Mastercard data leak before the BGH

Under what conditions do companies have to compensate their customers if personal data is stolen by hackers? Germany's highest civil court is now to provide clarity.

The credit card provider Mastercard was the victim of a hacker attack in 2019. A lot of customer data from a bonus program was openly available on the Internet.

“There are things that you can’t buy. There is Mastercard for everything else.” With this slogan, the American payment service provider promoted the use of its credit card among German customers and also courted their trust. If you use Mastercard to process payments, the advertising suggests, you don’t really have to worry about anything. However, the company lost the trust of more than 90,000 users of its “Priceless Specials” bonus program in Germany after a data breach almost two years ago.

In the summer of 2019, personal data of Mastercard customers, such as addresses, account numbers, telephone numbers and email addresses, was circulating on the Internet. But the company didn’t want to take responsibility. Mastercard put the blame for the data breach on its third-party partners, particularly banks. The consumer advice centers advised customers to report suspicious payments to their financial institutions; this was the only way to prevent customers from being left to bear possible fraud losses.

Thousands of those affected went one step further. They sued Mastercard for damages because of the data protection leak. In doing so, they refer to Article 82 of the GDPR, the General Data Protection Regulation, which provides for “reasonable compensation for pain and suffering” in the event of culpable violations. In court proceedings, which are often accompanied by legal service providers such as the European Society for Data Protection (EuGD), Rightnow or Kleinfee, plaintiffs face two problems. Mastercard is extremely reluctant to disclose contracts with third-party partners, lawyers report. As a rule, consumers do not have access to this internal information.

There is no clear line in case law

In addition, there is no clear line in the courts. For many civil judges, the GDPR is a completely new field. Some dismissals say that anyone who wants to obtain damages from Mastercard that go beyond the “exposure” of their data on the Internet has to give a good reason. The German civil justice system is still uneasy with a claim for damages after a data leak.

The Federal Court of Justice (BGH) is now to provide clarity. As the FAZ learned in advance, the highest German civil court has to deal with the matter for the first time. An affected Mastercard customer appealed against a decision of the Stuttgart Higher Regional Court (OLG) from the end of March (Az.: 9 U 34/21). The Stuttgart Senate denied the woman compensation. But the OLG wanted to have the outstanding questions for pending GDPR damages claims clarified by the highest court, in particular with regard to the reversal of the burden of proof.

“According to the will of the European legislator, such claims for damages play a central role in achieving the goal of effective data protection in the EU, in addition to the fines threatened by the GDPR and in some cases also set in the millions,” says Thomas Bindl from the legal services provider EuGD, who accompanied the proceedings in Stuttgart. In the present case, such an infringement is taken for granted. We are confident about the appeal in Karlsruhe, emphasized Bindl. The attorney for the Mastercard customer, Daniel Raimer, puts the fundamental clarification of decision-relevant questions in the foreground. It is urgently needed, also with regard to other current cases of data theft, explained Raimer.

Effect of the appeal on other proceedings

In any case, the legal service provider EuGD, through whose portal around 2,000 injured parties are said to be asserting claims against Mastercard, expects the appeal to send a signal. Other courts could now suspend proceedings and wait for an announcement from the BGH. Only a few weeks ago, another court based in Karlsruhe provided support for lawsuits following data protection violations.

With a decision, the Federal Constitutional Court made it clear that German courts may not reject GDPR claims for damages solely because they only concern minor issues. If the BGH now approves a reversal of the burden of proof in favor of those affected by data leaks, this will facilitate the lawsuits against companies. This is likely to increase the number of GDPR proceedings significantly.