Data protection BGH ruling from 18.11.2024

Dec 01, 2024

4 mins Read Time

The General Data Protection Regulation (GDPR) also applies if the data collection occurred after the user registered on the platform.

Table of Contents

For personal reasons, I am directly affected by this ruling of the Federal Court of Justice and have therefore taken a closer look at it.

As this topic affects many people, I would like to provide a summary here, which I created with the help of NotebookLM, an AI-supported software from Google.

Disclaimer

The following summary does not claim to be 100% correct! For detailed information, please refer to the official document of the BGH judgment

Summary of the BGH ruling of November 18, 2024 on data protection

The ruling by the Federal Court of Justice (BGH) on November 18, 2024 in the Facebook data leak case has far-reaching consequences for data protection in Germany. For users, the ruling means that it will be easier for them to claim damages in the event of a data leak in future. Data processing companies, on the other hand, must now expect higher penalties and stricter requirements.

Key points of the ruling:

Applicability of the GDPR

The General Data Protection Regulation (GDPR) is also applicable if the data collection occurred after the user registered on the platform.

Standardized submission

The Federal Court of Justice ruled that in the case of a uniform procedure such as scraping, in which comparable data from millions of users was tapped and posted on the internet, the submission of the affected parties "at least in the starting point, necessarily has comparable features". This means that the plaintiff's submission in the present proceedings before the Higher Regional Court of Cologne was sufficient.

Loss of control as compensable damage

The BGH has clarified that the loss of control over personal data constitutes compensable non-material damage pursuant to Art. 82 para. 1 GDPR. Even the well-founded fear of having lost control of one's personal data is sufficient for a claim for damages.

Amount of damages

When assessing the amount of damages, the sensitivity of the data, the type and duration of the loss of control and the possibility of regaining control must be taken into account. The BGH considers a lower limit of 100 euros for the mere loss of control to be appropriate.

Admissibility of the application for a declaratory judgment

The BGH declared the application for a declaratory judgment admissible, as the mere possibility of future damages is sufficient to assume that the plaintiff has an interest in a declaratory judgment.

Partial admissibility of the injunctive relief: The BGH has declared the injunctive relief partially admissible.

Consequences for users and data processing companies:

Users

Users now have a better chance of receiving compensation in the event of data leakage, even if no specific misuse of the data can be proven.

Data processing companies

Companies must ensure that they comply with the GDPR and adequately protect personal data. Otherwise, they could face high claims for damages and fines.

The ruling by the Federal Court of Justice strengthens data protection in Germany and clarifies that the loss of control over personal data constitutes compensable damage. Users benefit from an improved legal position, while data processing companies are now held more accountable.

Note

I have "secured" my right to publish this summary on my blog in this form with the following judgment. I see a public interest here and a direct link to my work in the field of online marketing.

In its ruling of May 6, 2021 (case reference: I ZR 167/20), the Federal Court of Justice (BGH) ruled that a company may publish a judgment against a competitor on its website if there is an interest in the information that is worthy of protection.12 The following points should be noted:

  1. The publication must be objectively justified.
  2. There must be an overriding interest in information on the part of the target public3.
  3. Mentioning the competitor's full name may be permissible if this serves to protect potential customers2.

Publication is particularly justified if it serves to warn against unfair commercial practices and to protect consumers