Federal Court of Justice judgment on non-material damage under the GDPR in “scraping” cases

Today, the German Federal Court of Justice (“FCJ”) pronounced its landmark judgment in the “scraping” case and issued a press release on the decision. The Court ruled that data subjects affected by data protection infringements can, in some cases, claim damages even solely on the basis of the loss of control over their personal data. Previously, many German courts assumed that data subjects also have to prove that they suffered feelings of anxiety or fear. This often meant that judges had to carefully assess such alleged damage based on the claimant’s personality, the specific circumstances and the evidence offered by the claimant. Now that loss of control has been recognised as a potential form of damage, claimants have a new straightforward basis for pursuing claims for compensation under Article 82 GDPR. However, a claimant will still have to prove that such loss of control actually occurred, and the amount of compensation for this type of damage is likely to remain rather low.

The FCJ’s judgment comes after ten judgments handed down by the European Court of Justice (summarised here and here). European Court of Justice judgments are often brief and lack the structured legal reasoning typically used by German courts. As a result, German courts have interpreted these judgments in different ways. This FCJ’s judgment now provides more concrete guidance to German courts.

The procedure for precedents

The FCJ’s judgment concerns a “scraping” case where Facebook users are suing the operator of the social network for damages. In 2021, the data of approximately 533 million Facebook users was leaked online. Unknown parties were able to access the data because, depending on a user’s profile settings, profiles could be found by entering the phone numbers associated with them, using automated systems to upload a large number of phone numbers via the contact import feature. Where a phone number was linked to a profile, they combined the public information from the profile and the phone number and eventually published them.

The FCJ has designated this case as a procedure for precedents (Leitentscheidungsverfahren). This designation means that the FCJ can rule on the legal questions raised in the case, even where the parties later withdraw their appeal, for example because of a settlement or for tactical reasons. This procedure is intended for situations where a large number of cases raise similar legal issues and where a rapid, binding decision by the highest German court is required. Thousands of similar cases are currently pending before German courts. The procedure for precedents was recently introduced into the German Code of Civil Procedure and has only been applicable since 1 November 2024 This is the first case designated by the FCJ as a procedure for precedents.

Loss of control over data as damage

The FCJ has ruled that even the mere loss of control over one’s own data can constitute non-material damage. This judgment thereby brings a solution to an issue unresolved so far which resulted from an ambiguous formulation by the European Court of Justice, i.e. whether the loss of control itself constitutes damage, or whether damage arises only from the potential negative consequences of that loss.

The FCJ clarified that there need not be actual misuse of the data of the data subject for damage to be recognised. However, it did not specify what constitutes loss of control. In this particular case, the Court only had to decide whether the actual access to Facebook users’ data constituted damage. In other cases, courts will have to decide on a case-by-case basis whether there has been a loss of control that qualifies as damage.

The assessment will depend on the specific circumstances. It is important to note that loss of control is a question of fact and its existence must be assessed on a case-by-case basis. For example, there is the question of whether a claimant can even prove unauthorised access to data that was accessible on an unsecured server for a certain period of time. In addition, the FCJ left open the question of whether loss of control includes a qualitative element. This could be particularly relevant in cases of isolated unauthorised access, such as by “white hat hackers” or journalists who discover a data leak and delete the data immediately afterwards.

Furthermore, according to the wording, a loss of control requires that the data subject initially had control over the data and then lost this control. Since neither German nor European law recognises data as property, control can only relate to the actual and legal possibilities available to the data subject. This suggests that a data subject does not lose control over the data with every unauthorised access as long as he or she still has the possibility to exercise his or her control rights under the GDPR, for example by requesting the deletion of the data.

The above uncertainties are likely to raise further procedural questions, in particular regarding the substantiation required from claimants when alleging loss of control and the allocation of the burden of proof.

The FCJ did not provide a detailed definition of loss of control in its press release. We hope that the full text of the judgment will include such a definition, which will enable courts to assess uniformly when the threshold for actual loss of control has been crossed.

Determining the amount of damages

The FCJ decided that in this particular case, compensation of EUR 100,00 was appropriate for the mere loss of control experienced by the Facebook users affected.

In doing so, the FCJ is following the guidelines of the European Court of Justice and tailoring them to this specific situation where phone numbers were lost as a result of targeted, large-scale scraping. However, as there are currently few court decisions that provide guidance on what amounts of compensation are appropriate for loss of control in different scenarios, courts will continue to face challenges in determining exact amounts.

It is worth noting that the form of damage defined as “loss of control” is more objectively based on the practical ability to control the use of data, as opposed to damage associated solely with negative emotions following a data breach, which are purely subjective. Therefore, it seems reasonable to consider both the value of the data and the value of control when determining damage. One possible measure could be the market value of the data. The FCJ’s press release suggests that the court considers the amount of compensation for loss of control to be below the level of damage associated with the fears or other subjective feelings experienced by affected individuals, which lower courts have typically valued higher.

We hope that the full FCJ judgment will provide further guidance on the calculation of damages. This would help to establish a consistent legal approach and allow companies to realistically assess the financial risks associated with damage claims.

Outlook

The FCJ’s judgment provides German courts with a new standard for assessing non-material claims for damages relating to data protection infringements. Nevertheless, companies facing such claims still have options for defence. As the interpretation and scope of “loss of control” are not yet fully defined, the allocation of the burden of proof and requirements for substantiating claims provide further avenues for defence. Courts will now need to address whether a genuine loss of control has occurred in each case and how to quantify any resulting damage. It is expected that while courts will increasingly grant claims based on proven loss of control, the average amounts awarded will decrease, as the FCJ’s judgment suggests that only a modest amount of compensation is appropriate for loss of control.

We will continue to monitor German case law on our Noerr Damages Tracker and will update our website once the full judgment has been published.

We recommend that companies take a proactive approach by establishing strong data protection governance, implementing effective management of data subject rights, and professionally assessing and handling potential data protection incidents. Companies should engage early and strategically with the challenges, opportunities, and risks of Data Protection Litigation. Our experienced team of recognised data protection and litigation experts are here to help.