Breaking Down the BGH Decision
With the judgement as of November 18, 2024, the German BGH ruled that the mere and temporary loss of control over personal data triggered by a GDPR breach constitutes immaterial damage within the meaning of Art. 82 para. 1 GDPR.
The case arose from a 2021 incident where personal data from 533 million Facebook users worldwide became publicly accessible due to scraping by third parties exploiting Facebook's contact import tool. This tool linked phone numbers with public user profile data. The plaintiff, whose data was affected, argued that Meta had failed to implement adequate safeguards, leading to the loss of control over their personal data, and sought damages under GDPR.
While the lower courts ruled differently—granting 250 EUR in damages at first instance but later rejecting the claim entirely—the BGH clarified that non-material damages under Art. 82 para. 1 GDPR do not require proof of misuse or additional psychological harm. The mere loss of control over data, even temporarily, can constitute sufficient immaterial damage.
The court further addressed procedural and legal issues, upholding the plaintiff's claims for injunctive relief and legal cost reimbursement. It also emphasized that the question of whether Facebook’s default privacy settings aligned with GDPR standards, as well as whether valid consent was obtained for processing, requires further examination by the lower court.
Mitigating Risks and Strengthening Compliance Through Codes of Conduct
The decision reinforces the importance of establishing transparent and monitored GDPR compliance processes. It further emphasizes the scope of protection for individuals' data rights under Art. 82 GDPR, specifically in cases of temporary data breaches. However, while such processes are essential, implementing them can raise a multitude of obstacles for companies to overcome. One effective way to navigate those challenges and to ensure compliance, is adopting an approved code of conduct under Art. 40 GDPR, which is monitored by an accredited body in accordance with Art. 41 GDPR.
A sector specific code of conduct can be designed to tackle the unique risks of GDPR’s requirements by offering tailored androbust standards e.g. containing safeguards, such as default privacy settings and consent mechanisms. In addition, a code can facilitate the implementation of guidelines for tools such as the contact import function, a feature exploited in the Scraping Incident.
Moreover, a code of conduct should contain provisions for regular security audits, testing of data protection measures, and increased transparency about data handling practices. These elements create streamlined and efficient responses to procedural challenges and also foster legal certainty for adherent companies. At the same time, companies build trust among consumers by demonstrating commitment to high data protection standards.
Adherence to an approved code of conduct demonstrates proactive efforts to comply with GDPR and therefore, can act as a mitigating factor in determining liability for GDPR data breaches, pursuant to Art. 83 GDPR.
More information about the BGH judgment on the court’s website (available in German).
