Data scraping on Facebook: OLG Frankfurt awards 200 euros for non-material damages
In its judgment of April 24, 2024 (Ref. 6 U 79/23), the Higher Regional Court of Frankfurt am Main clarified that individuals affected by the unlawful use and disclosure of personal data through so-called “data scraping” may be entitled to compensation for non-material damages. The decision sheds light on key issues of European data protection law and its practical implications, particularly in the context of extensive social networks. This paper discusses the ruling, its background, and its resulting significance for companies, platform operators, and affected individuals.
Background of the proceedings: Massive scale of data extraction
The judgment of the OLG Frankfurt deals with the unauthorized use of personal information from over 500 million Facebook users, whose contact details were automatically extracted by so-called scrapers and subsequently published on the Internet. The plaintiff argued that his mobile phone number was collected and made accessible using automated procedures without his consent. In the court’s opinion, this practice violates the provisions of the General Data Protection Regulation (GDPR).
Technical and legal dimensions of data scraping
Scraping employs technical tools to automatically extract publicly accessible information from web services. Such activities often target large platforms like Facebook, which store a vast amount of sensitive data. Since, in particular, contact information can unintentionally become accessible through a combination of certain settings, there is a significant risk of misuse for the individuals concerned.
Key considerations of the OLG Frankfurt
Interpretation of the term non-material damage
At the heart of the decision is the interpretation of non-material damage under Art. 82 GDPR. The court made it clear that even the unlawful publication of personal contact data can give rise to a claim for damages. Unlike physical or material damage, an objective impairment of the legal right is sufficient for non-material damage – for example, through loss of control over one’s own data or the risk of future misuse.
The OLG Frankfurt emphasized that, to establish the claim, it is not necessary to prove consequences such as identity theft or spam messages. It is sufficient to establish that disclosure of the data has impaired interests in confidentiality, protection, and integrity.
Amount and reasoning for damages awarded
The amount awarded, 200 euros, may appear small relative to the number of those affected. However, the court explained that this sum reflects the specific extent of the impairment, especially in the case of isolated incidents without verifiable consequential damage. Moreover, it was emphasized that GDPR-compliant security measures and transparent settings by platform operators are essential to prevent such violations.
Responsibility of platform operators
The judgment underscores the high standards that data controllers must meet under the GDPR. Operators of large social networks are required to take appropriate technical and organizational measures to prevent unauthorized extraction and disclosure of user data. The mere absence of adequate safeguards may constitute a breach of data protection obligations and give rise to compensation claims by affected individuals.
Relevance for companies and individuals
For companies and institutional users of platforms, the OLG Frankfurt’s decision has far-reaching implications. On the one hand, it serves as a further reminder of their comprehensive obligations when processing personal data. On the other hand, the ruling shows that even a relatively minor infringement may trigger claims for damages—a factor that, especially in cases of mass incidents, can quickly lead to significant financial sums.
Those whose data is affected are also shown by the judgment that data protection violations do not have to remain without consequence and that courts can indeed award affected individuals measurable compensation.
Classification and significance for future proceedings
The decision by the OLG Frankfurt aligns with current case law on the GDPR, in which courts increasingly sanction violations of data protection obligations even in the absence of substantial individual harm. Nevertheless, the appropriate amount of non-material damages remains a case-by-case decision, dependent on the scope and severity of the infringement. It can be expected that this jurisprudence, especially regarding future class actions, collective proceedings, and data protection breaches, will become increasingly important.
Further perspectives
Companies and private individuals alike are required, in light of these developments, to familiarize themselves with the current rules, legal opinions, and technical requirements for the protection of personal data. The dynamic nature of technological innovation and the ongoing evolution of digital communication platforms make continuous monitoring of developments in data protection law indispensable.
Should further questions arise from this subject or similar circumstances, it is advisable to carefully examine the current legal situation and respective courses of action. The lawyers at MTR Legal, with many years of experience, are available to assist with individual questions regarding the protection of personal data, damage claims, and compliance requirements.
