Frankfurt am Main Regional Court – No damages despite data protection violation

In its September 18, 2020 judgement (Case 2-27 O 100/20), Frankfurt am Main Regional Court addresses various claims asserted by a consumer against Mastercard. A data incident had occurred in the context of a bonus program for German customers that was operated by a service provider. Unidentified criminals made data collected from some 90,000 bonus program participants publicly accessible on the Internet.

Assessment of the incident by the district court of Frankfurt am Main

In its judgement, Frankfurt am Main Regional Court rejected both the plaintiff’s omission claims and claims for damages. Despite unlawful use, the Regional Court did not see any risk of repetition when it considered the asserted omission claim. The focus must be on the fact that the interference resulted from a unique situation caused by the criminal and unforeseeable behavior of an external or internal third party. After becoming aware of the incident, the defendant had taken extensive steps which would rule out renewed violation of this kind.

Frankfurt am Main Regional Court also rejected the plaintiff’s asserted claims for damages. As a claimant, the plaintiff would initially be burdened with offering evidence for the violation of data protection regulations. In addition, any possible infringement of obligations under the GDPR would have to be causal for the data incident and the damage incurred by the data subject. With respect to the violations asserted by the plaintiff, it was not possible to establish any such causality in the case at issue. Finally, it would have to be taken into account that not every data breach in the form of not (fully) legally compliant data processing would automatically constitute compensable damage. Rather, the infringement must have led to a specific violation of the data subject’s personal rights. Punitive damages are contrary to the German legal system. Frankfurt am Main Regional Court thus continues to hold the view already confirmed by other courts (cf. article “No claim for damages under the GDPR in cases of individually perceived inconveniences or non-material trivial damage”).

What should companies be aware of regarding claims for damages in data protection incidents?

In detail, Frankfurt am Main Regional Court listed the following key items for companies affected by hacker attacks as a consequence of which claims for damages are asserted:

1. The data was not published on the Internet by the defendant, but by an unknown third party and therefore the unauthorized publication of the data should not be considered as an infringement by the defendant.
2. Since it remained unclear what caused the data leak, it was not possible to establish causality of the possible infringement for the data incident and thus the plaintiff’s damage. It would remain speculative whether the incident could have been prevented by other security measures.
3. The GDPR only requires appropriate security measure taking into account the state of the art. There would be no claim to having a specific measure taken, so that the failure to take a certain measure could not justify compensation for damages.
4. Similarly, the failure to conclude contracts of joint responsibility does not give rise to claims for damages by the data subjects. It would not be evident what the data subject’s damage should be if contracts were not concluded.

Legal protection of companies against hacker attacks

It is welcome news that the September 18, 2020 judgement of Frankfurt am Main Regional Court strengthens the position of companies affected by hacker attacks. This affirms yet again that claimants need to provide burden of proof and present the basis of the claim and that not every violation of data protection regulations automatically leads to damage to data subjects. If companies fall victim to hacker attacks despite appropriate and state-of-the-art security measures, claims for injunction and damages must be examined for their justification. In general, these claims will not be justified. Companies that have fallen victim to cyberattacks are therefore well advised to obtain professional legal advice prior to simply meeting claims by data subjects.