The German Federal Court of Justice (Bundesgerichtshof, BGH) has issued a decision on claims arising from a significant Facebook data scraping incident in April 2021, which exposed the personal information of approximately 533 million users globally. The ruling clarifies the interpretation of damages under the EU's General Data Protection Regulation (GDPR).
The incident occurred when unidentified parties exploited Facebook’s contact import tool to link users’ public profile data, such as names and workplaces, with phone numbers generated from randomized inputs. This “scraping” method leveraged Facebook’s default settings, which made user profiles searchable by phone number. The exposed data included the plaintiff's name, gender, workplace, and user ID, all linked to their phone number.
The plaintiff argued that Facebook failed to implement adequate safeguards to prevent such exploitation and sought compensation for non-material damages, a declaratory judgment for future damages, and an injunction against further use of their phone number.
History of legal proceedings
Initially, the Lower Court in Bonn awarded the plaintiff €250 for damages under Article 82(1) GDPR, dismissing the broader claims. The Appeals Court in Köln rejected all claims, ruling that a “mere loss of control” over personal data did not meet the threshold for immaterial damages unless specific psychological harm or tangible misuse was demonstrated.
The plaintiff appealed to the BGH, seeking a broader interpretation of GDPR provisions on damages.
The BGH partially overturned the appellate court's decision. The court’s ruling can be summarized in the following main points.
- The court emphasized that under GDPR Article 82(1), even a temporary loss of control over personal data constitutes an immaterial harm warranting compensation, regardless of evidence of misuse or additional adverse effects. The court suggested €100 as a reasonable baseline for compensating such harm.
- The court upheld the plaintiff's right to seek protection against future material and immaterial damages, citing the realistic possibility of future harm from the exposed data. It also confirmed the validity of the injunction to prevent Facebook from using the plaintiff’s phone number without consent.
- The BGH remanded aspects of the case for re-evaluation, instructing the appellate court to consider whether Facebook’s default settings violated GDPR’s data minimization principle and whether users had provided valid consent for the settings.
Implications
The decision strengthens the interpretation of GDPR protections, confirming that individuals can claim compensation for data breaches without proving direct misuse or psychological harm. This sets a precedent that underscores the importance of robust data protection measures for technology platforms.
The decision by the German Federal Court of Justice (BGH) suggests that individuals affected by the 2021 Facebook scraping incident could potentially claim compensation for immaterial damages under GDPR Article 82(1).
However, not everyone automatically qualifies for the €100 baseline figure cited in the ruling. To receive compensation, affected users would likely need to demonstrate that their data was part of the breach, and that the exposed data caused a “loss of control” over personal information, as defined by the GDPR. This could include situations where users had no prior knowledge or consent for their data being accessible in the manner it was exploited.
The ruling could be leveraged by a law office in Germany to form a class action and reach a settlement with Facebook, so the potential implications of the court's decision are no doubt significant.
Hackers Exploit Misconfigured Servers for Illegal Sports Streaming
Leave a Reply