noyb welcomes yesterday's leading decision of the German Federal Court of Justice on claims in connection with a data protection incident at Facebook
Copyright for header picture above: Steffen Prößdorf, CC BY-SA 4.0 <https://creativecommons.org/licenses/by-sa/4.0>, via Wikimedia Commons
- Press Release by the BGH (in German)
- Video of the Ruling (in German)
- Report by German public broadcaster ZDF on the Ruling (in German)
Statement by Max Schrems.
Max Schrems: "Despite clear provisions in the GDPR and several CJEU rulings, German courts have regularly refused damages in data protection cases. We are pleased that the BGH has now put its foot down and brought German case law into line. The legal debate in Germany has so far been dominated by corporate lawyers, and some courts have allowed themselves to be swayed by their crude theories and quickly dismissed tricky GDPR cases. As a result, Germany has become a Europe-wide problem for data protection cases."
German courts and literature so far extremely hostile toward GDPR. In Germany, legal literature has a great influence on the courts. In the area of data protection, however, there are almost only specialist lawyers on the corporate side. Also, research in the field of digital rights is increasingly being commissioned and paid for by companies to an alarming extent – often without this being disclosed accordingly. Against this backdrop, an industry has emerged that continues to produce crude theories as to why GDPR claims should be rejected or why damages for data protection violations are virtually non-existent.
For example, a ‘materiality threshold’ was invented in Germany, whereupon the courts dismissed many GDPR damages cases as ‘immaterial’. Austrian courts have also embraced this theory, although the GDPR offers no basis for it. It was only the CJEU that put a stop to this (C-300/21 Österreichische Post). Nevertheless, some German courts have repeatedly dismissed such cases, contrary to the CJEU ruling.
The infringement of privacy is the ‘primary damage’. It is often difficult to calculate the damage when the rights are not directly ‘measurable’. However, in other areas besides data protection, this is no reason not to award damages. In media law, for example, an insult can be just as much of a ‘damage’ as the pain of a broken leg. In other areas, courts have gradually worked out what compensation is appropriate. In some EU countries, this has also led to the development of informal ‘fracture tables’ for claims for damages.
‘Secondary damage’ independently eligible for compensation. The damage to the fundamental right to data protection can also be separated from ‘secondary damage’. For example, one can already suffer from the unlawful publication of an illness. If one subsequently loses one's job because of the publication, this is a second, independent secondary damage - which is eligible for compensation separately. Corporate lawyers have so far consistently denied that the fundamental right to data protection itself is the damage and have focused on (rare and difficult to prove) secondary damage.
The decision in summary: In its leading decision yesterday, the Federal Court of Justice ruled that the mere loss of control over one's own personal data can constitute damage that can be compensated under the GDPR, provided that this damage is due to a violation of the GDPR. In doing so, the German supreme court is following the case law of the CJEU (see (C-200/23). Further disadvantages, such as the specific misuse of the data or other negative consequences, are not required in order to award data subjects damages under the GDPR. Even though the BGH was specifically dealing with a data breach on Facebook, the statements in the judgement can probably be applied to other scenarios in which data subjects are unlawfully deprived of control over their privacy.