Victims of the extensive data theft at Facebook can now assert claims for damages with comparatively minimal requirements. It is sufficient to prove that they were affected by the incident. It is neither necessary to prove the misuse of the data nor do those affected have to prove that they were particularly adversely affected by the incident.

The Federal Court of Justice (BGH) has made use of the new option of leading decision proceedings for the first time. This supreme court decision is now of great significance for thousands of similar cases at regional and higher regional courts in Germany. However, the presiding judge of the sixth civil senate, Stephan Seiters, emphasized that the damages awarded for a mere loss of control could not be excessive. Seiters cited an amount of 100 euros as an example. The lower court, the Higher Regional Court (OLG) of Cologne, had rejected the claim for damages. This decision was overturned by the BGH, and the case was remanded to the Higher Regional Court of Cologne for further clarification. The Higher Regional Court must now further investigate the facts of the case, which had previously been omitted due to the blanket rejection of claims.

Personal data of 533 million users surfaced on the Internet

In April 2021, data from approximately 533 million Facebook users from 106 countries was published online. The perpetrators had accessed the data via the "Find Friends" function by entering random phone numbers and accessing users' personal information if matches were found. The published connection data includes first and last names, country, gender, phone number, and, in some cases, employer.

Following the incident, numerous lawsuits were filed, most of which have so far been unsuccessful in state and higher regional courts. Facebook's parent company, Meta, consistently defended itself by claiming the lawsuits were unfounded. After last week's hearing, the company's lawyers emphasized that the incident did not constitute a data breach and that Facebook's systems had not been hacked.

Der Beitrag BGH stärkt Schadensersatzansprüche nach Facebook-Datendiebstahl erschien zuerst auf R&U.

Those affected by data theft on Facebook could hope for compensation. In an initial assessment, the Federal Court of Justice (BGH) indicated that the mere loss of control over one's own data could be sufficient for a claim. However, it must be proven that this loss actually occurred, not any immaterial damages such as fear or worry, explained Stephan Seiters, presiding judge of the Sixth Civil Senate in Karlsruhe. The final ruling of the Federal Court of Justice is still pending, however, and will be important for many future proceedings before German courts.

The background to this case is a 2021 data protection incident in which unknown perpetrators publicly published the data of approximately 533 million Facebook users from 106 countries online. This data was obtained by exploiting a friend search function on the platform. The Federal Court of Justice stated that the perpetrators benefited from Facebook's ability to search for users' profiles based on phone numbers—even if these were not publicly visible. The "scrapers" generated random phone numbers and found matches. This linked user ID, name, gender, country, and phone number, among other things.

Those affected accuse Facebook of having taken inadequate security measures. Due to the loss of control over their data and the resulting distress, they are demanding compensation, including for non-pecuniary damages. So far, the lawsuits before the regional and higher regional courts have largely been unsuccessful, but a final decision by the Supreme Court is still pending.

First leading decision of the Federal Court of Justice

In order to process the large number of individual lawsuits more efficiently, the Federal Court of Justice (BGH) designated the appeal procedure in the so-called scraping case as the first leading decision procedure – even though the appeal had since been withdrawn. This option was only introduced on the same day through a new provision in Section 552b of the Code of Civil Procedure.

With this case from North Rhine-Westphalia, the Sixth Civil Senate seeks to clarify fundamental legal questions, including whether the default setting of "all" for the so-called contact import function violates the General Data Protection Regulation. Other issues include whether the mere loss of control over scraped data constitutes non-material damage, how this damage should be assessed, and how a claim for damages would need to be substantiated accordingly (Case No. VI ZR 10/24).

Judge Stephan Seiters explained that in this specific case, the plaintiff stated that he had only deliberately shared his phone number. After the theft, the man felt, among other things, severe discomfort and developed a growing distrust of emails and text messages.

Based on a preliminary assessment, the Senate is also considering a user-friendly interpretation with regard to possible future damages. After all, the incident violated the rights to informational self-determination and the protection of personal data, according to Seiters.

The Bonn Regional Court partially upheld the claim in the first instance and awarded the plaintiff €250. However, the Cologne Higher Regional Court dismissed the claim in the second instance.

Meta: Complaints are baseless and unfounded

Christian Rohnke, a lawyer for Facebook's parent company Meta, warned against lowering the burden of proof for plaintiffs too much. In his view, the mere loss of control over one's own data is not sufficient to claim damages. "If anything, non-material damage could consist of harassing calls," he explained. In this case, however, it would have to be proven that the number of calls had increased.

According to Rohnke, the plaintiffs would also have to provide evidence that they were anxious or worried about the incident—for example, by changing their phone number. However, the plaintiff failed to do so. "If he had genuine concerns, it would have been obvious to change his number," Rohnke said.

Meta considers the lawsuits to be unfounded. Attorney Martin Mekat of the law firm Freshfields, which represents Meta, emphasized after the hearing that no Facebook systems were hacked in this incident and therefore did not constitute a data protection violation. He pointed out that Meta has already won over 6,000 similar lawsuits in German courts.

The Karlsruhe judges are now deliberating based on the oral hearing and will announce the verdict at a later date. The exact date for the verdict has not yet been set.

Der Beitrag Facebook-Datendiebstahl: BGH über mögliche Schadenersatzansprüche durch Kontrollverlust erschien zuerst auf R&U.