Germany: No GDPR damages after data breach

Background: another open legal question

One of the many open questions of data protection law in Europe is how compensation for “non-material damage” will be calculated. In contrast to personal injury claims, where lawyers have (hundreds of) years of case law to draw on when calculating compensation, there is comparatively little case law on how compensation is to be calculated for distress suffered when personal data are processed in breach of the GDPR. The German courts have been helping to fill this legal void with a number of recent decisions that will be welcomed by controllers and processors. Although there are some more data subject-friendly court decisions in Germany, these are increasingly seen as outliers; the developing trend in German decisions is that a mere loss of control over personal data and a subjective feeling of distress on the part of the affected data subject are insufficient to prove non-material damage. There must be some objective harm. It is still early days in the evolution of case law on non-material losses, so it is possible that the German courts will move towards a more data subject-friendly subjective approach, but this recent case and the majority of decisions to date favor a narrower objective test for proving non-material damage, which will come as a relief to data controllers and processors alike.

Summary

In a civil action following a personal data breach affecting a credit card bonus programme, the Regional Court (Landgericht) Frankfurt am Main rejected claims by a data subject who was affected by the breach for a cease-and-desist injunction and for compensation for non-material damage under Article 82(1) GDPR. The decision is in line with the majority of similarly restrictive interpretations of Article 82(1) GDPR by other German courts, which require evidence of objective harm. Nevertheless, there are also a few more “generous” court decisions favoring a subjective test for proof of non-material damage.

Facts

In its decision of 18 September 2020 (case number 2-27 O 100/20, available here – in German only), the Regional Court Frankfurt am Main had to decide on a civil action brought by an individual against the Belgian subsidiary of an international credit card company. The claimant participated in a credit card-related bonus programme run by the defendant. The defendant engaged a processor established in Austria for the technical operation of the bonus programme and the processing of the participants’ personal data. During a hacking attack on the processor’s systems, unknown perpetrators accessed the data of approximately 90,000 participants of the bonus programme and made this data publicly available on the internet, including the claimant’s credit card number (but not the expiration date or the CVC code). Apparently the attackers exploited a weakness in the processor’s IT system to gain entry to the network and retrieve the data. The defendant informed all affected data subjects about the data leak and warned them about potential misuse of the data.

Although the platform was subsequently shut down, the website for the bonus programme (including login area) was accessible again for one day following an IT check. The claimant claimed both injunctive relief requiring the defendant to immediately refrain from processing or publishing his personal data and a compensation claim for damages against the defendant for breaches of the General Data Protection Regulation (“GDPR”).

The decision

The Regional Court dismissed both claims. In its opinion, the claimant was entitled neither to injunctive relief nor to damages.

Dismissing the claim for injunctive relief under Sections 1004 (1) and 823 (1) of the German Civil Code (Bürgerliches Gesetzbuch – “BGB”), the Regional Court found that on the facts there was no risk of a repeat breach, as the service provider was no longer responsible for administration of the programme and the bonus programme had ended.

The court also rejected the claimant’s claim for EUR 8,400 in damages for non-material damage under Article 82 (1) GDPR for the following reasons:

  • The publication of the claimant’s personal data by the attackers after the hack did not give rise to damage claims under Article 82(1) as the publication was not by the controller defendant or its processor.
  • The claimant also failed to prove that the controller had failed to comply with its obligation under Article 28 (1) GDPR to diligently select and monitor the service provider appointed to administer the bonus programme. The court stated in general that the burden of proof for an infringement of the GDPR is with the claimant data subject. Article 82 (3) GDPR only shifts the burden of proof to the controller (or processor) with respect to the controller’s (or processor’s) responsibility for a GDPR infringement once the infringement has been proven by the data subject.
  • The hacking (change of the admin password) and the fact the website for the bonus programme (including login area) was accessible again for one day following an IT check did not give rise to non-material damage claims as an infringement of the GDPR does not automatically result in non-material damages, but requires a concrete violation of the affected data subject’s right to privacy. In particular, German law and therefore Article 82 GDPR as applied by German courts does not provide for overcompensating punitive damages.
  • The plaintiff also could not claim damages for a missing data processing agreement in terms of Article 28 (3) GDPR between the defendant and its processor as on the facts there was an agreement in place. A data processing agreement does not require a wet signature; an electronic signature is sufficient.
  • Furthermore, neither Article 32 GDPR nor the Payment Card Industry Data Security Standard (PCI DSS) requires that credit card numbers be stored as hashes. Not hashing the credit card numbers consequently does not qualify as an infringement of the GDPR in terms of Article 82 (1) GDPR.
  • Nor did the (alleged) inadmissible disclosure of personal data by the defendant to its parent company in the United States, acting as joint controller with the defendant, give rise to non-material damages, as the plaintiff could not establish that such data transfers had taken place. The court stressed that it is possible to act as joint controller without having access to any personal data, as joint determination of the purposes and means of processing is sufficient. A missing joint controller arrangement, or an omission to make its essence available to the data subject, is likewise not capable of causing any non-material damage. Finally, the court found that approved Binding Corporate Rules (BCR) were in place between the defendant and its parent company.

Damage claims under German general tort law are blocked by Article 82 (1) GDPR. The court could also not identify any breach of contract. As such, the claimant was unable to prove liability on any of the various bases argued.

GDPR damages in Germany

The decision by the Regional Court Frankfurt am Main is in line with the generally restrictive interpretation of Article 82 (1) GDPR by the German courts in previous decisions. Most German courts do not automatically award non-material damages, not even after a personal data breach in terms of Article 4 No. 12 GDPR. The German courts have typically set the bar for non-material damage claims such that the data subject must have experienced a noticeable disadvantage and an objectively comprehensible impairment of personal rights of a certain weight and, in the case of publication of personal data after a data breach, some sort of public humiliation. A merely individual (subjective) feeling of discomfort is not sufficient for non-material damages to be awarded. The purpose of Article 82 (1) GDPR is not to introduce punitive damages.

There are a few isolated court decisions in Germany applying a more “generous” approach to damages, leaning towards a subjective test, according to which the mere loss of control over personal data may be sufficient for a non-material damage claim to be proven (Labour Court (Arbeitsgericht) Düsseldorf, decision dated 5 March 2020, case number 9 Ca 6557/18 – EUR 5,000 for delayed (by five months) and partially incomplete response to a data subject access request, also taking into account the controller’s annual turnover, available here – in German only; Regional Court Darmstadt, decision dated 26 May 2020, case number 13 O 244/19 –  EUR 1,000 for sending information from a job application process to the wrong candidate). Nevertheless, such decisions remain isolated and will hopefully be overturned on appeal.

For further information please contact Jan Spittka (Counsel, Cologne) or Katja Ruers (Trainee Lawyer, Cologne).