Out-Law News

Mass claims risk rises from ‘dark web’ data breaches


Businesses in Germany face increased risks of mass claims being raised against them if personal data they are responsible for is made available for sale on the ‘dark web’, experts have said following a ruling by the country’s highest court.

Dr. Sandra Gröschel and Dr. Janett Bachmann of Pinsent Masons said, however, that the ruling by the Federal Court of Justice does not provide would-be claimants with automatic rights to compensation in cases where their data is exposed to the dark web. Rather, they said, the burden remains on those affected to prove that they have suffered a form of damage justifying financial redress – contrary to what some lawyers that act for claimants in mass claims have said.

Article 82(1) of the General Data Protection Regulation (GDPR) provides individuals who suffer material or non-material damage because of an infringement of the GDPR with the right to receive compensation from the controller or processor for the damage suffered.

The concept of ‘material’ damage refers to financial loss, while the meaning of ‘non-material damage’ has been interpreted broadly by the EU courts, including to encompass a person’s loss of control over their data, such as where they fear that their personal information could be misused.

The Federal Court of Justice’s ruling builds on the EU case law.

Among other things, it confirmed that, in some circumstances, organisations will remain responsible for personal data handled by third-party processors even after the contract under which the processing of that data takes place has ended.

In this regard, according to the court, the controller cannot merely rely on giving an instruction to the processor to delete the data they hold – they must obtain confirmation that the data has been deleted. In the case before the Federal Court of Justice, an IT service provider retained copies of the data in a test environment. The data was subsequently made available for sale on the dark web, having either been hacked by cyber criminals or made available by someone who had relevant access rights.

However, while the court confirmed that fear of data misuse can constitute non-material damage, Gröschel said the ruling “gives organisations a practical roadmap rather than a reprimand”.

“Dark web exposure can make non-material damage more plausible, but not automatic,” Bachmann added. “The ruling clarifies that courts will look for evidence of reasonable measures and clear end‑of‑contract controls with processors; standards most firms are already striving to meet. The ruling tightens accountability without flipping the burden of proof. Those affected by dark web data breaches still must substantiate individual non-material damage and causation, while controllers must evidence the adequacy of their technical and organisational measures and end‑of‑contract deletion controls with processors.” 
