The Higher Regional Court of Hamm has issued an initial ruling on the so-called Facebook scraping cases and dismissed a claim for payment of damages under the General Data Protection Regulation (GDPR). According to the ruling, there have been violations of data protection regulations, but the plaintiff was unable to sufficiently demonstrate non-material damage.
In April 2021, unknown persons published the data of around 500 million Facebook users on the darknet, including names and telephone numbers. The unknown persons had previously collected the data over a long period of time, initially by exploiting Facebook's search functions at the time, which is why the term "scraping" is used. Even if the display of one's own phone number was not activated on Facebook, it was still possible to identify a user via a phone number entered using the search function. The unknown "scrapers" exploited this by generating millions of phone numbers with the computer and retrieving data for this purpose. Facebook deactivated the search function for phone numbers in April 2018, and further data was tapped on a subsequently adapted scraping procedure that exploited Facebook's contact import function, until Facebook also deactivated this function on the platform in October 2018 and in Facebook Messenger in September 2019.
With regard to this "data leak," numerous lawsuits are pending against Meta as the operator of the platform throughout Germany, including in the district of the Higher Regional Court of Hamm, for which the first decision has now been issued. In it, the 7th Civil Senate, which is responsible for the law of torts, clarifies numerous legal questions in connection with the scraping lawsuits.
The plaintiff in the case that has now been decided was also affected by the scraping. The data set published on the darknet contained her cell phone number, her first and last name, and her gender. The plaintiff has demanded compensation for immaterial damages from Meta as the operator of the platform, similar to damages for pain and suffering of at least 1,000 euros. She took the view that the operator of the platform had violated various data protection provisions from the GDPR both in connection with the scraping and independently of it. Meta has countered this.
The Bielefeld Regional Court had rejected the claim. The appeal filed by the plaintiff has now been unsuccessful before the Higher Regional Court of Hamm. The Higher Regional Court found that there had been violations of the GDPR. However, it was not convinced that the plaintiff had suffered any non-material damage.
With regard to the established violations of the GDPR, the Higher Regional Court starts from the premise that it is also the task of the data controller - in this case Meta - in civil proceedings to prove the permissible processing of this data in accordance with the GDPR. In this context, the transfer of data to third parties on a search function or a contact import function is also data processing within the meaning of the GDPR. Meta was not able to prove here that the forwarding of the plaintiff's cell phone number as part of the search or contact import function was justified under the GDPR. Meta cannot rely on the fulfillment of the contractual purpose as a justification ground under the GDPR, since the processing of the cell phone number is not absolutely necessary for the networking of Facebook users with each other, taking into account the principle of data minimization. The processing of the cell phone number therefore requires the consent of the user. Such consent was not effectively granted here, because the consent granted to the plaintiff at the time used default settings that could be deselected by the user if desired ("opt-out") and the information about the search and contact import function was insufficient and non-transparent.
The Higher Regional Court also affirmed a breach of duty leading to damages in principle, since Meta had not taken obvious measures to prevent further unauthorized data access despite concrete knowledge of the data access in the present case.
Nevertheless, the Higher Regional Court did not award damages to the plaintiff. The plaintiff only claimed immaterial damages, which is possible in principle under the GDPR and can lead to compensation similar to damages for pain and suffering. However, the plaintiff did not succeed in presenting concrete immaterial damages. The Higher Regional Court assumes that the non-material damage cannot lie in the mere violation of the GDPR itself, but that additional personal or psychological impairments must have occurred. However, the plaintiff has not individually presented such damages. The blanket statement, identical to a large number of similar proceedings, that the "plaintiff party" had developed feelings of loss of control, of being watched and of helplessness, i.e. overall the feeling of fear, and had expended time and effort, is not sufficient to demonstrate that the plaintiff was specifically and individually affected. Nor is the misuse of data at issue here, which led to the unintentional publication of name and cell phone number, so serious that the occurrence of non-material damage is readily apparent. In addition, the plaintiff only stated in her personal hearing before the Regional Court that she had suffered a "feeling of shock".
The Higher Regional Court assessed the amount in dispute for the entire proceedings - in which further claims for declaratory judgment, injunctive relief and information had also been asserted without success - at only EUR 3,000. It saw no reason to submit the proceedings to the European Court of Justice for a preliminary ruling or to allow an appeal, as the decisive legal questions had recently been clarified by the European Court of Justice.
Hamm Higher Regional Court, judgment of August 15, 2023, Case No. 7 U 19/23; lower court: Bielefeld Regional Court, judgment of December 19, 2022, Case No. 8 O 157/22.
Source: Press release of the OLG Hamm from 06.09.2023
