German Federal Court of Justice on GDPR mass actions – all clarity gone!

German Federal Court of Justice, Judgement of 18 November 2024, case no. VI ZR 10/24

Against the background of the Facebook scraping incident, the Federal Court of Justice (Bundesgerichtshof – BGH) has for the first time ruled on a GDPR mass litigation case. In doing so, the BGH also commented on whether the mere loss of control over personal data as such constitutes a non-material damage and how this is to be calculated. (This Insight is based on a German language article published in the December issue of “Datenschutz-Berater”.)

The Case

The defendant is the operator of the social network Facebook. For a period of time, it was possible to find Facebook profiles using a mobile phone number, depending on the users' contact settings. Unknown third parties used Facebook’s contact import function to assign telephone numbers to the associated user accounts by entering large numbers of randomised mobile phone numbers using corresponding number sequences. The treat actors then scraped the public data available for these user accounts, such as user ID, first and last name, place of work and gender. This data was then published on the internet together with the associated mobile phone number. Approximately 533 million Facebook users in 106 countries are affected by the incident, including approximately six million in Germany. As a result of the scraping incident, thousands of largely standardised lawsuits with identical wording are pending before German courts alone, seeking compensation for damages, an acknowledgement of liability for future damages, injunctive relief, data subject access under Article 15 GDPR, and reimbursement of pre-trial legal fees. In the case decided by the Federal Court of Justice, the plaintiff claimed compensation for non-material damage allegedly incurred in the amount of at least EUR 1,000. After the Regional Court in Bonn had awarded the plaintiff damages in the amount of EUR 250 and dismissed the action in all other respects (judgment of 29 March 2023 – 13 O 1 25/22), the Higher Regional Court of Cologne dismissed the action in its entirety on appeal (judgment of 7 December 2023 – 15 U 67/23). The Higher Regional Court of Cologne argued that the plaintiff had not demonstrated any non-material damage. A mere loss of control over personal data was not sufficient.

The Reasons

In response to the plaintiff's appeal, the Federal Court of Justice repealed the appellate judgment and referred the case back to the Cologne Higher Regional Court for a final decision.

The Federal Court of Justice considers the action to be admissible with respect to most claims. This is based on a very broad understanding of the subject matter of the dispute, which encompasses all of the alleged violations of the GDPR associated with the incriminated data processing. The uniform claim for damages can therefore be based both on the violation of GDPR provisions in connection with the scraping and on the defendant's alleged failure to provide complete information. The application for acknowledgment is also admissible: there is an interest in a declaratory judgment if there is a mere possibility of future damage, provided that the application covers not only material but also non-material future damage. However, the court considers one of the two applications for injunctive relief to be inadmissible. The wording ‘unauthorised third parties’, ‘state-of-the-art security measures’ and ‘exploitation of the system for purposes other than establishing contact’ are too vague and lack legal certainty.

In the matter, the Federal Court of Justice once again summarises the requirements for a claim for damages under Art. 82 GDPR: a violation of the GDPR, material or non-material damage, and a causal link between the violation and the damage. The person claiming damages bears the burden of presentation and proof that all three conditions are met. Furthermore, the claim is fault-based (i.e. requiring negligence or intent), whereby the defendant controller must exculpate himself.

The Federal Court of Justice interprets the concept of non-material damage in terms of Art. 82 GDPR very broadly. Even the mere loss of control over personal data can constitute non-material damage, without the need to prove additional noticeable negative consequences. The loss of control itself is the non-material damage. In addition, a well-founded fear on the part of a person that their personal data may be misused by third parties as a result of a breach of the GDPR is sufficient to substantiate a claim for damages – even if a loss of control cannot be proven.

The BGH also construes the requirements for the depth of presentation of the non-material damage in a very plaintiff-friendly way. For a claim for damages to be deemed valid, the affected person must only demonstrate that and in what way they were affected by the scraping incident and what consequences this had for them. In the case of mass claims, this can be done – at least initially – by means of standardised submissions.

The Federal Court of Justice also provides initial guidance on determining the amount of damages. If the only damage suffered is a loss of control, the Federal Court of Justice applies the following criteria: sensitivity of the personal data affected, the typical use of the data, the type of loss of control (limited/unlimited circle of recipients), duration of the loss of control and the possibility of regaining control, for example by removing a publication from the internet (including archives) or changing the personal data (e.g. changing phone number, new credit card number). In the present case, the Federal Court of Justice considers compensation of EUR 100 to be reasonable. If further consequences occur in addition to the mere loss of control, e.g. fear of future data misuse, the damage could also be higher. According to the BGH, the pre-trial legal fees can also be claimed as damages under Art. 82 GDPR, at least as long as a large number of legal issues in connection with Art. 82 GDPR have not yet been clarified.

