UK: Compensation For Data Leaks Under Art. 82 GDPR? The Current Legal Situation Regarding Data Scraping

The term "data scraping" has gained increased attention since the global data leaks of the Facebook service operated by Meta. The automated "scraping" of data, often carried out by bots, means the extensive extraction of publicly accessible data on platforms in order to analyse, process or sell the information obtained, for example. Compiling information that can be found publicly on the internet is not illegal as such and in many cases, it is even useful for better systematisation and meaningful use of information. Nothing else happens when search engines index website content on the Internet. However, scraping is only harmless if it concerns publicly accessible general data.

However, mass extraction can also include personal data of platform users or sensitive data from a company's customer database. If such data is disclosed because the necessary security precautions have gaps, web scraping can be used maliciously by third parties to exploit the security gaps to collect sensitive data. Users and companies are therefore faced with the question, whether users are entitled to compensation in the event of data leaks. Of particular interest is the question of non-material claims for damages in the event of a GDPR breach and, in this context, whether the affected parties have suffered any compensable damage at all. While many of the non-material claims for damages brought by Facebook users under Art. 82 GDPR in connection with data scraping incidents have so far been dismissed by the German general civil courts, the labour courts have tended to a more generous line. At the beginning of 2023, for example, a German Labour Court awarded a plaintiff damages of €10,000 as a result of a breach of the GDPR (judgement of 23 March 2023, case no.: 3 Ca 44/23). This different approach led to legal uncertainty for companies and users. Can users now expect such high claims for damages in the event of data leaks?

When are users entitled to damages under data protection law?

The consequences of (negligent) data leaks for users are varied and can take the form of unwanted calls, emails or text messages. However, the difficulty lies in proving that these messages can actually be traced back to the data leak. Another key question in the case of data scraping of personal data is whether a loss of control over the data and the fear of misuse are sufficient as individual damage. The GDPR itself presupposes the existence of "significant economic or social damage" for a claim for damages. However, this cannot apply in the case of a data leak that occurred some time back and did not lead to demonstrably improper use of data. It should also be considered in this assessment that the data concerned in data scraping was typically publicly accessible on the internet from the outset and was not obtained without authorisation against the will of the user and provider by overcoming access restrictions, as is the case with hacking.

According to Art. 82 (1) GDPR, "any person who has suffered material or non-material damage as a result of an infringement of this Regulation [...] shall be entitled to compensation from the controller or processor".

Current case law

The vast majority of the numerous claims brought by Facebook users for damages under Art. 82 (1) GDPR as a result of the data leak failed. And in recent decisions on data scraping violations, claims for non-material damages under Art. 82 (1) GDPR were also dismissed due to a lack of demonstrable damage. Claims in connection with the data leaks at Facebook recently failed before the German Higher Regional Court of Stuttgart (judgement of 23 November 2023 - Ref.: 4 U 17/23; 4 U 20/23), for example, due to a lacking material harm to users, who only reported "annoyances and inconveniences". The Higher Regional Court of Hamm also stuck to its previous line and once again rejected a GDPR claim for damages in the Facebook data scraping cases on 22 September 2023 (OLG Hamm, decision 22.09.2023 - Ref.: 7 U 77/23). Some concrete, sufficiently substantiated damage attributable to the specific data leak is required in the individual case. A purely generalised loss of control or an abstract fear of misuse without personal or psychological impairment is insufficient. The judgement cites feelings such as "anxiety, stress, loss of comfort and time" as examples of purely generalised impairments. The feeling of a loss of control over personal data, feeling observed and helpless are not sufficient, even in the case of misuse of names and mobile phone numbers.

Initially, it was controversial whether the mere violation of the GDPR already gives rise to an immaterial claim for damages - quite apart from the question of whether data scraping is covered by a GDPR offence at all - and whether the platform operator can exculpate itself through sufficient security standards. Most case law now assumes that, in addition to the mere offence, proof of concrete damage in the form of personal or psychological harm is required. The European Court of Justice (judgement of 4 May 2023, case no.: C-300/21 - Österreichische Post) also ruled that an individual causal damage must exist for a non-material claim for damages, as not every GDPR violation automatically constitutes damage. In this respect, the ECJ has stipulated that no materiality or triviality threshold applies to the claim for damages under Art. 82 (1) GDPR as long as an actual immaterial impairment can be established. In its two most recent judgements in this context (judgement of 14 December 2023 - Ref.: C-340/21; judgement of 14 December 2023 - Ref.: C-456/22), the ECJ has now once again specified the criteria for damage and expressly allows immaterial damage as well as purely subjective impairments under Art. 82 GDPR. Proof of objective harm may not be required from the data subject. Only annoyance and subjective inconvenience as well as a generalised, unspecified loss of control cannot constitute an impairment. A balance must be struck in each individual case.

It should be noted that a majority of decisions have dismissed claims for damages in the Facebook data scraping cases. The decisions awarding non-material damages show an interesting repertoire of different amounts of damages with claims ranging from €100 to €10,000, as most recently awarded by the Duisburg Labour Court. However, the latter sum does not appear to reflect the amount in dispute that can be expected in such cases in the future, especially as the ruling by the Düsseldorf Regional Labour Court (judgement of 28.11.2023 - Ref.: 3 Sa 285/23) was also overturned due to a lack of concretely presented damages. Most cases will be in the lower range of between €100 and €1,000, meaning that the local courts will retain jurisdiction at first instance.

What does this mean for companies and users?

In order to deal with and protect themselves against claims for damages, companies should be aware that, in principle, any GDPR breach can trigger liability for damages. Even the sending of data to the wrong recipient or the unauthorised disclosure of personal data in the cloud context can lead to this. Furthermore, data scraping as such is legal and cannot be prevented by technical precautions, as it typically only involves the collection of publicly accessible content and data on websites. Website operators and companies with customer databases must therefore take sufficient technical and organisational measures and identify security gaps in good time in order to prevent the disclosure and data scraping of personal user data by third parties. Otherwise, there is a risk of high fines.

From the user's point of view, claims for damages due to data scraping, as in the case of the Facebook data leak, should not raise too much hope for the time being. At least as far as immaterial damage is concerned. The majority of dismissals of the claims show the existing hurdles for the user to sufficiently demonstrate damage and causality. There is only a chance of success if there is evidence that proves the damage and the attribution to the data leak. This will probably not apply in a large number of cases. However, if this is the case, damages of up to €1,000 can be expected.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.