Meta Scraping: Munich Court Strengthens User Rights in "Loss of Control" Cases

The Munich Higher Regional Court ruled against Meta, emphasizing platform liability for security flaws exploited in mass data scraping.


The automated mass collection of publicly accessible information (scraping) has occupied the judiciary for years. With a final ruling published at the end of September (Ref. 36 U 1368/24 e), the Higher Regional Court (OLG) of Munich has sent a clear signal to operators of social networks. The core issue is the protection of data that is theoretically viewable but becomes the target of mass collection due to inadequate default settings. The OLG awarded damages to an affected party and corrected a significant procedural hurdle in favor of users.

The case dates back to 2019. At that time, it became known that approximately 533 million data records worldwide had been scraped via a contact import function on Facebook and later published on the darknet.

The plaintiff was also affected: his phone number, which he did not want to share publicly, was linked to his profile. The reason: the default searchability option was set to "all." This allowed third parties to identify profiles by matching lists of phone numbers through automated queries.

The Munich Regional Court had initially dismissed the lawsuit. However, the OLG, as the higher court, clearly places the responsibility on the platform operator. According to the court, Facebook violated the principle of data minimization and the obligation to provide data protection-friendly default settings. The fact that users theoretically had the option to manually adjust their privacy settings does not absolve the "master of technology" of responsibility.

A default setting that allows worldwide searchability of a phone number is simply not necessary for the actual contractual purpose – connecting people. The court also criticized the lack of technical hurdles such as CAPTCHAs or effective IP checks, which could have made mass scraping more difficult.
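The two measures the court names here, a data protection-friendly default and a technical hurdle against bulk queries, can be sketched for a contact import function as follows. This is an added example, not code from Meta or from the ruling; the class, setting names, thresholds and phone numbers are constructed assumptions.

```python
import time
from collections import defaultdict, deque
from dataclasses import dataclass

# All names, thresholds and records here are constructed for illustration.
DEFAULT_SEARCHABILITY = "nobody"   # privacy by default: phone lookup is opt-in
MAX_LOOKUPS = 200                  # distinct numbers per client per window
WINDOW_SECONDS = 3600

@dataclass
class Profile:
    user_id: str
    phone: str
    searchable_by: str = DEFAULT_SEARCHABILITY  # "nobody" | "friends" | "everyone"
    friends: frozenset = frozenset()

class ContactImport:
    def __init__(self, profiles, clock=time.time):
        self.by_phone = {p.phone: p for p in profiles}
        self.clock = clock
        self.history = defaultdict(deque)  # client key -> (timestamp, phone)

    def _visible(self, profile, requester_id):
        if profile.searchable_by == "everyone":
            return True
        return profile.searchable_by == "friends" and requester_id in profile.friends

    def _within_budget(self, client_key, phones):
        now = self.clock()
        seen = self.history[client_key]
        while seen and now - seen[0][0] > WINDOW_SECONDS:
            seen.popleft()                 # forget lookups outside the window
        distinct = {ph for _, ph in seen} | set(phones)
        if len(distinct) > MAX_LOOKUPS:
            return False                   # looks like list matching, not an address book
        seen.extend((now, ph) for ph in set(phones))
        return True

    def match(self, requester_id, client_key, phones):
        """Return (status, user_ids). Unknown and hidden numbers look identical."""
        if not self._within_budget(client_key, phones):
            return "throttled", []         # hand off to CAPTCHA or review
        hits = [self.by_phone[ph].user_id for ph in phones
                if ph in self.by_phone
                and self._visible(self.by_phone[ph], requester_id)]
        return "ok", hits
```

A profile that never touched its settings stays unmatched, and a client that submits more distinct numbers than a plausible address book holds is stopped before any lookup runs.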

The ruling has particular legal relevance regarding the question of when an incident can be dated. Since the General Data Protection Regulation (GDPR) has only been in effect since May 2018, corporations often argue that the critical data outflows began before this cutoff date and thus fall into a legal gray area.

The OLG puts a stop to this tactic: it ruled that Facebook bears a so-called secondary burden of proof. Since only the operator has insight into the internal technical processes and log files, it must provide detailed proof of exactly when the scraping took place. If this proof is not provided, the applicability of the strict GDPR rules is assumed in favor of the user.

In assessing damages, the OLG followed the current line of the European Court of Justice and, in essence, also that of the Federal Court of Justice. According to this, the mere loss of control over personal data constitutes non-material damage. The fact that the information appeared on the darknet permanently manifests this loss. The appellate court awarded the plaintiff 200 euros. This seemingly manageable sum can quickly take on threatening proportions for Meta in the event of a wave of lawsuits, given the millions of affected individuals.


According to IT lawyer Jens Ferner, the ruling underscores a paradigm shift occurring in case law: platforms are liable not only for active errors but also for structural design weaknesses of their systems. The decision makes it clear that the GDPR is not a toothless tiger but an effective instrument of individual legal protection. For companies, this means that data protection-friendly default settings ("Privacy by Default") are not merely a recommendation but a legal necessity.

(wpl)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.