Welcome to Reed Smith's viewpoints — timely commentary from our lawyers on topics relevant to your business and wider industry. Browse to see the latest news and subscribe to receive updates on topics that matter to you, directly to your mailbox.

Litigation Lunchbreak - Regional Court of Lübeck: www.haveibeenpwned.com is not sufficient evidence

In privacy litigation, particularly in mass actions related to data scraping, plaintiffs often face the challenge of proving that they were actually affected by the alleged scraping or data breach. The burden of proof lies with the plaintiffs to substantiate this fact. For some time, some plaintiffs have been trying to prove this using a screenshot of the website www.haveibeenpwned.com (“HIBP”). Upon entering an email address, HIBP indicates in how many breaches the individual’s data was allegedly found.

However, the Regional Court of Lübeck (Case No. 15 O 214/23) recently ruled that such a screenshot does not suffice as conclusive evidence that the information displayed on this website is accurate, or that the plaintiff was indeed affected by a data breach or scraping incident. This is partly because it is unclear on what basis the operator of HIBP determines the involvement of individual users. The result displayed on the website merely reflects what the plaintiff claims. It does not serve as evidence that the plaintiff was, in fact, affected by the data breach or scraping beyond this mere assertion.

Furthermore, the Regional Court of Lübeck noted that the purpose and function of HIBP are not to provide legally sound evidence of a user’s involvement in a data breach when they enter their email address on the site.

Takeaway:

The decision of the Regional Court of Lübeck is in line with previous case law on HIBP. It highlights the critical and often challenging nature of evidentiary issues in privacy litigation. As the Regional Court of Lübeck states, the site is recommended for users to find out for themselves whether their data is still “secure”. In order to bring a court case, however, plaintiffs need further evidence.
