Skip to content

You are here:

Data abuse fears – Claims for damages after scraping?

The General Data Protection Regulation (GDPR) brought a lot of uncertainties in its wake, but above all the promise of greater data security, too. Many consumers have grown very accustomed to this as regards the use of personal data. In the event of data abuse the victims are entitled to compensation. Yet, despite the necessary caution and justified scepticism, are fears about data abuse already sufficient in order to be able to assert such a claim? This was a question that the Gießen regional court had to answer.

Data collection by means of scraping

In the course of registering online in the internet, a man had entered his first and last names, his date of birth and his sex. Providing a mobile phone number was admittedly not mandatory, nevertheless, the man had also entered this. Subsequently, third parties had used automated processes to collect a wide variety of public information available on the company’s platform (so-called ‘scraping’). Thereafter, these scrapers added the telephone number linked to the account of the user concerned to the publicly available information taken from his profile. In April 2021, the scraped data records of more than 500m users as well as the telephone numbers linked to these data records were made freely available for downloading. 

Automated bulk queries as a security vulnerability?

The man’s profile information that was always publicly available was also among these data records along with the telephone number that was linked to his account. The man now claimed that the company had taken absolutely no security measures to prevent his data being acquired. The fact that an automated bulk query had been possible constituted a security vulnerability. He had sustained a considerable loss of control over his data and felt extremely anxious and worried because he feared that the data would be abused. He ultimately claimed compensation for non-material damages in the amount of €1,000.

Compensation only if damages set out in concrete terms

However, the outcome was that the Gießen regional court dismissed the claim with it its ruling of 3.11.2022 (case reference: 5 O 195/22). In the opinion of the court, a mere infringement of GDPR requirements is not sufficient grounds for being able to demand compensation already. Rather, it is necessary to demonstrate that specific damages have been incurred. Although, in doing so, the damage that has been suffered would not need to be considerable – even minor damage would be eligible for compensation.

Back to top of page