Court case 15 O 74/22 – Court Ruling (Germany, 2023)
A German court ruled that Facebook's privacy settings allowed users' phone numbers to be used to find their profiles, leading to a major data breach affecting 533 million people. This ruling emphasizes the need for companies like Facebook to prioritize user privacy and security.
What happened
A Facebook user claimed damages after their phone number was linked to their profile due to Facebook's privacy settings, resulting in a data breach.
Who was affected
The affected individuals were Facebook users whose phone numbers were exposed and linked to their profiles.
What the authority found
The court found that Facebook's default privacy settings violated principles of privacy by design and default, allowing unauthorized access to personal data.
Why this matters
This ruling highlights the responsibility of tech companies to ensure user privacy and security. Website operators should review their privacy settings to prevent similar issues.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
The data subject was a Facebook user. According to the privacy settings selected at the time of the events, their phone number could be used by a third person to find the data subject’s profile on Facebook, even if the phone number itself was not public. Accordingly, information relating to the data subject could be linked to their phone number by anyone in possession of that number. In 2019, unknown “third parties” automatically combined telephone numbers and matched them with Facebook profiles using the above-mentioned function. In this way, telephone numbers could be assigned to identified users. This resulted in a data breach concerning 533 million people in 106 different countries.
According to the data subject, Facebook violated the principles of “privacy by design” and “privacy by default”. They complained that the settings just described were Facebook's default settings and could be changed only through a complex procedure. These default settings, together with the total lack of security measures by Facebook, made data scraping possible. The data subject complained that since the data breach they had received phishing emails and calls. In light of the loss of control over their personal data, the data subject claimed damages of €1,000 under Article 82 GDPR.
Facebook replied that it was up to the data subject to change their privacy settings. Moreover, and despite Facebook’s subsequent attempts to prevent and mitigate risks, no measure could entirely protect users from scraping.
The Regional Court of Lübeck (Landgericht Lübeck) upheld the data subject's claim for damages and granted €500 in compensation. According to the court, the processing was based neither on consent (Article 6(1)(a) GDPR), nor on contract (Article 6(1)(b) GDPR), nor on the legitimate interest of the controller (Article 6(1)(f) GDPR). With specific regard to consent, the court found that it was not informed within the meaning of Article 4(11) GDPR. Indeed, finding information about the
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Cite as: Cookie Fines. Court case 15 O 74/22 - Germany (2023). Retrieved from cookiefines.eu