Nuremberg Higher Regional Court, press release from October 16, 2024 on the judgment 10 O 5225/23 of the Nuremberg-Fürth Regional Court from May 15, 2024 (rkr)
The Nuremberg-Fürth regional court has dismissed a customer’s claim for damages against a music streaming service following a data protection incident. The user affected by unauthorized access to their data is not entitled to any claims against the streaming service due to a violation of the General Data Protection Regulation (GDPR). Data access by third parties can lead to a claim for damages from the person concerned against the platform operator. In the specific case, however, the judges were convinced that it could not be determined that the alleged damage was causally based on a violation of data protection regulations.
The defendant operates a music streaming service in Europe. In the past, unknown third parties had unauthorizedly stolen the personal data of the defendant’s users and initially offered the data sets for sale on the darknet and later made them freely available for everyone to download.
In his lawsuit, the plaintiff affected by the data access asserted the payment of compensation of at least 1,000 euros as well as other claims as compensation for an alleged data protection violation. As a result of the incident, he suffered a loss of control over his personal data and was very concerned about the possible risk of misuse. He has also been receiving spam messages to his email address since the incident. There was a dispute between the parties as to whether the defendant had taken sufficient technical and organizational measures to prevent data access.
In a ruling dated May 15, 2024, the regional court dismissed the lawsuit because the plaintiff was unable to prove a causal connection between the alleged data protection violation and damage. The court stated that the defendant was only liable for damage caused by unlawful data processing. An unauthorized disclosure of personal data by third parties alone is not sufficient to conclude that the defendant has violated data protection. In the present case, the plaintiff did not sufficiently state that the subsequent data access was precisely due to inadequate protective measures taken by the defendant. The plaintiff cannot rely on presumption in this context. With regard to the spam emails, the judges were also unable to determine any causal damage. It is possible that the plaintiff passed on his personal data elsewhere or that it was accessed elsewhere. In its decision, the court was therefore able to leave open whether the defendant was attributable to violating the General Data Protection Regulation or not.
The plaintiff appealed to the Nuremberg Higher Regional Court against the dismissal ruling of the Nuremberg-Fürth Regional Court of May 15, 2024. When the Higher Regional Court pointed out that the appeal was unsuccessful, the plaintiff withdrew his appeal. The judgment of the Nuremberg-Fürth Regional Court is therefore legally binding.
The Nuremberg-Fürth Regional Court has so far received 102 similar cases in the first instance. All proceedings that have already been decided by judgment, more than half (as of today), ended with the lawsuit being dismissed. Some of the cases are still in the appeal stage.
(Resolution 14 U 1227/24 of the Nuremberg Higher Regional Court of September 19, 2024)
Note on the legal situation
The relevant regulation of the General Data Protection Regulation (GDPR) is:
Article 82 Liability and right to compensation
(1) Any person who has suffered material or immaterial damage as a result of a violation of this regulation is entitled to compensation for damages from the controller or the processor.
(2) Any controller involved in processing shall be liable for damage caused by processing that does not comply with this Regulation. A processor shall only be liable for damage caused by processing if it has failed to comply with its obligations under this Regulation specifically imposed on processors or has acted in breach of or contrary to the instructions lawfully given by the data controller.
(3) The controller or processor shall be released from liability pursuant to paragraph 2 if he proves that he is in no way responsible for the circumstances that gave rise to the damage
(…)
Source: Bavarian State Ministry of Justice, Nuremberg Higher Regional Court