On 18 November 2024, the Federal Court of Justice (Bundesgerichtshof – "BGH") handed down its decision, according to which the mere loss of control over user data can justify a damage claim under Art. 82 of the EU's General Data Protection Regulation ("GDPR"). Emphasizing that the affected individual does not need to show that the loss of control resulted in a misuse of the data or other harm, the BGH significantly reduces the burden for plaintiffs to assert such damage claims.
The decision concerns a scraping case in which unknown persons tapped public data from user accounts at an online service. The decision's consequences go far beyond the individual case, however: The BGH resorted to the new procedural tool of declaring its decision a "leading decision" (Leitentscheidung) which aims at clarifying fundamental legal issues in mass proceedings. In addition, the decision's rationale is not limited to scraping cases but can be applied to other “leaks” of user or customer data.
Still, neither the individual case at hand nor the fundamental legal question of which test applies under Art. 82 GDPR are necessarily yet resolved for good. One, the Court remanded the case back to the first appellate level to determine whether there was a GDPR violation at all and, if there was, to calculate damages. Two, the BGH did not refer the fundamental question on the interpretation of Art. 82 GDPR to the Court of Justice of the EU ("CJEU"). The casuistic nature of the CJEU's Art. 82 GDPR case law could offer defendants a glimpse of hope that the CJEU's authoritative interpretation eventually imposes – even if slightly – stricter standards for plaintiffs claiming non-material damages.
The potential economic impact from the BGH's decision does not result from the damage amounts for individual plaintiffs (here, according to the BGH, around EUR 100) but from the massive number of potential plaintiffs (here: approx. 6m).
The potential damage amount for the affected individual is likely too small to incentivize such individuals to engage in the hassle of initiating a lawsuit on their own. This essentially leaves claimants with two viable options under German civil procedure:
Professional litigation vehicles may offer to acquire individual claims for a fee and assert the collected claims before the competent courts against the data controller. This would follow the example of airline passenger rights, where a claims industry has developed over the years relying heavily on the support of legal tech.
Consumer protection associations could bring a collective action against the data controller under the representative action regime introduced into German law in 2023. This instrument allows consumer protection associations to initiate a lawsuit for damages on behalf of all potentially affected consumers that choose to opt into the collective action. If successful, the amount recovered would be distributed among the consumers.
Defending against such lawsuits will pose challenges for sued data controllers. It will require a thoroughly devised litigation strategy that itself will have to heavily rely on legal tech and artificial intelligence to cope with the potentially massive number of individual claims.