The Federal Court of Justice does not base the application for injunctive relief on the GDPR, but solely on the Facebook user contract between plaintiff and defendant (Sections 280(1), 241(2) German Civil Code (Bürgerliches Gesetzbuch)). In this way, it avoids a suspension of the proceedings in light of the questions already submitted to the European Court of Justice (ECJ) as to whether the GDPR even grants the data subjects injunctive relief or whether recourse can be made to tortious claims under the law of the member states (BGH, decision of 26 September 2023 - VI ZR 97/22). However, the BGH considers the claim to access to be fulfilled due to the information provided prior to the proceedings. The only information that was not provided was the identity of the recipients of the personal data (meaning the scrapers). Yet this information is impossible for the defendant to provide due to the lack of knowledge of the identity of the scrapers.

Practical implications of the decision

The implications of the Federal Court of Justice’s ruling on a practical level will depend to a large extent on whether the court's view of mere loss of control as non-material damage will prevail.

Loss of control = damage?

The Federal Court of Justice deviates from the previous line of the European Court of Justice (ECJ) in significant aspects – without submitting the case for clarification. From the ECJ case law cited by the Federal Court of Justice, it does not support at all that the mere loss of control constitutes a non-material damage. A subsequent mistake made by the Federal Court of Justice is then to separate the loss of control from the data subject's fear that their personal data will be misused by third parties due to a violation of the GDPR. The ECJ, however, merely refers to loss of control in the relevant decisions to justify that the fear of future data misuse can also constitute non-material damage, and the data subject therefore does not have to prove that a corresponding misuse has already occurred.

In the landmark decision on Art. 82 GDPR, the case “Österreichische Post” (ECJ, judgment of 4 May 2023 – C-300/21), the ECJ stated that a data subject affected by an infringement of the GDPR which had negative consequences for them is not relieved of the need to demonstrate that those consequences constitute non-material damage in terms of Art. 82 GDPR. It is a direct consequence of the established burden of proof that not every negative consequence is automatically a non-material damage. If this were the case, no further proof would have to be provided if a negative consequence were present. The first decision in which the ECJ addresses the loss of control is “Natsionalna agentsia za prihodite” (ECJ, judgment of 14 December 2023 – C-340/21). Here, the concept of loss of control is only mentioned in the context of explaining why, in principle, the fear of a possible misuse of personal data can constitute a non-material damage – but only under specific circumstances and with regard to the specific person affected. It follows from the subsequent rulings that the ECJ regards the loss of control only as a possible cause for a non-material damage, but not as the non-material damage itself.

In the decision “Gemeinde Ummendorf” (ECJ, judgment of 14 December 2023 – C-456/22), the ECJ states that “the publication on the internet of personal data and the consequent loss of control over […] data for a short period of time” can cause a non-material damage within the meaning of Art. 82(1) of the GDPR. In the “MediaMarkSaturn” decision, (ECJ, judgment of 25 January 2024 - C-687/21), it is once again stated “that the loss of control of the personal data for a short period of time may cause the data subject ‘non-material damage’, within the meaning of Article 82(1) of the GDPR”. The ECJ also remains true to this line in its most recent decision on Art. 82 GDPR, “Agentsia po vpisvaniyata” (judgment of 4 October 2024 - C-200/23). Here, the ECJ once again stresses “that a loss of control, for a limited period, by the data subject over his or her personal data, on account of those data being made available online to the public, in the commercial register of a Member State, may suffice to cause ‘non-material damage’”. “Suffered by […], “cause” – those are clear phrases indicating that the loss of control can be the cause of non-material damage, but not the non-material damage itself. The Federal Court of Justice fails to recognise this distinction and mistakenly equates cause and effect.

Furthermore, the ECJ emphasises in all of the above-mentioned decisions that the data subject must prove that they have actually suffered a non-material damage. If the damage were loss of control, no further proof would be required. Insofar as the ECJ states in “Agentsia po vpisvaniyata” that the concept of ‘non-material damage’ does not require the demonstration of additional tangible adverse consequences, this is merely a further clarification that there is no threshold of seriousness within non-material damage.

