Data scraping on Twitter ("X") and the burden of presentation and proof

We highlight three important court rulings that deal with the data scraping incidents at Twitter, now X. These rulings specify the requirements for the burden of presentation and proof for plaintiffs seeking damages following a data protection incident.

1. What is data scraping?

Data scraping refers to the automated collection of data from websites or databases. In 2021, hackers were able to submit email addresses or telephone numbers to Twitter (now "X") through an unsecured API and, where these matched, access all publicly accessible user data. These data records were sold on the darknet.

Further information on data scraping can be found in our article on a ruling by the Higher Regional Court of Hamm: No immaterial damage in the case of Facebook scraping.

2. Query at "www.haveibeenpwned.com" can provide indications of your own involvement

In order to assert a claim for damages under Article 82 GDPR, the plaintiff must (among other things) prove that Twitter's data protection breach has led to damage. They must therefore prove that their personal data was affected by the 2021 API bug.

The plaintiff presented the court with a confirmation from the website "haveibeenpwned.com", which allows users to check whether their personal data has been compromised by data leaks. As the data record affected by a leak matched the data entered by the user on Twitter, the Regional Court of Freiburg ruled in its judgment of February 8, 2024 (Ref. 8 O 212/23) that this provided sufficient evidence that the plaintiff was affected. Twitter had to carry out further investigations as part of its secondary burden of proof. As this was not done, the plaintiff was awarded damages.

3. The plaintiff cannot declare himself ignorant

In a second trial, Twitter satisfied its secondary burden of proof and was able to prove, following a comprehensive investigation, that the plaintiff's data was not affected by the 2021 API bug. The Hamm Higher Regional Court rightly pointed out in its order of reference dated 14.05.2024 (case reference: 7 U 14/24) that the plaintiff, as a party with the burden of presentation and proof, could not declare that it did not know. This is in line with general procedural principles. The plaintiff withdrew his appeal in response to the ruling.

4. Query at "www.haveibeenpwned.com" is not full proof

But how can the plaintiff provide the necessary evidence?

The mere confirmation of being affected by the website "haveibeenpwned.com" is not sufficient in any case. One plaintiff failed in this attempt before the Regional Court of Stuttgart. In its judgment of 24.01.2024 (Ref.: 27 O 92/23), the court came to the conclusion that the confirmation of compromised personal data by the website "haveibeenpwned.com" did not provide full proof. It was not convinced of the accuracy of the account. Firstly, the confirmation does not show that the information is correct and that the incriminated data set is attributable to the 2021 API bug. Secondly, it is not known on what basis the operator of the website determines whether individual users are affected.

The plaintiff's submission that it had noticed an increased volume of spam was also not sufficient to prove to the court that it was affected. The court stated: "In particular, the spam messages described by the plaintiff, through which a message from an alleged parcel service provider such as DHL is faked, also occur with the single judge and his family members, although no one maintains a Twitter account."

Sources: LG Freiburg, judgment of 08.02.2024 - 8 O 212/23; OLG Hamm, decision of 14.05.2024 - 7 U 14/24; LG Stuttgart, judgment of 24.01.2024 - 27 O 92/23
