The probative value of information from "leak checkers" in court proceedings

The reference decision of the Higher Regional Court (OLG) of Dresden dated June 18, 2024 (Ref. 4 U 156/24) provides an opportunity to take a closer look at the evidentiary value of information from "haveibeenpwned.com" [HIBP] and other "leak checkers" in civil proceedings. On this question of evidence, case law has by now established a clear line.

The legal situation

Companies that process personal data are obliged under Art. 32 GDPR to take appropriate security measures to prevent data leaks. If these measures are not sufficiently implemented and a data leak occurs, the data subjects and the supervisory authority must be notified in accordance with Arts. 33 and 34 GDPR. Failure to comply with these obligations may give rise to a claim for damages, as has frequently been the case with the "scraping" attacks of recent years.

A claim for damages can only be successfully enforced if the plaintiff can conclusively prove both the GDPR breach and their individual impact as a result of the specific data leak.

The role of "leak checkers" in the presentation of evidence in court

As a rule, the average user has no insight into the internal processes of their contractual partner and will not search the darknet for their leaked data. So-called "leak checkers" such as the one offered by HIBP therefore provide assistance here. If the user enters their email address in the search field, the checker tests whether that email address is contained in a leaked data set and reports what other categories of data were leaked with it.

While "leak checkers" such as HIBP provide an initial indication of a possible data loss, this is often not sufficient in a legal context (cf. Data scraping on Twitter ("X") and the burden of presentation and proof). A court requires complete and conclusive evidence before it will recognize a claim for damages.

Data sources not known

On the one hand, these tools do not allow any traceable verification of the data sources. The data sets on which the website bases its statement that a user is affected by a data leak are not named. HIBP's FAQ also does not go beyond generic statements on this point.

Insufficient information

On the other hand, the results are often incomplete and, for lack of contextual information, do not permit any reliable conclusions about the origin of the data leak. HIBP only checks whether the email address entered in the search mask matches an entry in known data sets. The user is not told which other data about them the matching record contains; HIBP only states in general terms which categories of data are present in the data set (IP address, date of birth, password, etc.). Finally, the source from which the data originated, and thus where it leaked from, cannot be traced.

Not sufficient evidence

These circumstances, quite rightly, stand in the way of full proof in civil proceedings. Neither the court nor an expert witness appointed by it can base their full conviction on such information. Even HIBP does not claim that its information is always correct, since it only "usually" verifies its sources in order to inform its users quickly ("making data searchable early").

Insurmountable hurdle?

The decision of the Higher Regional Court of Dresden, which follows the existing line of the courts, illustrates the difficulties plaintiffs face in such proceedings. Without access to the leaked data sets themselves, providing the necessary full proof remains a considerable challenge for plaintiffs. Detailed and specific evidence is therefore essential.

Interestingly, the majority of the plaintiffs in the published decisions relied on the information provided by HIBP. The "EIDI Leak Checker" from the University of Bonn, for example, provides more information, including the names of the files in which the checked email address was found. The user also receives extended information on compromised passwords, as the first and last characters of the password are displayed for identification purposes.

The Higher Regional Court of Dresden also made a comment in its decision that has received too little attention to date:

"Whether a positive report [...] is sufficient can be left open here; in any case, the screenshot of the page "haveIbeenpwnd.com" does not allow any conclusions to be drawn as to where and when a data leak occurred. After all, the plaintiff is registered with numerous other social media - such as facebook, instagram, tiktok, twitter and pinterest." (Higher Regional Court Dresden, 4th Civil Senate, decision of June 18, 2024, Ref.: 4 U 156/24)

From this it follows that it must be shown that an email address, used once to open an account on the social network and later found published on the darknet, was actually affected by the specific data outflow at that network operator, rather than by a leak at any of the other services where the same address is registered.

If the plaintiff can demonstrate to the full satisfaction of the court that their data could only have been leaked in the course of a data protection incident at the defendant, it is conceivable that the court would consider this submission sufficient. Nevertheless, the risk of losing the case is likely to be higher.
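The attribution problem described above (HIBP reports only breach metadata and data classes, and the same address usually appears in several unrelated leaks) can be made concrete with a small triage routine. This is an added example, not code from the page or from HIBP; the breach records are constructed to mirror the field names of HIBP's v3 breach objects (Name, Domain, BreachDate, AddedDate, DataClasses), and the defendant domain and registration date are assumed values.

```python
from datetime import date

# Constructed sample records in the shape of HIBP v3 breach objects
# (not real HIBP output). A real query would return such objects from
# GET /api/v3/breachedaccount/{account}?truncateResponse=false.
SAMPLE_BREACHES = [
    {"Name": "ExampleSocial", "Domain": "examplesocial.test", "BreachDate": "2021-04-10",
     "AddedDate": "2021-04-12T00:00:00Z",
     "DataClasses": ["Email addresses", "Phone numbers", "Names"]},
    {"Name": "ExampleForum", "Domain": "exampleforum.test", "BreachDate": "2019-08-01",
     "AddedDate": "2019-09-03T00:00:00Z",
     "DataClasses": ["Email addresses", "Passwords"]},
    {"Name": "OldComboList", "Domain": "", "BreachDate": "2018-01-01",
     "AddedDate": "2018-02-15T00:00:00Z",
     "DataClasses": ["Email addresses", "Passwords"]},
]


def assess_attribution(breaches, defendant_domain, account_created_iso):
    """Sort the breaches listed for one address by what they say about the
    claimed source. Only a breach at the defendant's own domain, dated after
    the plaintiff registered there, can be a candidate; every other breach
    shows the address also circulates for reasons unrelated to the defendant,
    which is exactly the objection the court raised."""
    registered = date.fromisoformat(account_created_iso)
    result = {"candidates": [], "pre_registration": [],
              "other_sources": [], "unattributable": []}
    for b in breaches:
        breached = date.fromisoformat(b["BreachDate"])
        if not b.get("Domain"):
            # e.g. a combo list: HIBP knows no origin, so it proves nothing about the defendant
            result["unattributable"].append(b["Name"])
        elif b["Domain"] != defendant_domain:
            result["other_sources"].append(b["Name"])
        elif breached < registered:
            # the address cannot have leaked from an account that did not yet exist
            result["pre_registration"].append(b["Name"])
        else:
            result["candidates"].append(b["Name"])
    # Attribution is only unambiguous when nothing but the defendant's breach explains the finding.
    result["sole_plausible_source"] = bool(result["candidates"]) and not (
        result["other_sources"] or result["unattributable"])
    return result


if __name__ == "__main__":
    print(assess_attribution(SAMPLE_BREACHES, "examplesocial.test", "2020-01-01"))
```

With the sample data the defendant's breach is a candidate, but the address also appears in a forum leak and an unattributed combo list, so the routine reports that the defendant is not the sole plausible source.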

OLG Dresden, 4th Civil Senate, decision of June 18, 2024, Ref.: 4 U 156/24