In privacy litigation, particularly in mass actions related to data scraping, plaintiffs often face the challenge of proving that they were actually affected by the alleged scraping or data breach. The burden of proof lies with the plaintiffs to substantiate this fact. Some plaintiffs have been trying to prove this for some time using a screenshot of the website www.haveibeenpwned.com (“HIBP”). Upon entering an email address, HIBP indicates in how many breaches the individual’s data was allegedly found.
However, the Regional Court of Lübeck (Case No. 15 O 214/23) recently ruled that such a screenshot does not suffice as conclusive evidence that the information displayed on this website is accurate, or that the plaintiff was indeed affected by a data breach or scraping incident. This is partly because it is unclear on what basis the operator of HIBP determines the involvement of individual users. The result displayed on the website merely reflects what the plaintiff claims. It does not serve as evidence that the plaintiff was, in fact, affected by the data breach or scraping beyond this mere assertion.
Furthermore, the Regional Court of Lübeck noted that the purpose and function of HIBP are not to provide legally sound evidence of a user’s involvement in a data breach when they enter their email address on the site.
Takeaway:
The decision of the Regional Court of Lübeck is in line with previous case law on HIBP. It highlights the critical and often challenging nature of evidentiary issues in privacy litigation. As the Regional Court of Lübeck states, the site is recommended for users to find out for themselves whether their data is still “secure”. In order to bring a court case, however, plaintiffs need further evidence.