Compensation for damages in the case of „scraping“

In its ruling of 18 November 2024, the Federal Court of Justice (BGH, Ref.: VI ZR 10/24) made a fundamental decision on compensation for data protection violations in the context of so-called „scraping“. The case concerned mass data access to Facebook user profiles, in which personal information such as telephone numbers, names and other data was automatically accessed by third parties and later published on the Internet. The plaintiff affected by this data access complained that the scraping had resulted in his personal data falling into the hands of unauthorised persons and asserted claims for damages, declaratory relief and injunctive relief, among other things, based on the General Data Protection Regulation (GDPR).

In this ruling, the Federal Court of Justice clarified in particular that intangible damage may already exist if a data subject loses control over their personal data, even if this data has not been misused or no specific material disadvantage has occurred. This means that even the „mere and temporary“ loss of control over one's own data, for example because it is collected and published through scraping, can justify a claim for damages under Article 82 GDPR. The protection of personal data is an independent legal interest, the violation of which is considered worthy of protection regardless of any specific consequences. The focus in the assessment of claims for damages is therefore more on the protection of informational self-determination than on classic material consequences. 

At the same time, the Federal Court of Justice addressed the issue of calculating damages and clarified that, in individual cases, damages must be determined in accordance with the provisions on estimating damages (Section 287 of the German Code of Civil Procedure) , taking into account the special function of Article 82 GDPR as a compensation and indemnification standard. In similar cases, courts have considered compensation in the order of approximately €100 to be appropriate if the loss of control is purely technical and has no further serious consequences.

This ruling has significant implications for platform operators, social networks and digital service providers. Operators must be aware that data protection violations can result not only in administrative fines, but also in a multitude of civil law claims for damages, even if the data concerned has not been misused. This applies in particular to cases in which third parties can automatically read data due to vulnerabilities in the platform or insufficiently secured interfaces. Operators should therefore review and, if necessary, improve their security and data protection measures in order to prevent scraping attacks or similar data access and thus reduce the risk of claims for damages. For affected users, the decision strengthens their rights: the Federal Court of Justice expressly recognises that the mere loss of control over personal data can constitute damage that must be compensated under European law.