BGH obliges Facebook to pay damages for data theft

In a ruling issued today against Facebook, the Federal Court of Justice has set the hurdles for claims for damages under Art. 82 GDPR very low. Contrary to Facebook's opinion, "even the mere and short-term loss of control over one's own personal data as a result of a breach of the GDPR can constitute non-material damage within the meaning of the standard".

The data subject does not have to prove that their data has been misused. Evidence of fear and concern about misuse is also not required. In April 2021, unknown persons exploited a friend search function in the social network and automatically accessed profile data ("scraping"). In doing so, they were able to capture data from around 533 million users from 106 countries, which they distributed publicly on the internet.

Claims for damages filed against Facebook by users have so far been largely unsuccessful in court. One issue in the proceedings is whether Facebook's default settings for the contact import function violate the GDPR. Plaintiffs had criticized that the security measures were too lax. Due to the annoyance they suffered and the loss of control over their data, they also want compensation for so-called immaterial damages.

Facebook parent company Meta rejects such claims because there was neither a breach of the GDPR nor did the plaintiffs suffer any damage directly resulting from the incident. A Meta spokeswoman emphasized that more than 6,000 lawsuits had been dismissed by the German courts because the plaintiffs "have no legitimate claims for liability or damages".

Leading decision

In the specific case, the customer ID, first and last name, place of work and gender of a Facebook user had been "scraped". In his lawsuit at Bonn District Court, he claimed that Facebook had not taken sufficient security measures to prevent the contact tool from being exploited. He was entitled to compensation for the annoyance he had suffered and the loss of control over his data. While his claim was partially successful at first instance, he was unsuccessful at second instance at the Cologne Higher Regional Court (OLG).

The Federal Court of Justice (BGH) designated the subsequent appeal as a so-called "leading decision procedure". The court has had this option since the Leading Decisions Act came into force on October 31: In cases involving fundamental legal issues, a leading decision by the BGH is intended to serve as a guideline for lower courts in similar cases. The Federal Court of Justice rules in leading decision proceedings even if litigants withdraw their applications for appeal for tactical reasons. Today's decision is therefore likely to have a major impact on thousands of pending proceedings on the same facts.

100 euros for loss of control

The BGH has now referred the specific case back to the Higher Regional Court of Cologne for a new hearing and decision and has given the court clear instructions: According to the BGH, Facebook's default searchability setting of "all" did not comply with the GDPR principle of data minimization. Furthermore, "the Court of Appeal had to additionally examine the question of the plaintiff's effective consent to data processing by the defendant".

The BGH also gave the Higher Regional Court of Cologne and probably all other German civil courts clear guidance on the assessment of non-material damages under Art. 82 para. 1 GDPR: "Under the circumstances of the dispute, there are no legal objections to assessing the compensation for the mere loss of control in the order of 100 euros." This statement is likely to disappoint many users who have demanded compensation of 1000 euros or more from Facebook.

(hob)