German court awards GDPR non-material damages over data breach | Hogan Lovells
In a recent judgment, the Munich I District Court awarded a data subject compensation under Art. 82 GDPR for immaterial damage suffered as a result of unauthorized access by a third party to personal data of the person concerned. In addition, the Court found that the defendant company is liable to indemnify all future property damage resulting from the data breach.
What were the main facts of the case?
The judgment of the Munich I District Court of December 9, 2021 (case no. 31 O 16606/20) concerns a dispute between a customer (plaintiff) and a financial services company (defendant) over an alleged data breach at the defendant’s service provider.
In October 2020, the defendant notified the plaintiff that third parties had unlawfully accessed some of the customer data, including the plaintiff’s full name, full contact details and other information revealing the plaintiff’s identity (including a copy of ID). An unidentified attacker obtained the access credentials for an account in the defendant’s database through a cyberattack against the defendant’s service provider and was therefore able to access customer data. The key contention of the case was that, although the contractual relationship between the defendant and the service provider had been terminated at the end of 2015, the account access credentials for the database remained unchanged until the data breach in question occurred.
The plaintiff argued that the records of the prosecutor’s office indicate that there were three successful unauthorized accesses to personal data, in which third-party attackers copied customer data and used it to apply for loans under stolen identities. He alleged that the stolen data was offered for sale on the dark web and argued that he was at constant risk that his data could be used for identity theft and other fraudulent activities.
What did the Court decide and why is it important?
On the basis of Art. 82 GDPR, the Court awarded the plaintiff EUR 2,500 in compensation for non-pecuniary damage, although there was no evidence that the plaintiff’s stolen data had actually been used for fraudulent purposes, such as fraudulent credit applications.
In addition, the Court held that the defendant is liable to indemnify the plaintiff for all future material damage suffered by the plaintiff as a result of the unauthorized third-party access to his data. This finding is quite remarkable, as it constitutes an extended liability of the defendant for future property damage. The decision appears to be the first court decision to grant such a declaratory claim based on Art. 82 GDPR.
If this judgment is confirmed by the higher courts, it could open the door a little wider to mass proceedings or class actions for material and immaterial damages under the GDPR in the event of a data breach (e.g. cyberattacks or security incidents). Some commercial litigation funders and legal technology providers have already discovered the mass market under the GDPR and are offering their services in Germany. The plaintiff in this case had also partnered with a funder.
What were the Court’s main findings?
The decision is based on Art. 82 GDPR, which gives data subjects who have suffered material or immaterial damage as a result of a breach of the GDPR an individual right to seek compensation from the company acting as controller or processor of the personal data (see our blog post here for more details on Art. 82 GDPR). In the present case, the Court proceeded on the basis that the plaintiff was the data subject of the personal data processed by the defendant in its capacity as controller.
Violation of Art. 32 GDPR
The Court held that the defendant had violated Art. 32 GDPR by not verifying that the account access credentials for the database had been deleted after the termination of the agreement with the former service provider, and by leaving the credentials unchanged for several years. The Court emphasized that it is the responsibility of the data controller to monitor its service providers and to order the removal of account credentials accordingly.
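The control the Court found missing is an offboarding check: when a service provider’s contract ends, every credential that provider held must be revoked, and credentials that stay unrotated for years should surface on their own. The following script is an added illustration written for this post and is not code from the case, the defendant or Hogan Lovells. It joins a (constructed, hypothetical) register of vendor contracts with a (constructed) inventory of database service accounts and flags credentials that are still enabled after the vendor’s contract has ended, credentials for vendors with no contract on record, and credentials not rotated within a policy window. Vendor names, account names and dates are all invented.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class VendorContract:
    vendor: str
    ends: Optional[date]  # None means the contract is still in force


@dataclass(frozen=True)
class Credential:
    account: str
    vendor: str  # the service provider this account was issued to
    enabled: bool
    last_rotated: date


# Constructed sample data (hypothetical vendors and accounts, not from the case).
CONTRACTS = [
    VendorContract("acme-support", date(2015, 12, 31)),   # terminated years ago
    VendorContract("globex-analytics", None),              # still active
]

CREDENTIALS = [
    Credential("db-svc-acme", "acme-support", True, date(2014, 6, 1)),
    Credential("db-svc-globex", "globex-analytics", True, date(2020, 1, 15)),
    Credential("db-svc-globex-old", "globex-analytics", False, date(2016, 3, 3)),
    Credential("db-svc-orphan", "initech", True, date(2020, 9, 1)),  # no contract on record
]


def audit_vendor_credentials(
    contracts: List[VendorContract],
    credentials: List[Credential],
    today: date,
    max_age_days: int = 365,
) -> List[Tuple[str, str]]:
    """Return (account, issue) findings for live credentials that should not exist as-is.

    A disabled credential is skipped: it is not a live exposure. Every other
    credential is checked against the contract register and the rotation policy,
    so one account can produce more than one finding.
    """
    end_by_vendor = {c.vendor: c.ends for c in contracts}
    findings: List[Tuple[str, str]] = []
    for cred in credentials:
        if not cred.enabled:
            continue
        if cred.vendor not in end_by_vendor:
            findings.append((cred.account, "unknown vendor: no contract on record"))
            continue
        ends = end_by_vendor[cred.vendor]
        if ends is not None and ends < today:
            findings.append(
                (cred.account, f"contract ended {ends.isoformat()} but credential still enabled")
            )
        age = (today - cred.last_rotated).days
        if age > max_age_days:
            findings.append((cred.account, f"not rotated for {age} days"))
    return findings


if __name__ == "__main__":
    # Constructed reference date, roughly when the breach in the post was notified.
    for account, issue in audit_vendor_credentials(CONTRACTS, CREDENTIALS, date(2020, 10, 1)):
        print(f"{account}: {issue}")
```

Run against the sample data with a reference date of October 2020, the stale account of the terminated vendor produces two findings (contract ended, never rotated) and the orphaned account one, while the active vendor’s recently rotated account passes. In practice the contract register would come from procurement and the credential inventory from the database or IAM system, and the findings would feed a ticket queue; the point of keeping the check as a standing job rather than a one-off review is exactly the monitoring duty the Court describes.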
Non-material “damage” within the meaning of Art. 82 GDPR
In addition, the Court concluded that the plaintiff had suffered non-pecuniary damage, since the attacking third party had obtained a complete and sensitive set of data relating to the data subject which could potentially be used for fraudulent purposes under a false identity.
In taking this position, the Court applied a fairly broad interpretation of Art. 82 GDPR, as it had not been proven that the plaintiff’s data was actually used for fraudulent purposes such that the data subject suffered specific damage. In this regard, the decision departs from judgments of several local courts in Germany which require plaintiffs to prove that they have indeed suffered relevant damage in the form of specific, objectively significant and perceptible inconvenience (see also our blog post here for an overview of previous case law on Art. 82 GDPR). Rather, the decision follows the line of some other German courts which apply a broad interpretation of Art. 82 GDPR in the interest of effective GDPR enforcement.
Calculation of compensation
For the calculation of the compensation for non-pecuniary damage, the Court applied the criteria listed in Art. 83 (2) GDPR, and thus took into account the nature and gravity of the infringement in light of the scope of the processing in question. In its calculation, the Court considered that there was no proof that the data in question had actually been used for fraudulent purposes. However, the Court also held that compensation under Art. 82 GDPR is intended to have a “deterrent effect” and therefore considered compensation for (immaterial) damage of EUR 2,500 to be appropriate.
Compensation for future property damage
The Court considered the mere possibility that the plaintiff would suffer further material damage following the violation of Art. 32 GDPR to be sufficient. It thus applied a rather low procedural standard for such a declaratory request.
However, the decision (if confirmed) would not automatically entitle the data subject to compensation for material damage from the defendant. Instead, the claimant would still have to prove, in follow-up proceedings, that the relevant material damage was the result of the GDPR breach in question. Nevertheless, such a declaratory ruling on the obligation to indemnify future material damage leaves defendant controllers or processors in limbo until the alleged future damage materializes (if at all), including on the question of whether and to what extent the company should make provisions.
What should companies do?
The judgment, which is not final, illustrates the legal risks that can arise from cyberattacks and security incidents affecting a larger number of customers. Current case law in Germany shows that an increasing number of courts apply a rather broad interpretation of Art. 82 GDPR. In the future, this could foster mass litigation for damages claims under the GDPR in similar data breach scenarios.
Businesses should be aware that declaratory rulings on future damage create an additional burden in this scenario. This is particularly relevant for data breaches in which a larger number of data subjects are affected.
With regard to compensation for non-material damage, companies should monitor the evolution of case law in Europe. It is possible that the European Court of Justice could set the course for GDPR damages claims when deciding on pending cases involving the interpretation of Art. 82 GDPR later this year – we will follow up on this with a separate blog post.
In order to mitigate risks from the outset, it is crucial for businesses to have effective data protection and data security management systems in place to ensure a high level of GDPR compliance and cybersecurity, also taking into account any service providers involved in the processing of personal data. Full documentation of the measures implemented can also serve as a valuable defense against GDPR damage claims or other enforcement proceedings.