German Court: ‘Victims of Facebook data breach are entitled to financial compensation’
The German Federal Court of Justice ruled that local Facebook users that were affected by Facebook’s massive data breach in 2021, are eligible for financial compensation.
Back in April 2021, hackers published personal information from approximately 533 million Facebook users on the dark web.
The attackers managed to exfiltrate full names, home addresses, dates of birth, gender, phone numbers, email addresses, relationship statuses, texts from users’ bios, Facebook IDs, and dates that accounts were created. All thanks to the help of scraping software.
Ireland’s data protection authority (DPA) imposed a fine of € 265 million on Meta for this incident.
A group of German Facebook users filed a lawsuit against the social media platform, claiming that the company failed to implement adequate safety measures, leading to distress and loss of control over their personal information.
The district court partially upheld the lawsuit and awarded the plaintiffs a compensation of € 250.
Meta appealed the decision successfully. The Higher Regional Court dismissed the lawsuit as a whole, claiming the mere loss of control over their personal information was neither sufficient to assume immaterial damage, nor plausible they suffered emotional distress due to the breach.
The Bundesgerichtshof overturned the Higher Regional Court’s ruling. Germany’s Federal Court of Justice argued that the mere and short-term loss of control over personal information as a result of a violation of the General Data Protection Regulation (GDPR) can be considered as immaterial damage. Therefore, plaintiffs are entitled to financial compensation.
The Court ruled that € 100 would be a fair amount per victim, as there was no evidence of financial loss.
Meta’s attorney Martin Mekat told Der Spiegel that there was no data breach as Facebook’s systems had not been hacked. A Meta spokesperson told the German news outlet that the Federal Court of Justice’s assessment of liability and damages is “not compatible with the recent case law of the Court of Justice of the European Union”.
Max Schrems, Chairman of Austrian privacy group Noyb, on the other hand is happy with the ruling of the Bundesgerichtshof.
“Despite clear provisions in the GDPR and several CJEU rulings, German courts have regularly refused damages in data protection cases. We are pleased that the BGH has now put its foot down and brought German case law into line,” he says in a statement.
Even though the Federal Court of Justice specifically deals with a data breach on Facebook, Noyb believes that the statements in the ruling can be applied to other scenarios in which data subjects are unlawfully deprived of control over their privacy.
Your email address will not be published. Required fields are marked