When the Regional Court of Munich ordered Scalable Capital at the end of 2021 to pay EUR 2.500 in damages to an aggrieved customer, it sent ripples through the data protection world. It was a somewhat novel decision, awarding claims for immaterial damages in a case where no concrete economic loss was established.
The verdict can hardly be considered an outlier anymore: to date, over 25 decisions of different courts have granted claims for immaterial damages, with damage amounts ranging from EUR 100 to EUR 5.000.
The Scalable case, however, has been more visible than many others – it was one of the first, and it takes little imagination to see that it can be scaled up easily. Thus, all eyes were on the appeal proceedings, hoping for further guidance from the appellate court. But we will have to wait a bit longer: in an unexpected turn, Scalable Capital and their legal advisors retracted their appeal (see "Verstoß gegen DSGVO: Scalable Capital haftet nach Datenleck", faz.net). As a result, the initial decision is now legally binding.
Are the floodgates now open?
As it stands, everyone affected by a data breach could have a four-digit euro claim against the controller – without bearing the burden of evidencing an actual loss or damage. In fact, the court in Munich let the risk of misuse of data suffice (some evidence pointed to bad actors attempting to exploit the breach). On the one hand, a successful appeal would have been good news for Scalable and other controllers who still hope that the mass claim nightmare does not materialize – but on the other hand, the withdrawal of the appeal did not raise many eyebrows on the side of the mass claim industry-in-waiting.
They can sit back. Some players, such as the EuGD, have already collected a pile of claims and are now waiting for the right time to file. Since the "Diesel scandal", the German plaintiff industry has grown significantly and has the manpower as well as the legal expertise to carry out such large-scale campaigns. The attacks will be launched once there is sufficient certainty that the highest courts will not thwart their plans.
Controllers are right to worry. They should be prepared that in cases of data breaches and other mishandling of personal data, they will have to deal not only with the data protection authorities, but increasingly also with a claim industry. Preparing for such an attack is different. Defendants must be able to handle a mass of claims with speed and a coherent legal strategy. Legal-tech solutions and process specialists will play a critical role in supporting classic legal advisors to rise to these challenges.
Many open questions
Aside from the Scalable verdict, too, a lot of questions remain unanswered. Scalable's data breach concerned data which is readily understood as sensitive, such as ID data and tax numbers of data subjects, and it is unclear whether immaterial damages would also be awarded where the risk is more remote. In another case, the Regional Court of Munich granted damages amounting to EUR 100 for the use of Google Fonts by a website provider (case no. 3 O 17493/20). It will be interesting to see if this strict line of ruling will find support amongst other courts.
For controllers, there are of course many other lines of argument for the defence: mass claims are often based on a bundling of claims assigned to a claim vehicle. Whether this is possible at all in the case of personal and immaterial damage claims has not been finally decided. The municipal court of Hannover questioned the assignability back in 2019 (case no. 531 C 10952/19).
Further, the Munich court reiterated that the claimant needs to evidence not only the breach/infringement, but importantly also the (immaterial) damages, i.e. identity theft, reputational harm, loss of confidentiality etc. In the Scalable case, the claimant succeeded in providing sufficient evidence of (attempted) malicious exploitation, but it may be more difficult to do so in a Google Fonts case.
The links between national law and the GDPR will also offer much room for argumentation. While the claim itself might arise from the GDPR, concepts such as contributory negligence and other mitigating factors may well find their way into the proceedings under national law. Which national law this will be presents another open question. Due to the pan-European nature of the GDPR, we will likely see cases with data subjects from one EU member state attempting to enforce claims against a controller from a different member state. These claims can be bundled at the seat of the controller (Art. 79 (2) GDPR). Courts will then have to grapple not only with the interplay of GDPR and national laws but potentially also with choice of law clauses.
About the authors:
Stephan Zimprich is a partner in Fieldfisher's Hamburg office. He specialises in litigating cases with a technology background and advises clients mainly from the digital sector on data protection, competition law and IT law.
Jacob Feder is an intellectual property and technology lawyer in Fieldfisher's Hamburg office. He advises technology-based companies as well as those with novel business models, especially in regulated markets.