On November 18, 2024, the German Federal Court of Justice (BGH) ruled on a case related to the 2021 Facebook data scraping incident, where personal data of 533 million users was exposed. The plaintiff claimed Facebook’s weak security measures caused a loss of control over their data and sought compensation under Article 82(1) GDPR.

Initially, the Regional Court of Bonn awarded €250 in damages to the plaintiff. However, the Higher Regional Court of Cologne overturned the decision, dismissing the case due to insufficient proof of harm. Upon appeal, the BGH partially reversed the Cologne court’s decision, stating that even a temporary loss of control over personal data constitutes immaterial damage under GDPR, without requiring proof of emotional distress or misuse of the data.

The court emphasized that Facebook’s default privacy setting, which allowed profiles to be searchable by phone numbers, likely breached GDPR principles of data minimization and data protection by design and default. The BGH instructed the appellate court to reassess the case, examining whether the plaintiff had been adequately informed about the default settings and whether valid consent was given for the data processing.

The BGH also provided guidance on assessing non-material damages under GDPR, suggesting that €100 could be a reasonable amount for cases involving loss of data control without further harm. However, higher compensation could be justified if psychological or other impacts are demonstrated.

The case was sent back to the Higher Regional Court of Cologne for further proceedings in line with these findings.

See the decision in german here.

Find all resources from this episode at: https://conformally.com/privacy-navigator
Learn more about Conformally at https://conformally.com