Digital Business / Dispute Resolution – Litigation – Arbitration Proceedings / IT Law and Data Protection
27.11.2024, Newsletter
Are companies losing the last bit of control over data protection related claims for damages? - The Federal Court of Justice issues judgement on damages due to loss of control in Facebook scraping cases
On 18 November 2024, the German Federal Court of Justice (Bundesgerichtshof, BGH) issued a judgement that makes it easier to prove damages in the form of loss of control in connection with data protection incidents. At least, the BGH considers the amount of damages to be rather low compared to sums frequently claimed. This will influence a large number of current and future claims for damages.
What are the proceedings before the BGH about?
On 18 November 2024, the BGH issued a judgement in one of the numerous cases on data loss through so-called scraping on Facebook (case no. VI ZR 10/24). The subject of the decision is the scraping of telephone numbers and other data about Facebook users in 2018 and 2019, which were publicly distributed on the internet in April 2021. This included the plaintiff's personal data, namely his telephone number in combination with his user account data, i.e. user ID, first name, surname, gender and place of work. The plaintiff filed a claim against the defendant for a breach of the GDPR, primarily for non-material damages in an amount of at least EUR 1,000, because he had suffered a noticeable loss of control over his data, which reportedly led to a massive increase in fraudulent contact attempts, as well as resulting fears and worries. In addition, the plaintiff sought a declaration regarding the obligation to compensate future damages, cease and desist and a subject access request. At first instance, the Regional Court awarded the plaintiff damages in the amount of EUR 250 and otherwise dismissed the action. The Higher Regional Court dismissed the action in its entirety on appeal.
The BGH has largely overturned the decision of the Higher Regional Court of Cologne and referred it back to that court for a new decision. The court must now first examine whether there was a GDPR breach at all (the indications of the BGH suggest that this is to be affirmed) and if so review the corresponding claims and amounts.
Why is the judgement relevant?
The judgement has caused a stir because a large number of similar individual lawsuits from consumers are pending before German courts. The plaintiffs' representatives are often specialised consumer law firms that lure users with the promise of non-material damages of up to EUR 5,000 for GDPR violations. The claims for damages are regularly accompanied by a number of other claims such as a declaration for compensation for future damages, cease and desist and subject access requests as well as compensation for pre-trial legal fees. It has already become apparent in the run-up to the decision that the courts dealing with comparable proceedings are waiting for the BGH judgement in order to base their judgements on it. However, the judgement will also foreseeably influence the future enforcement of claims for damages due to breaches of the GDPR.
What has the BGH ruled on loss of control as damage?
It is of particular importance that the BGH categorises the loss of control over personal data as such to be an immaterial damage, subject to the condition that the data subject can prove such a loss of control, e.g., by demonstrating that he or she was in control beforehand. In contrast, it is not necessary for the loss of control to result in further damage, such as a specific misuse of the data or psychological impairment of the data subject.
It is unclear whether this interpretation of the BGH is fully compatible with the recent case law of the CJEU (judgment of 4 October 2024 - C-200/23), which requires proof of loss of control, but without giving further explanations. The CJEU has also clarified several times that the infringement cannot be the same as the damage. If, however, the infringement consists in unauthorised third parties having access to the personal data and this is accompanied by the loss of control of the data subject, the question arises as to what specific adverse consequences the plaintiff must demonstrate in order to avoid such an equation of infringement and damage. For example, the Federal Social Court has ruled that a "merely formulaic assertion of having suffered a 'loss of control' as a result of being in the dark about the processing of one's personal data" is not sufficient (BSG, 24 September 2024 - B 7 AS 15/23 R). In a more recent decision, the Federal Labour Court, referring to the loss of control, also required more extensive evidence of concrete negative consequences rather than merely formulaic assertions of concern (BAG, 20 June 2024, 8 AZR 124/23). The supreme federal courts are obviously not following a uniform line, which would actually have required a decision by the Joint Senate. Finally, in relation to a loss of control, the required causality is not always easy to demonstrate. If, for example, an email address has already been lost and published in previous data leaks, then, on a literal understanding, a new loss of control cannot have occurred in a subsequent data leak. The topic of proof of the damage has therefore not been entirely resolved, even if the requirements have been relaxed.
Other than that, the BGH continues to require that specific negative consequences must be substantiated and, if necessary, proven, and thus continues to be in line with the CJEU. The mere formulaic assertion of "discomfort" and "concern" is not sufficient; rather, concrete circumstances must be submitted. This is often lacking, particularly in the case of mass action by consumer law firms.
What does the BGH say about the amount of damage?
The BGH has commented in detail on the assessment of the amount of damages and clarified that an estimate must be made in accordance with Sec. 287 Code of Civil Procedure. According to the BGH, the damage must be fully and effectively compensated, taking into account, however, that claims for damages under Art. 82 GDPR have a purely compensatory function, but no punitive or deterrent function.
If the damage results solely in a loss of control, the sensitivity and appropriate use of the specific data concerned must be taken into account, as well as the type and duration of the loss of control and the possibility of regaining control. In this context, the BGH considers measuring the damage on the basis of the hypothetical costs of regaining control over the lost data. These costs are likely to vary considerably in individual cases and depending on the data concerned, e.g. a passport number, credit card number, telephone number or email address. The BGH doubted that in this specific case a single-digit amount would be compatible with the principle of effectiveness, but considers an amount in the order of around EUR 100 to be appropriate.
What else did the BGH decide?
Other findings of the BGH were more predictable. The BGH affirms the admissibility of applications for declaratory judgement if an infringement and damage have already been established and the possibility of future damage can therefore be affirmed. If this is not the case, this is likely to remain a difficult issue. Motions for cease and desist are only sufficiently specific if they contain a reference to the specific act of infringement or if the specific form of infringement is the subject of the motion. Furthermore, the demand for relief, at least on the basis of the statement of claim, needs to clearly show which characteristics of the disputed behaviour form the basis and connecting factor for the infringement and thus the injunction. Particularly in the case of data leaks as a result of cyber attacks by unknown third parties, it will rarely be possible to formulate specific cease and desist motions. Claims for information under Art. 15 GDPR will often be fulfilled at an early stage. In this regard, the BGH has clarified that information about specific recipients of the stolen data cannot and must not be provided if unknown third-party offenders are involved.
Will an even bigger wave of lawsuits follow?
The BGH's guiding judgement is a win for plaintiffs and consumer lawyers only at first glance. The loss of control may constitute immaterial damage per se, but the damages will generally be in the rather manageable range of EUR 100. This takes away the foundation for mass litigation aimed at non-material damages of several thousand euros per case. The same applies to enticing advertising promises made by consumer lawyers, who up to now have often been able to count on their business model being supported by legal expenses insurers. Following the guiding decision, it will no longer be possible to justify promises of cover for excessive claims.
It remains to be seen whether the prospect of a compensation of around EUR 100 in the future will motivate data subjects to file individual lawsuits. In any case, due to the lower value in dispute, the district courts rather than the regional courts would then have jurisdiction. Presumably, class actions in the form of model declaratory actions or redress actions will now become an alternative. Class actions are designed to enforce the claims of a large number of similarly aggrieved consumers without major (financial) expenditure by consumer associations – which also includes helping consumers affected by data leaks to enforce their rights.
The decision of the Federal Court of Justice will therefore cause the huge numbers of individual lawsuits to subside and – likely – lead to the bundling of consumer claims in class actions. This will at least protect the interests of consumers and the courts. Companies must be prepared for the fact that in the future they will be confronted with a class action instead of a large number of individual claims. The best protection against that is to be compliant with their GDPR obligations.