Court case 15 O 74/22 – Court Ruling (Germany, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A court ruled that Facebook did not handle user privacy settings properly, leading to a data breach affecting millions. The user claimed damages after receiving phishing attempts due to this breach, but the court dismissed the claim. This case emphasizes the need for businesses to prioritize user privacy and security to avoid similar issues.
What happened
A Facebook user claimed damages after a data breach exposed their information due to poor privacy settings.
Who was affected
The Facebook user whose personal information was compromised in the data breach.
What the authority found
The court rejected the user's claim for damages, stating that mere annoyance from the breach does not constitute a valid claim.
Why this matters
This ruling serves as a reminder for businesses to implement strong privacy measures and ensure user data is protected to avoid legal repercussions.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The data subject was a Facebook user. According to the privacy settings selected at the moment of the facts, their phone number could be used by a third person to find the data subject’s profile on Facebook, even if the phone number itself was not public. Accordingly, information relating to the data subject could be linked to their phone number by anyone in possession of such a number. In 2019, unknown “third parties” automatically combined telephone numbers and matched them with Facebook profiles thanks to the above-mentioned function. In this way, telephone numbers could be assigned to identified users. This resulted in a data breach concerning 533 million people in 106 different countries. According to the data subject, Facebook violated the principles of “privacy by design” and “privacy by default”. They lamented that the settings just described were Facebook default settings and they could be changed only through a complex procedure. These default settings, alongside wiht the total lack of security measures by Facebook, made data scraping possible. The data subject lamented that since the data breach they received phishing emails and calls. In light of the loss of control over their personal data, the data subject claimed damages for €1,000 under Article 82 GDPR. Facebook replied that it was up to the data subject to change their privacy settings. Moreover, and despite Facebook’s subsequent attempts to prevent and mitigate risks, no measure could entirely protect users from scraping. The Regional Court of Lübeck (Landgericht Lübeck) upheld the data subject claim for damages and granted €500 of compensation. According to the court, the processing was neither based on consent (Article 6(1)(a) GDPR), nor contract (Article 6(1)(b) GDPR), nor legitimate interest of the controller (Article 6(1)(f) GDPR). With specific regard to consent, the court found that it was not informed informed within the meaning of Article 4(11) GDPR. Indeed, finding information about the
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case 15 O 74/22 in DE
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case 15 O 74/22 - Germany (2023). Retrieved from cookiefines.eu
Last updated: