Companies must protect data even better. There is the risk of action for damages if data subjects lose control of their personal data for even a short while.

Landmark decision by the Federal Court of Justice 

In a landmark decision, the Federal Court of Justice (BGH) has determined that Facebook is liable to pay damages for non-material damage owing to an infringement of the General Data Protection Regulation (GDPR). The crucial point is that liability no longer depends on specific misuse of the data to the data subject’s detriment or on other additional negative consequences that make themselves felt (e.g. psychological impact through loss of data, anxiety, concern).

Loss of control decisive for claims for damages

In line with European Court of Justice case law, the “loss of control”, as it is known, is alone decisive here: the mere loss of control of one’s own personal data for a short time owing to an infringement of the GDPR may constitute non-material damage as defined by the Regulation. The data subject has not consented to the specific use of his or her data and ultimately cannot trace how or whether the data are processed.

Amount of damages picks up speed

Consequently, in such cases, the data subject need only prove that he or she was the victim of the incident. The Federal Court of Justice decided in this particular case that damages of 100 euros were appropriate for the loss of control. The amount may not be spectacular, but the Federal Court of Justice also affirmed a claim to determine the duty to refund any future damage. However, since this Federal Court of Justice decision eases the requirements for non-material damage, companies risk being sued en masse if such a data protection infringement becomes known. The quality of the data involved may well also be relevant to how the amount of damages awarded develops in future: if it is special personal data, such as religious affiliation, sexual orientation or health data, higher damages can be expected. This may apply all the more if control is lost of large amounts of relevant data of many different kinds, such as when data are analysed by various apps.

Companies on an alarm setting

In such cases, legal rearguard actions will be limited. Companies will most likely no longer be able to mount the defence that they have done everything they could in the way of technical safeguarding and handling the data legally. At any rate, the decision leaves it uncertain whether or to what extent companies can rely on their compliance with technical and organisational standards. Companies therefore absolutely must give data protection even more consideration when developing products and services, in their internal processes, when using personal data in their own operations, and in data security.