Higher Regional Court: Facebook must set privacy-friendly default settings

The Frankfurt Higher Regional Court orders Facebook parent company Meta to pay 200 euros in damages after a scraping incident, citing among other things a loss of control.


Operators of online platforms are obliged to make default settings in such a way that users' personal data is not made accessible to the public or otherwise to an undefined group of recipients without further ado. This was decided by the Higher Regional Court (OLG) of Frankfurt am Main in a recently published ruling against the Facebook parent company Meta. The judges based their decision on the principle of data minimization, which is enshrined in the General Data Protection Regulation (GDPR).

Meta had violated this requirement, as users could only achieve the privacy protection to which they were entitled on Facebook by individually changing the default settings, according to the Hessian court portal's note on the decision of 8 April (case no. 6 U 79/23). The decision is to be published shortly. Meta must therefore pay the plaintiff 200 euros in damages. As in similar cases, – demanded 1000 euros from –. In April 2023, the Wiesbaden Regional Court had originally rejected this in its entirety. However, the court of appeal now recognized that, in addition to the general loss of control associated with the data protection breach, the plaintiff had to fear that third parties would misuse her data published on the darknet.

The 6th Civil Senate of the Higher Regional Court therefore also considers it predominantly likely that the plaintiff suffered "corresponding psychological impairment" due to these concerns. This justified the amount of compensation awarded. The Federal Court of Justice (BGH) had previously assessed the damages in a leading decision on the incidents at Facebook "for the mere loss of control in the order of 100 euros".


Tens of thousands of Facebook users around the world have sued Meta over data scraping. This controversial technique is used to automatically read and process publicly visible data en masse from websites or via open interfaces (APIs). As soon as personal information is involved, this is prohibited under the GDPR without the explicit consent of the data subject. Many of the lawsuits, as at the BGH and now at the Higher Regional Court of Frankfurt, concern the fact that a total of around 533 million data records with personal information of Facebook members from 106 countries appeared online in 2021.

Unknown individuals had previously taken advantage of the fact that Facebook made it possible, depending on the searchability settings of the respective user, to locate a profile using that user's telephone number. Using automated tools, they uploaded telephone numbers on a large scale via the operator's contact import function, merged them with the publicly accessible information linked to a user account and then accessed this data. The Irish data protection authority DPC imposed a fine of €265 million on Meta in 2022 as a result of the incident.

According to the Higher Regional Court, Meta must refrain from making the plaintiff's personal data accessible to unauthorized third parties such as scrapers via import software due to a default setting set by the operating company. The users had a contractually protected interest in the lawful processing of their data.

(nie)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.