On 27 August 2025, the Munich I Regional Court issued an interesting decision on a claim for damages under Art. 82 GDPR (Ref. 33 O 635/25; see here).
The court dismissed the claim brought by a user of a US social media platform, among other reasons, because the plaintiff had acted inconsistently (Sec. 242 of the German Civil Code).
The plaintiff, who had used the platform from within the EU, argued that his personal data had been unlawfully transferred to the US (see para. 43 et seq.).
In the court’s view, a person who knowingly uses a provider’s communication service despite being aware of an alleged legal violation, and then claims damages from that same provider precisely for offering the service, is acting in bad faith.
Background
Pursuant to Art. 82(1) GDPR, any person who has suffered material or non-material damage as a result of an infringement of the GDPR shall receive compensation from the controller or processor for the damage suffered. An infringement of the GDPR and, in consequence, a right to compensation may arise if the data processing is unlawful (in this case: if the transfer of personal data from the EU to the US does not comply with the requirements for international data transfers under Art. 44 et seq. GDPR).
In the judgment of 16 July 2020, Schrems II (C‑311/18), the ECJ declared the EU-US Privacy Shield invalid. Until the EU-US Data Privacy Framework came into force on 11 July 2023, data could therefore no longer be transferred to the US on the basis of Art. 45(1) GDPR.
In the plaintiff's opinion, data transfers from a European subsidiary to the US parent company during this period (2020 to 2023) were therefore unlawful; due to the US authorities’ ability to access the transferred data, the plaintiff suffered a significant loss of control and thus damage within the meaning of Art. 82 GDPR.
Key Findings
1. Lawfulness of Data Transfers to Third Countries under Standard Contractual Clauses
A data transfer to a third country may still be lawful without an adequacy decision within the meaning of Art. 45 GDPR if standard contractual clauses have been concluded between the controller or processor and the recipient, and if effective legal remedies are available (Art. 46(1), (2)(c) GDPR).
2. No Right to Data Processing Only in Europe
Social networks that are ‘globally designed’ (see para. 41) technically require the international exchange of personal data. Users of such platforms are well aware of this fact. There is also no claim against the provider of such a network to operate the service as a ‘purely European platform’:
‘The business decision [...] to offer a global network [...] and to process data in the United States must be accepted by users who voluntarily choose to use it.’
3. No Compensation for Contradictory User Behaviour
In the court’s view, anyone who consciously uses a globally operating US social media platform cannot claim compensation on the abovementioned grounds, as it is common knowledge that data is transferred to the US and that US intelligence services may be able to access this data under certain circumstances. Such conduct violates the principle of good faith.
Outlook
The decision of the Munich I Regional Court is to be welcomed.
With this ruling, the court has taken a clear stance against the wave of ‘largely template-based’ mass claims for damages under Art. 82 GDPR, in which actual impairment is often doubtful and users/plaintiffs act inconsistently – for example, by continuing to use a comparable service from the same provider while claiming serious impairment.
'/%3e%3c/svg%3e){kind=small}
'/%3e%3c/svg%3e){kind=small}
