For personal reasons, I am directly affected by this ruling of the Federal Court of Justice and have therefore taken a closer look at it.
As this topic affects many people, I would like to provide a summary here, which I created with the help of NotebookLM, an AI-supported software from Google.
Disclaimer
The following summary does not claim to be 100% correct! For detailed information, please refer to the official document of the BGH judgment
Summary of the BGH ruling of November 18, 2024 on data protection
The ruling by the Federal Court of Justice (BGH) on November 18, 2024 in the Facebook data leak case has far-reaching consequences for data protection in Germany. For users, the ruling means that it will be easier for them to claim damages in the event of a data leak in future. Data processing companies, on the other hand, must now expect higher penalties and stricter requirements.
Key points of the ruling:
Applicability of the GDPR
The General Data Protection Regulation (GDPR) is also applicable if the data collection occurred after the user registered on the platform.
Standardized submission
The Federal Court of Justice ruled that in the case of a uniform procedure such as scraping, in which comparable data from millions of users was tapped and posted on the internet, the submission of the affected parties "at least in the starting point, necessarily has comparable features". This means that the plaintiff's submission in the present proceedings before the Higher Regional Court of Cologne was sufficient.
Loss of control as compensable damage
The BGH has clarified that the loss of control over personal data constitutes compensable non-material damage pursuant to Art. 82 para. 1 GDPR. Even the well-founded fear of having lost control of one's personal data is sufficient for a claim for damages.
Amount of damages
When assessing the amount of damages, the sensitivity of the data, the type and duration of the loss of control and the possibility of regaining control must be taken into account. The BGH considers a lower limit of 100 euros for the mere loss of control to be appropriate.
Admissibility of the application for a declaratory judgment
The BGH declared the application for a declaratory judgment admissible, as the mere possibility of future damages is sufficient to assume that the plaintiff has an interest in a declaratory judgment.
Partial admissibility of the injunctive relief: The BGH has declared the injunctive relief partially admissible.
Consequences for users and data processing companies:
Users
Users now have a better chance of receiving compensation in the event of data leakage, even if no specific misuse of the data can be proven.
Data processing companies
Companies must ensure that they comply with the GDPR and adequately protect personal data. Otherwise, they could face high claims for damages and fines.
The ruling by the Federal Court of Justice strengthens data protection in Germany and clarifies that the loss of control over personal data constitutes compensable damage. Users benefit from an improved legal position, while data processing companies are now held more accountable.
Note
I have "secured" my right to publish this summary on my blog in this form with the following judgment. I see a public interest here and a direct link to my work in the field of online marketing.
In its ruling of May 6, 2021 (case reference: I ZR 167/20), the Federal Court of Justice (BGH) ruled that a company may publish a judgment against a competitor on its website if there is an interest in the information that is worthy of protection.12 The following points should be noted:
- The publication must be objectively justified.
- There must be an overriding interest in information on the part of the target public3.
- Mentioning the competitor's full name may be permissible if this serves to protect potential customers2.
Publication is particularly justified if it serves to warn against unfair commercial practices and to protect consumers