Facebook – Court Ruling (Germany, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A German court ruled that Facebook did not protect user data properly, allowing unauthorized third parties to scrape personal information. This matters because it highlights the need for companies to secure user data against such attacks. Facebook's failure to use better security measures put users' information at risk.
What happened
Facebook allowed unauthorized third parties to scrape personal information from its platform due to inadequate security measures.
Who was affected
Facebook users whose personal data was exposed through unauthorized data scraping.
What the authority found
The court found that Facebook failed to adequately protect user data, which could lead to unauthorized access and misuse.
Why this matters
This case emphasizes the importance of strong data protection measures for companies. It serves as a warning that failing to secure user data can lead to serious consequences.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
The parties were in dispute over claims for damages, injunctive relief and information in relation to the use of the social media platform Facebook operated by Facebook (now: Meta) and a data scraping incident. The data subject is a Facebook user. Facebook operates a social media platform and is the data controller.
Among other features, Facebook provides its users with the ability to import contacts from their address book, called the Contact Import Tool. The purpose of the tool is to allow users to import contacts and thus find friends on Facebook's social media platform. The Contact Import Tool has been abused by unauthorised third parties to harvest contact information from Facebook users. By enumerating batches of possible phone numbers, it was possible to manipulate the tool to return personal information about Facebook users. The data queries were automated. This made it possible to extract large amounts of data from Facebook's user database. Unauthorised third parties were able to match the phone numbers on Facebook with certain publicly available data to further identify specific individuals.
At an unknown time, presumably between January 2018 and September 2019, third parties read personal data (specifically name, gender and user ID) from Facebook's database and were able to associate specific phone numbers with each record. At the beginning of April 2021, the data sets obtained in this way were made available for download on the Internet in a well-known "hacker forum", including the data set of the data subject.
The data subject is of the opinion that he is entitled to non-material damages under Article 82(1) GDPR, because Facebook made the plaintiff's personal data available to unauthorised third parties. In particular, Facebook did not adequately protect personal data from web-scraping attacks, for example by using "security captchas" to make it more difficult for software to make automated queries. The data subject further argued that Facebook failed to co
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
About this data
Cite as: Cookie Fines. Facebook - Germany (2023). Retrieved from cookiefines.eu