- Mastercard does not have to pay damages to the customer who was affected by a data theft in 2019. That was the decision of the Karlsruhe Regional Court, which dismissed the lawsuit.
- The ruling is an indication for those affected by the data leak at Scalable Capital, who are also suing for damages.
- Data privacy advocates from legal tech firm EuGD are nevertheless optimistic, as a ruling by the Federal Constitutional Court removes an important hurdle to data privacy lawsuits.
This is an automated machine translation of an article published by Business Insider in a different language. Machine translations can generate errors or inaccuracies; we will continue the work to improve these translations. You can find the original version here.
In late August 2019, lists of names, account numbers, email addresses, and in some cases addresses and phone numbers surfaced on an online forum. At issue was a data breach at Mastercard: the personal information of more than 90,000 customers of its "Priceless Specials" rewards program was circulating online. The company blamed a third-party partner, and affected customers turned to data protection authorities. As in the Scalable Capital case from October, which was reported on, those affected also demanded compensation.
More than 2,000 affected Mastercard customers contacted the European Data Protection Association (EuGD), which examined their claims for damages. In proceedings at the Karlsruhe Regional Court, the verdict was now announced on February 9: Mastercard does not have to pay damages. The court dismissed the claim because it was a case of "minor damage". EuGD data protection experts are dismayed by the court's ruling: "Either we protect this area or we don't," says EuGD founder Thomas Bindl. The consumer protection intended by the General Data Protection Regulation (GDPR) is meaningless if the courts do not recognize it, he said.
The case could be an indication of the success of lawsuits filed by customers of investment management advisor Scalable Capital, who were victims of data theft in October.
The court deemed the leaked data "not compromising"
In the case of the Mastercard lawsuit, a Mastercard customer from Karlsruhe learned on August 22, 2019, that his personal data had been leaked online. As a customer of the "Priceless Specials" bonus program, he entered not only his personal data on a Mastercard platform but also his purchases, which were then supposed to earn him rewards. Because many other users also had their purchase histories hacked, the plaintiff assumed that this was also the case with him and accused Mastercard of using insecure encryption of the data. He demanded damages of 5,000 euros.
Now, however, the Karlsruhe Regional Court has rejected the claim and ruled that Mastercard does not have to pay compensation for pain and suffering. In the data leak, the plaintiff suffered "trivial damage"; moreover, not every violation of the GDPR leads to an obligation to pay compensation, the court said. "The fact that the plaintiff frequently uses his credit card for small amounts at gas stations, eats at fast-food restaurants and shops (partly in France) at discounters is so commonplace and innocuous that it is a minor loss overall," the district court's ruling reads. Even if this information circulates on the Internet, it does not involve compromising content, according to the district court.
From the EUGD's point of view, this ruling is incomprehensible. "This argumentation of the court fundamentally undermines the protection of personal data," says Thomas Bindl. From the point of view of the data protectionists, the damage was already done the moment the data was irrevocably leaked. Courts have yet to develop an understanding of this.
For those affected by the Scalable Capital leak, there is still hope
The case from Karlsruhe also shows how difficult it is to make the damage caused by misuse of data tangible. Are 5,000 euros too much to ask for the fact that a company's negligence causes customers to lose control over their personal data?
Bindl says there is still little basis for quantifying the damage, because a flight delay, for example, has a different financial impact than the risk of identity fraud following data theft.
EuGD, where more than 800 people affected by the data theft at Scalable Capital are also having their claims for damages examined, is optimistic despite the defeat in Karlsruhe. This is because a decision by the Federal Constitutional Court (BVfG) in January removed an important hurdle for future proceedings. The BVfG ruled that no de minimis limit for infringements emerges from the GDPR alone, Bindl explains. "This means that now the European Court of Justice will have to decide whether such lawsuits may be dismissed on the grounds of de minimis," says EuGD's founder. For Scalable customers, this means that courts may no longer be able to dismiss their lawsuits on the grounds of small claims.
In addition, those affected by the Scalable data theft are a particularly valuable target group from a data quality perspective, Bindl says. "Customers of the advisor are higher-income individuals," says Thomas Bindl. "It's easy to build profiles with the information circulating on the Internet about these individuals."
As we reported in December, the first claim from a Scalable Capital customer has already been received. The CFI most recently estimated a realistic damages claim amount would be between 3,000 and 5,000 euros.
from Business Insider https://ift.tt/3s6QigB
No comments:
Post a Comment