The judgment is based on a personal data breach concerning the social network Facebook. In April 2021, data from over 500 million users was made public on the internet. This data was collected by unknown third parties using scraping. To collect the data these third parties were using the search function for phone numbers which, by default, allowed unrestricted access to public profiles based on phone numbers (including where the profile owner had decided not to publish the telephone number).

In summary, the BGH has ruled in favour of the existence of non-material damages due to a mere loss of control of personal data and has therefore provided some clarity to the previously inconsistent German case law. In particular, the decision clarified whether non-material damages due to loss of control can be claimed; what requirements must be met to substantiate such claims; and how such damages are to be measured.

Claims for damages

In its judgment, the BGH states that a claim under Article 82(1) GDPR requires the following:

• An infringement of the GDPR;
• A material or non-material damage to the data subject; and
• A causal link between the infringement and the material or non-material damage.

In particular, BGH’s judgment looks at the question of whether the plaintiff suffered non-material damage in the specific case. The plaintiff claimed non-material damages for the anger and fear as a result of the loss of control over his personal data.

In its judgment, the BGH takes a broad interpretation of the term ‘non-material damage’. With reference to the case law of the ECJ (e.g. ECJ, judgment of 4 October 2024 – C-200/23, para. 145, 156 in conjunction with 137 – Agentsia po vpisvaniyata) and Recital 85 of the GDPR, the BGH ruled that the mere loss of control over personal data due to an infringement of the GDPR is sufficient to constitute non-material damages. According to the BGH, this applies even if there has been no specific misuse of the affected data to the detriment of the data subject or other noticeable negative consequences. Such consequences would only intensify an already existing damage.

Furthermore, the BGH clarifies the basic conditions for the assertion of a claim for non-material damage under the GDPR and civil procedural law. It was the plaintiff’s obligation to provide substantial evidence for damages in the specific form of loss of control over personal data and to prove the causal link. That means that the plaintiff had to present facts which, in conjunction with a legal provision, are suitable and necessary to justify the existence of the respective claim deriving from Article 82(1) GDPR. For this, the plaintiff can even use standardised text modules in written submissions, provided that these still demonstrate that the plaintiff is personally affected by the incident. The BGH considers the following circumstances, as presented by the plaintiff, to be sufficient to cause the damage:

• Loss of control over leaked personal data (with respect to his cell number, the plaintiff stated that he always passed on this number consciously and purposefully and did not make it accessible to the public randomly and without reason)
• State of significant unease and concern about possible misuse of personal data (increased mistrust regarding emails and calls from unknown numbers, receiving contact attempts via text messages and emails by unknown senders)

Further motions

Regarding the plaintiff’s motion for action of acknowledgment of future material and non-material damages deriving from the incident, the BGH states that the mere possibility of future damages is sufficient to grant such motion (this is in line with settled German case law).

The plaintiff also asserted injunctive relief. Insofar as he sought an order that prevents Facebook from making his personal data accessible to unauthorized third parties via software for importing contacts without taking the necessary measures to do so according to the state of the art, the BGH considered this application to be procedurally inadmissible. The reason for this was that the claim was unspecific in several respects – for example, it partly only re-phrased security requirements of the GDPR. However, the BGH deemed the plaintiff’s further application to be admissible. This application was aimed at preventing Facebook from further processing the plaintiff’s telephone numbers on the basis of consent given by him, since, in the plaintiff’s opinion, this consent was invalid due to a lack of transparency. The court of appeal will have to rule on this application again. Interestingly, the BGH also stated that consent is the only lawful basis that could be considered for processing of phone numbers for the search function.

Furthermore, the BGH ruled that the plaintiff had no further right of access according to Article 15(1) GDPR against the defendant. The plaintiff claimed a right of information regarding the specific recipients of the data. Since this was not possible because the defendant had no knowledge of the specific recipients of the data, the BGH ruled that the plaintiff had no right of access in this regard.

BGH on amounts of non-material damages

In accordance with the principle of procedural autonomy, the modalities for calculating the amount of non-material damage are determined by the national rules governing  the scope of financial compensation. Limited by the principle of equivalence and effectiveness, the application in Germany is governed by Section 287 German Civil Procedure Code (Zivilprozessordnung – “ZPO”). Article 82 GDPR only has a compensatory function and not a deterrent or punitive function. Therefore, the severity or number of infringements is irrelevant for the calculation of damages. Instead, the respective court must consider the sensitivity of the data concerned, the typical appropriate use, the type of loss of control, the possibility of regaining control and existing psychological damage. As a result, the BGH suggested that the court of appeal awards damages in the amount of EUR 100.

In general, however, it can be inferred from the BGH’s statements that the BGH also considers double-digit (but likely not single digit) amounts to be potentially appropriate, albeit taking into account the respective circumstances of the individual case.

Conclusion

The BGH’s judgment is a landmark for future similar cases due to the relatively low amount as a result of damages. The courts of lower instance will in all likelihood concur with the BGH’s opinion. It remains to be seen to what extent other supreme federal courts will follow the opinion of the BGH. The German Federal Social Court (Bundessozialgericht – “BSG), the federal court of appeal for social security cases, for example, seems to take the position in a judgment which is not yet publicly accessible that the mere formulaic assertion that the plaintiff had suffered a “loss of control” as a result of being left in the dark about the processing of his personal data to be insufficient to justify a claim under Article 82(1) GDPR.

The judgment is based on a personal data breach at Facebook. In April 2021, data from over 500 million users was made public on the internet. This data was collected by unknown third parties using scraping.

In the course of this incident, the plaintiff’s data (user ID, first and last name, place of work and gender) was published on the internet. The plaintiff argues that Facebook did not take sufficient and appropriate measures to protect his personal data and is essentially seeking non-material damages for the anger and loss of control over his personal data.

After the plaintiff was awarded an amount of EUR 250 in the first instance instead of the requested minimum of EUR 1,000, he lost in the appeal instance. The court of appeal stated that the mere loss of control is not sufficient for the assumption of non-material damage within the meaning of Art. 82 (1) GDPR. Furthermore, the plaintiff had not sufficiently substantiated that he had been psychologically affected beyond the loss of control.

The appeal to BGH was partially successful. The BGH is of the opinion that even the mere and brief loss of control over personal data as a result of an infringement of the GDPR could constitute non-material damages within the meaning of Art 82(1) GDPR. There is no need for the data to be misused in a specific way to the detriment of the data subject or for there to be any other additional noticeable negative consequences. For the specific case, the BGH has not decided on a particular amount of damages but considers EUR 100 to be reasonable in view of the underlying circumstances. However, it still remains in general the plaintiff’s obligation to present and prove the conditions that are pre-requisites for his claims.

The BGH has now referred the case back to the court of appeal for a new hearing and decision.

This judgment is important insofar as the BGH has taken a position on a legal issue – non-material damages for loss of control over personal data and its amount – that has been controversial and inconsistently handled to date. Back on October 31, 2024, the BGH determined the procedure for the Leading Decision Procedure in accordance with Section 552b of the German Code of Civil Procedure (Zivilprozessordnung – “ZPO”). In such procedures, the BGH can decide legal issues that are relevant to the outcome of a large number of proceedings and thus provide guidance for the courts of lower instance. However, leading decisions are not formally binding. Nevertheless, the BGH judgment sends a signal, as the BGH considers the loss of personal data to be low in relation to the amount of damages.

An update to this post will be made once the judgment is publicly available.