Maucher Jenkins successfully represented the German web hosting company ZAP-Hosting GmbH & Co. KG against a claim for damages due to an alleged data protection breach before the District Court of Münster. This is one of the first decisions issued after the ECJ's landmark ruling of 04.05.2023 on the interpretation of Art. 82 GDPR (ECJ - Case C-300/21).

Following an external hacker attack, a user of ZAP Hosting had sued the company for damages in the amount of 4,500 euros as well as reimbursement of pre-court legal fees. The user based his (immaterial) claim for damages on an alleged loss of control over his data and a resulting malaise.

The court dismissed the claim in its entirety. In this regard, the decision contains valuable information regarding the interpretation and implementation of the ECJ ruling by the German courts of instance. It is true that the ECJ had found that it was not necessary to reach a materiality threshold with regard to the damage suffered. However, as the district court rightly stated, this does not mean that a plaintiff does not have to present and, in case of doubt, prove (immaterial) damage. This is also in line with the findings of the ECJ in the aforementioned decision.

In the absence of evidence of damage, the court did not have to address the question of whether an external hacker attack can give rise to such a claim for damages on the merits if the appropriate state-of-the-art protective measures are observed.

The judgment is now legally binding. The proceedings were conducted by attorney Dr. Michael Nielen.

This decision sends an important sign to companies that have to deal with data leaks, especially when these are caused by external hacker attacks. Prior to the ECJ ruling, German courts in comparable proceedings sometimes used only the feared "loss of control" as sufficient justification for immaterial damage. In line with the ECJ ruling, this decision now rightly puts a stop to such an approach. This is an important sign, particularly in view of the forthcoming adoption of the Consumer Rights Enforcement Act (VDuG), as the government draft provides for the possibility of mass actions being brought by consumer associations in the event of an alleged data privacy infringement, and companies are likely to find themselves all the more exposed to such lawsuits if this draft is implemented.

Originally published 06 September 2023.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.