OLG Oldenburg rejects claims for damages in connection with the Facebook data breach
The Higher Regional Court (OLG) Oldenburg has dismissed claims for damages by users against the platform Facebook, represented by Meta Platforms Ireland Limited, in several parallel appeal proceedings (judgments dated 25.04.2024, case numbers 13 U 59/23, 13 U 79/23, and 13 U 60/23). The court thereby clarified that the alleged data protection violations resulting from the well-known ‘Facebook data breach’ do not automatically entitle affected individuals to financial compensation pursuant to Article 82 GDPR.
Background: Scope and consequences of the data breach
In April 2021, it became public that a large amount of personal data of Facebook users – including names, telephone numbers, and other profile data – had been accessible on the internet without consent. According to those affected, the disclosure resulted from a technical interface (‘Contact Importer’) through which attackers could automatically collect data.
Central legal issues in the proceedings
Standard of review applied by the court
The plaintiffs primarily based their claims for damages on Article 82 of the General Data Protection Regulation (GDPR), according to which data controllers can be required to compensate for damages incurred as a result of data protection violations. In the appeal proceedings, the OLG Oldenburg has now clearly specified the requirements for proving non-material damage that goes beyond mere annoyance or inconvenience.
Requirement of a measurable non-material damage
The court emphasized that the plaintiffs concerned had not sufficiently demonstrated how they had suffered a concrete and individual non-material damage. It is not enough to refer in general terms to a feeling of discomfort about the disclosure of personal data. Rather, a substantial, personal impairment must be plausibly and comprehensibly substantiated. The mere abstract possibility of misuse, such as ‘telephone spam’ or phishing, is not sufficient.
No ‘automatic’ entitlement to compensation for non-material damages
The OLG did not follow the view that every data protection violation necessarily triggers a non-material damage within the meaning of Article 82 GDPR. It emphasized the principle under European law that a mere violation of data protection provisions does not in itself give rise to a claim for compensation – rather, an individual demonstration of an actual damage suffered is required.
Significance of the decision for future proceedings
The decisions of the OLG Oldenburg illustrate the high requirements that must be met to substantiate claims for compensation of non-material damages in cases of data protection violations. According to the Senate, mere intrusion into private spheres or the vague possibility of potential harassment is not sufficient to enforce claims for damages.
In this way, OLG Oldenburg aligns itself with a growing body of case law that demands case-specific and substantive pleadings. The decision provides greater legal certainty regarding compensation for non-material damages due to data protection violations, both for platform operators and affected parties.
Practical considerations and outlook
The cases now decided underscore the increasing importance of procedural aspects when asserting mass GDPR compensation claims. In particular, it remains open how the European Court of Justice will further define the threshold for claims for damages in current preliminary ruling proceedings (e.g., C-340/21). Until there is a final clarification at the European level, further divergences in the case law of the member states are to be expected.
Conclusion
The judgment of the OLG Oldenburg confirms that, following a data protection violation, affected persons must present concrete and individualized explanations of actual non-material damages incurred. Mere concerns about the disclosure of personal data or a general possibility of misuse are not sufficient. Whether this might fundamentally change after a decision by the ECJ remains to be seen.
Companies, private individuals, and investors regularly face complex questions concerning the protection of personal data and the defense or assertion of related claims. Further legal aspects may be relevant when assessing and classifying such data protection incidents. In these matters, the lawyers at MTR Legal are happy to assist you.
