Why Meta Platforms' data collection is illegal
A first: under German law, Meta Platforms' harvesting of data on third-party websites is illegal. The legal cornerstones examined.
For the first time in Germany, Meta Platforms has been legally ordered to pay damages for harvesting personal data on third-party websites and apps using its Meta Business Tools and then processing it without effective consent. In four parallel decisions, the Higher Regional Court (OLG) of Dresden even excluded appeals to the Federal Court of Justice (BGH) because the matter was considered clear at the level of the higher regional courts. The Dresden court refers to the OLG Munich, which also ruled against Meta. Nevertheless, the views of the two OLGs are not identical.
The focus is on the loss of control that affected individuals suffer over their data. They do not know on which websites and apps what data is collected about them and passed on to Meta, and what Meta then does with it. The OLG Dresden (Ref. 4 U 292/25) speaks of an "unforeseeable multitude of personal data, including, depending on the individual case, health data or data on sexual orientation." The harvested information is used by the company for its own purposes, not least for tailoring advertising. Contrary to Meta's assertion, this is not a service in the interest of the affected parties.
Although personal data is hashed before being transferred to Meta, the hashing uses the same procedure that Meta uses internally. According to the OLG Dresden, the company can therefore assign the hashes "in most cases."
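Why hashing with a shared procedure does not prevent assignment, as an added example that is not from the article, the judgments or Meta's code: SHA-256, the e-mail normalisation, all function names and the sample data are assumptions made for illustration. A recipient that hashes its own account list the same way can join incoming hashes against it, while a keyed hash whose key stays with the sending site cannot be joined.

```python
import hashlib
import hmac

def normalize(email: str) -> str:
    # Both sides must normalise identically for hashes to line up (assumed rule).
    return email.strip().lower()

def plain_hash(email: str) -> str:
    # Unkeyed, deterministic hash: anyone who knows the input can recompute it.
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()

def keyed_hash(email: str, key: bytes) -> str:
    # HMAC with a key held only by the sending site; the recipient cannot recompute it.
    return hmac.new(key, normalize(email).encode("utf-8"), hashlib.sha256).hexdigest()

# Constructed sample data: the recipient's own accounts and a site's visitors.
RECIPIENT_ACCOUNTS = ["alice@example.org", "bob@example.org"]
SITE_VISITORS = [
    (" Alice@Example.org ", "/pharmacy/checkout"),
    ("carol@example.org", "/news"),
    ("bob@example.org", "/travel"),
]

def recipient_index() -> dict:
    # The recipient pre-computes hash -> account using the same procedure.
    return {plain_hash(a): a for a in RECIPIENT_ACCOUNTS}

def site_events(hash_fn) -> list:
    # What the embedding site transmits: a hashed identifier plus the page visited.
    return [{"id_hash": hash_fn(email), "page": page} for email, page in SITE_VISITORS]

def match_events(events: list, index: dict) -> list:
    # Join on the hash: every hit re-identifies the visitor as a known account.
    return [(index[e["id_hash"]], e["page"]) for e in events if e["id_hash"] in index]

def demo():
    index = recipient_index()
    shared = match_events(site_events(plain_hash), index)
    site_key = b"constructed-site-only-secret"
    keyed = match_events(site_events(lambda e: keyed_hash(e, site_key)), index)
    return shared, keyed

if __name__ == "__main__":
    shared, keyed = demo()
    print("shared procedure:", shared)
    print("site-keyed hash: ", keyed)
```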
Loss of Control
The loss of control over one's own data constitutes grounds for damages under Art. 82 of the General Data Protection Regulation – as Meta has neither obtained effective consent from the affected parties nor can it rely on other grounds of justification. The OLG senates 4 in Dresden and 14 in Munich (Ref. 14 U 1068/25e) agree on this.
And it gets even worse for Meta: even without proven data collection, Meta is threatened with liability for damages according to the OLG Dresden, namely if the plaintiff can show that they reasonably fear that their data is being collected on independent websites and misused by Meta, and that this justified fear has had negative consequences. A purely hypothetical risk, or fear without negative consequences, is therefore not sufficient.
Damages Vary
As these are non-material damages, the specific amount is difficult to quantify. The award is not intended to have a punitive or deterrent function. The Regional Court of Leipzig awarded 5,000 euros to a "typical" affected person in July, without investigating specific circumstances. The OLG Dresden limits the amount to 1,500 euros and notes that it would have awarded more had a "psychological impairment" been demonstrated.
The OLG Munich, on the other hand, awards only half as much in the judgment available to heise online, even pointing out that it is a special case. The plaintiff is "unusually sensitive due to her health problems, and her problems were 'fueled' by the incident in question." Furthermore, sensitive data, namely the plaintiff's health, was affected. Thus, the Munich Senate 14 would probably have awarded lower damages to a healthy affected person.
It remains to be seen where German courts will settle. So far, it appears that impairments beyond the average case will result in higher damages, provided this is demonstrated in the proceedings. Minors can probably expect higher amounts than adults.
Injunction
Both OLGs order Meta to cease data collection. While this only applies to the respective plaintiffs, it could hit Meta harder than damage payments in a few tens of thousands of cases. Meta generates approximately one billion US dollars per week from tailored advertising in Europe. This can cover some three- or four-digit damage payments.
However, both OLGs threaten fines of up to 250,000 euros per violation of the injunction. At the same time, the Dresden court holds that not only the use of data by Meta, but already its transmission to Meta and its comparison with internal information, such as checking whether the observed person has a Meta account, constitutes data processing according to Art. 4 No. 2 GDPR. Meta must therefore revise its business tools itself to prevent data of successful plaintiffs from flowing to Meta at all. How this is to be done efficiently is not apparent. Meta's business model stands or falls with this.
Legally, both OLGs base the claim for an injunction not directly on the GDPR, but on German personality rights. This is good news for Meta, as the German judgments can thus be less easily applied to other states in the European Economic Area. Specifically, the OLG Dresden cites "§ 823 para. 1 BGB with Art. 2 para. 1 Art. 1 para. 2 GG; § 823 para. 2 BGB with Art. 6 GDPR, each with § 1004 para. 1 sentence 2 BGB analogously," while the Munich court approaches it more simply with "corresponding application of §§ 1004 para. 1 sentence 2, 823 para. 1 BGB."
In addition, the Munich judges consider that the contract concluded between Meta and the plaintiff for her Meta account also establishes the duty to cease and desist: "By unlawfully processing data, (Meta) has violated a (main or ancillary) duty of the user contract, and (Meta) continues to do so – as far as can be seen –." However, the Bavarian judges qualify that Meta is not prohibited from processing any of the plaintiff's personal data for all time. On the one hand, the woman could consent at some point, and on the other hand, there are certain data processing activities that are permissible under GDPR even without consent. Just because Meta has not presented such processing activities in the current proceedings does not mean that it could not succeed in doing so one day.