Incidentally, equating loss of control with damage is not the only point on which the BGH deviates from the ECJ's line. The ECJ does not consider the burden of proof for the causality between the GDPR violation and the damage, or for its absence, to lie with the data subject, but with the controller (ECJ, judgment of 14 December 2023 - C-340/21 – “Natsionalna agentsia za prihodit”).

Commercialisation of data protection incidents

Regardless of the fact that the Federal Court of Justice’s decision is substantively flawed, it will fuel the commercialisation of data leaks and data protection incidents in the short to medium term and lead to a further increase in GDPR mass claims. The BGH’s assessment of the amount of damages in the present case, EUR 100 for the pure loss of control, does reduce the attractiveness of standardised, individual lawsuits in which remuneration is based on the German Act on the Remuneration of Lawyers (Rechtsanwaltsvergütungsgesetz). This applies especially since according to more recent case law on GDPR mass claims the amounts in dispute for an application for acknowledgment, for injunctive relief and access, are only in between EUR 300 to 500 (Higher Regional Court of Frankfurt am Main, decision of 11 July 2024 – 6 W 36/24; Higher Regional Court of Celle, decision of 10 June 2024 – 5 W 46/24). Furthermore, it cannot be inferred from the Federal Court of Justiceruling that the lower limit for damages in the event of mere loss of control is EUR 100. The court merely considers a determination in the single digits to be questionable in light of the principle of effectiveness. The minimum amount therefore starts at a double-digit figure, i.e. EUR 10.

However, a more recent decision by the Higher Regional Court of Hamm has made the bundling of numerous individual claims by way of assignment more attractive (Higher Regional Court of Hamm, judgment of 24 July 2024 – 11 U 69/23). Regardless of the fact that the ECJ has yet to clarify whether the right to compensation for non-pecuniary loss is transferable or non-transferable due to its highly personal nature, this model is likely to enjoy great popularity for the time being following the Federal Court of Justicedecision. In the case of data leaks and data protection incidents, a large number of claims involving many data subjects can be bundled into a single lawsuit. This may also increase the pressure on the controller or processor to reach a settlement. The Federal Court of Justice’s comments on the degree of substantiation and on the criteria for calculating damages in the event of a loss of control also open the door to the assertion of GDPR claims by way of a remedial action under Section 14 of the Consumer Rights Enforcement Act (Verbraucherrechtedurchsetzungsgesetz – VDuG). The standardised approach of the BGH makes it easier to argue that the claims of consumers affected by the action are essentially similar in terms of the lower limit within the meaning of Section 15(1) VDuG. This has already proved to be partially true in this specific case. It has taken less than a month since the judgment of the Federal Court of Justice for the Federation of German Consumer Organisations (Verbraucherzentrale Bundesverband – vzbv) to file a model declaratory action (Musterfeststellungsklage) with the Hanseatic Higher Regional Court of Hamburg. Consumers will most likely able to join the model declaratory action in the beginning of 2025.

Practical guidance and Conclusion

All in all, the decision raises more questions than it answers. One can hope that the Higher Regional Court of Cologne will take the remittal of the proceedings as an opportunity to refer the questions regarding the relationship between loss of control and damage as well as the distribution of the burden of proof with regard to a causal link to the ECJ. The judgment is also questionable from a civil procedural perspective. Classifying a data breach and a claim for access under data protection law (which exists without cause and completely independently of the data breach) as a single subject matter and therefore allowing a single claim for compensation for non-material damage crosses the line towards an impermissible alternative accumulation of claims. Rather, a clear separation of the claims is required.

The impending scenario of GDPR mass litigation in the event of a cyber-attack involving data exfiltration and publication on the darknet once again highlights the importance of risk-appropriate technical and organisational measures for the security of personal data processing (Article 32 GDPR). Even if an incident cannot be prevented in the end, it is important to document and regularly review the TOMs so that it can be demonstrated in court that they were appropriate from an ex ante perspective. Furthermore, every data breach and every alleged ‘data protection scandal’ must be immediately investigated, analysed and documented in such a way that a legally sound defence is possible. The criteria formulated by the Federal Court of Justice for assessing the amount of damages provide a good starting point for a risk analysis. In a mass action scenario, it is also important to already take the first claim seriously and defend it effectively. Under certain circumstances, it may also make sense to seek an early settlement in order to avoid unnecessary escalation.