Facebook – Court Ruling (Germany, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A German court ruled that Facebook users affected by a data breach couldn't claim damages. The breach linked phone numbers to profiles, but the court found it didn't cause serious harm. This decision highlights the challenges users face in proving harm from data breaches.
What happened
Facebook users' phone numbers were linked to their profiles in a data breach, but the court denied damages claims.
Who was affected
Facebook users whose phone numbers were linked to their profiles by third parties.
What the authority found
The court decided that the data breach did not cause serious harm to the user, so no damages were awarded.
Why this matters
This case shows that proving harm from data breaches can be difficult, even when personal information is exposed. Businesses should ensure strong privacy settings to prevent similar issues.
GDPR Articles Cited
The data subject was a Facebook user. While using the service, the data subject provided various personal information, including their city of residence and “relationship status” (both publicly visible on their Facebook profile) and their phone number (not immediately visible on the platform). However, under the privacy settings selected at the time of the facts, the phone number could be used by a third person to find the data subject’s profile on Facebook. Accordingly, anyone in possession of the phone number could link it to information relating to the data subject.
In 2021, unknown “third parties” automatically combined telephone numbers and matched them with Facebook profiles by means of the above-mentioned function. In this way, telephone numbers could be assigned to identified users. This resulted in a data breach concerning 533 million people in 106 different countries.
The data subject complained that since then they had received anonymous calls and a huge amount of spam, which had negative psychological consequences for them. The data subject therefore asked for €1,000 in non-material damages under Article 82 GDPR.
The controller replied that data scraping - which is not hacking - does not entail a violation of the GDPR by the controller, as no mandatory security measures were circumvented. In Facebook’s view, third parties merely had access to publicly available information.
The court rejected the request for damages under Article 82 GDPR. Under this provision, any data subject has the right to receive compensation for material or non-material damage whenever their rights under the GDPR have been infringed by a controller or processor. In assessing the oral declarations of the data subject, the court held that the data breach, although annoying, did not seriously harm the data subject. In fact, the data subject was only concerned about the possibility that their data could be misused in the future. According to the court,
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Violations (2)
The cookie banner or cookie policy provides vague, incomplete, or unclear information about what cookies are used and why.
Art. 12, 13 GDPR
The cookie banner uses misleading language to trick or pressure users into accepting cookies (dark patterns).
Art. 7 GDPR
Related Cases (0)
No other cases found for Facebook in DE
This is the only recorded case for this entity in this jurisdiction.
Cite as: Cookie Fines. Facebook - Germany (2023). Retrieved from cookiefines.eu