82 para. 1 GDPR to make compensation for damage dependent on the damage to the data subject reaching a certain degree of significance. Finally, the amount of damages must only fully compensate for the damage suffered, without the damages having a punitive character.
The ECJ also ruled in its judgment of December 14, 2023 (case C-340/21) that compensable non-material damage may already exist if a data subject fears that their personal data could be misused by third parties as a result of the breach. Worries, fears and anxieties can therefore also fall under the concept of non-material damage in the context of Art. 82 para. 1 GDPR (see Update Data Protection No. 163 for details).
IV. Decision of the BGH
In its ruling of November 18, 2024, the BGH initially took up the recognized principles of European case law on claims for damages under Art. 82 para. 1 GDPR. This requires a breach of the GDPR, the existence of material or immaterial damage and a causal link between the breach and the damage.
When determining the scope of the claim for damages, the BGH, like the ECJ, first clarifies that the claim for damages under Art. 82 para. 1 GDPR only has a compensatory function. It does not serve as a deterrent or punishment. Therefore, multiple infringements would not lead to higher damages.
The Federal Court of Justice then went on to substantiate European case law on non-material damages. In its ruling, the BGH expressly stated that even the loss of control over one's own personal data can constitute non-material damage. This does not require any misuse of the data concerned to the detriment of the person concerned in the specific case. Even the mere loss of control is to be included in the concept of damage under EU law.
However, this does not exempt a plaintiff from having to prove that he has suffered such damage, which merely consists of the loss of control as such. Going beyond the previous case law of the ECJ, the BGH expressly states here that no particular fears or anxieties are required to assume damage if the loss of control is proven.
However, if such a loss of control cannot be proven, it may be sufficient, according to the BGH, if a data subject has a well-founded fear that their data is being misused.
With these statements, the BGH goes further than the ECJ. The latter had previously not clearly formulated whether the loss of control itself constitutes non-material damage or whether the loss of control can be sufficient to cause non-material damage, provided that the person concerned proves that he or she has actually suffered such damage, however minor it may be (e.g. in the form of well-founded fears).
V. Effects on legal practice
The ruling will have a significant impact on legal practice. It should give rise to ambivalent feelings on the part of both plaintiffs and defendants, and therefore companies and private individuals alike.
For plaintiffs in scraping proceedings or similar data protection damages proceedings, the decision of the Federal Court of Justice initially represents a considerable relief. They no longer have to demonstrate and, if necessary, prove at least concrete fears or anxieties about the loss of control. The loss of control in itself is sufficient. It has therefore become easier to establish a claim for damages under Art. 82 para. 1 GDPR.
The prospect for claimants is clouded, however, by the fact that the BGH has given the Higher Regional Court, to which the proceedings are now being referred back, a suggestion as to an appropriate assessment of damages. According to the BGH, an amount of € 100 is appropriate as non-material damages for the loss of control in the present case. This means that the BGH has set the non-material damages here at a lower level than the courts of lower instances have done in some cases.
However, this does not change the fact that the ruling is bad news for the defendant and for companies in general. In this scraping case alone, the number of potential plaintiffs against Meta is estimated at around 6 million people. As it is now considerably easier for the plaintiff to substantiate the claim, the judgment may result in a massive liability for the company overall, despite the low amount of damages in the individual case.
These considerations can also be applied to similar cases of data leaks. As soon as a large number of people are affected, there is a considerable financial risk for companies. This is because the amount of damages may be small in each individual case, but making it easier for plaintiffs to substantiate their claims may ultimately lead to an increase in liability risk. In particular, mass litigation providers or consumer protection associations could now play a greater role in data protection litigation. A look at the handling of mass proceedings for air passenger rights can serve as an indicator. Here, too, there are a large number of claims that are easy to substantiate, the assertion of which may not always be profitable for individual plaintiffs due to the low amount of the individual claims, but the mass assertion of which is profitable for mass providers due to the simple substantiation of claims.
Against this background, the ruling of the Federal Court of Justice shows once again that a robust approach to data protection compliance is not a "nice-to-have" for companies, but is essential for economic success and the avoidance of significant liability risks.