What were the key facts of the case?
The judgment of the District Court Munich I of 9 December 2021 (case no. 31 O 16606/20) concerns a dispute between a customer (plaintiff) and a financial services company (defendant) relating to a data breach at the defendant's former service provider.
In October 2020, the defendant notified the plaintiff that third parties had unlawfully accessed part of its customer data, including the plaintiff's full name, comprehensive contact information, and other information revealing the plaintiff's identity (including a copy of his ID). An unidentified attacker obtained the access credentials for the defendant's database through a cyber-attack on the defendant's service provider and was thereby able to reach the customer data. The key allegation was that although the contractual relationship between the defendant and the service provider had been terminated at the end of 2015, the access credentials for the database remained unchanged until the breach occurred, almost five years later.
The plaintiff argued that the files of the prosecutor's office indicate three successful unauthorized accesses to personal data, in which third-party attackers copied customer data and used it to apply for loans on the basis of stolen identities. He alleged that the stolen data had been offered for sale on the dark web and argued that he was permanently exposed to the risk of his data being used for identity theft and other fraudulent activities.
What did the Court decide and why does it matter?
On the basis of Art. 82 GDPR, the Court awarded the plaintiff compensation of EUR 2,500 for non-material damages, although there was no proof that the plaintiff's stolen data had actually been used for fraudulent purposes such as fraudulent loan applications.
In addition, the Court held that the defendant is obliged to compensate the plaintiff for all future material damages he suffers as a result of the unauthorized third-party access. This finding is remarkable, as it establishes far-reaching liability of the defendant for damages that have not yet occurred. The ruling appears to be the first court decision to grant such a declaratory claim based on Art. 82 GDPR.
If this judgment is upheld in the higher instances, it could open the door a bit wider for mass proceedings or class actions for material and non-material damages under the GDPR in case of data breaches (e.g. cyber-attacks or security incidents). Some commercial litigation funders and legal tech providers have already discovered the market for mass actions under the GDPR and offer their services on the German market. The plaintiff in the case at hand had also joined forces with a litigation funder.
What were the key findings of the Court?
The ruling is based on Art. 82 GDPR, which gives data subjects who have suffered material or non-material damage as a result of an infringement of the GDPR an individual right to claim compensation from the company acting as controller or processor of the personal data (see our blog post here for more details on Art. 82 GDPR). In the case at hand, the Court treated the plaintiff as a data subject with respect to personal data processed by the defendant in its role as controller.
Infringement of Art. 32 GDPR
The Court found that the defendant infringed Art. 32 GDPR by not verifying that the database access credentials had been deleted after the agreement with the former service provider was terminated, and by leaving those credentials unchanged for several years. The Court stressed that the controller has its own obligation to supervise its service provider and to instruct it to delete account credentials accordingly. From a security perspective the point cuts deeper: the credentials belonged to the defendant's own database, so the defendant could have revoked or rotated them itself at the end of the engagement, regardless of what the provider did or failed to do on its side.
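The control the Court found missing is one a controller can run entirely against its own account inventory, without relying on the former provider. As an added example that is not part of the original post or of the court file, the following Python script audits a constructed list of database accounts against a list of vendor engagements and flags accounts that are still enabled, or whose credentials were never rotated, after the owning vendor's contract ended; it also flags orphaned, dormant and rotation-overdue accounts for active owners. All account names, vendors, dates and the 90-day rotation policy are assumptions made for illustration.

```python
# Added example (not from the original article or the court file): an
# offboarding audit over the controller's own database account inventory.
# All accounts, vendors, dates and policy thresholds are constructed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class DbAccount:
    name: str
    owner: str                  # vendor or internal team the account was issued to
    enabled: bool
    last_rotated: date          # last time the password/key was changed
    last_used: Optional[date]   # None = never seen in the audit log


@dataclass(frozen=True)
class Engagement:
    vendor: str
    terminated_at: Optional[date]   # None = contract still active


@dataclass(frozen=True)
class Finding:
    account: str
    code: str
    detail: str


MAX_CREDENTIAL_AGE = timedelta(days=90)    # assumed rotation policy
DORMANT_AFTER = timedelta(days=180)        # assumed "unused" threshold
AUDIT_DATE = date(2020, 10, 1)             # constructed audit date


def audit(accounts: List[DbAccount], engagements: List[Engagement], today: date,
          max_age: timedelta = MAX_CREDENTIAL_AGE,
          dormant_after: timedelta = DORMANT_AFTER) -> List[Finding]:
    """Flag accounts that outlived the vendor relationship they were issued for.

    Every check uses data the controller holds itself (its account list and
    its contract records), so it works whatever the former provider did.
    """
    end_dates = {e.vendor: e.terminated_at for e in engagements}
    findings: List[Finding] = []
    for acct in accounts:
        if acct.owner not in end_dates:
            findings.append(Finding(acct.name, "ORPHANED",
                                    f"no engagement record for owner '{acct.owner}'"))
            continue
        ended = end_dates[acct.owner]
        if ended is not None:
            if acct.enabled:
                findings.append(Finding(acct.name, "STALE_VENDOR_ACCESS",
                                        f"{acct.owner} terminated {ended}, account still enabled"))
            if acct.last_rotated <= ended:
                # Disabling alone is not enough: the old secret still exists and
                # the account can be re-enabled with it, so rotation after the
                # termination date is checked separately.
                findings.append(Finding(acct.name, "NOT_ROTATED_SINCE_TERMINATION",
                                        f"last rotated {acct.last_rotated}, contract ended {ended}"))
            continue
        # Active owner: apply the general hygiene rules.
        if acct.enabled and today - acct.last_rotated > max_age:
            findings.append(Finding(acct.name, "ROTATION_OVERDUE",
                                    f"credential is {(today - acct.last_rotated).days} days old"))
        if acct.enabled and (acct.last_used is None or today - acct.last_used > dormant_after):
            findings.append(Finding(acct.name, "DORMANT",
                                    f"last used {acct.last_used or 'never'}"))
    return findings


def sample_inventory():
    """Constructed inventory: one vendor terminated end of 2015, one active internal owner."""
    engagements = [
        Engagement("acme-analytics", date(2015, 12, 31)),
        Engagement("billing-team", None),
    ]
    accounts = [
        DbAccount("svc_acme_ro", "acme-analytics", True, date(2014, 3, 1), date(2020, 9, 30)),
        DbAccount("svc_acme_etl", "acme-analytics", False, date(2016, 1, 15), None),
        DbAccount("svc_billing", "billing-team", True, date(2020, 8, 15), date(2020, 9, 30)),
        DbAccount("svc_report_old", "billing-team", True, date(2019, 1, 1), None),
        DbAccount("svc_legacy_report", "old-vendor", True, date(2012, 6, 1), date(2015, 5, 2)),
    ]
    return accounts, engagements


def run_sample() -> List[Finding]:
    accounts, engagements = sample_inventory()
    return audit(accounts, engagements, today=AUDIT_DATE)


def codes_for(findings: List[Finding], account: str) -> List[str]:
    return sorted(f.code for f in findings if f.account == account)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.code:30} {f.account:18} {f.detail}")
```

In the constructed data, `svc_acme_ro` mirrors the fact pattern of the case: the vendor's contract ended in 2015, the account is still enabled and its credential predates the termination, so both `STALE_VENDOR_ACCESS` and `NOT_ROTATED_SINCE_TERMINATION` fire. The disabled-and-rotated `svc_acme_etl` produces nothing, which is the state an offboarding process should leave behind.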
Non-material “damage” within the meaning of Art. 82 GDPR
Further, the Court found that the plaintiff suffered non-material damage, given that the attacker obtained a comprehensive and sensitive set of data relating to him which could be used for fraud under a false identity.
By taking this view, the Court applied a quite broad interpretation of Art. 82 GDPR, as it was not proven that the data relating to the plaintiff was actually used for fraudulent purposes by which the data subject suffered a specific damage. In this respect, the ruling deviates from judgments of several local courts in Germany which require claimants to prove that they actually suffered relevant damages by experiencing specific, objectively significant and noticeable disadvantages (also see our blog post here for an overview of previous case-law on Art. 82 GDPR). The ruling rather follows the line of some other German courts that apply a broad interpretation of Art. 82 GDPR in the interest of an effective enforcement of the GDPR.
Calculation of the compensation
To calculate the compensation for non-material damages, the Court applied the criteria listed in Art. 83(2) GDPR for administrative fines, taking into account the nature and severity of the infringement in light of the scope of the processing in question. The Court noted that there was no proof that the data had actually been used for fraudulent purposes. However, it also held that compensation under Art. 82 GDPR is intended to have a "deterrent effect" and therefore considered EUR 2,500 for non-material damages to be appropriate.
Compensation for future material damages
The Court considered the mere possibility that the plaintiff could suffer further material damages as a consequence of the infringement of Art. 32 GDPR sufficient for the declaratory claim, thereby applying a rather low procedural standard.
However, the ruling (if upheld) would not automatically entitle the data subject to compensation payments for material damages from the defendant. The plaintiff would still need to prove, in follow-on proceedings, that the material damage in question resulted from the GDPR infringement. Nevertheless, such a declaratory ruling on the obligation to compensate future material damages leaves defendant controllers or processors in uncertainty until the alleged future damages materialize (if they ever do), including on the question of whether and in what amount the company must set aside provisions.
What should companies do?
The ruling, which is not final, illustrates the legal risks that may result from cyber-attacks and security incidents affecting a larger number of customers. The current case-law in Germany shows that an increasing number of courts apply a rather broad interpretation of Art. 82 GDPR. Going forward, this could foster mass litigation for damage claims under GDPR in similar data breach scenarios.
Companies should be aware that declaratory rulings on future damages create an additional burden in this scenario. This is particularly relevant for data breaches affecting a large number of data subjects.
With regard to compensation for non-material damages, companies should monitor the development of the case-law in Europe. The European Court of Justice could set the course for GDPR damage claims when it decides pending cases on the interpretation of Art. 82 GDPR later this year; we will follow up on this in a separate blog post.
To mitigate risks from the outset, it is crucial for companies to implement effective data protection and data security management systems that ensure a high level of GDPR compliance and cybersecurity, also taking into account any service providers involved in the processing of personal data. As this case shows, that includes revoking or rotating the access credentials a provider held, and verifying this has happened, when the relationship ends. Thorough documentation of the measures implemented can also serve as a valuable means of defense in GDPR damage claims or other enforcement proceedings.
Authored by Katrin Weixlgartner and Henrik Hanßen.