Court case 13 O 126/22 – Court Ruling (Germany, 2023)

Court Ruling
DPA: LG Bonn
Date: 7 June 2023
Country: Germany
Status: final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

A German court ruled that Facebook's settings allowed phone numbers to be matched with user profiles, leading to a data breach affecting 533 million people. The court found Facebook didn't protect user data properly, but no specific damages were awarded to the user who sued. This case highlights the risks of not securing personal data and the potential for identity theft.

What happened

Facebook's privacy settings allowed phone numbers to be matched with user profiles, leading to a massive data breach.

Who was affected

Facebook users whose phone numbers were linked to their profiles without their consent.

What the authority found

The court decided Facebook failed to protect user data, violating GDPR's integrity and confidentiality rules.

Why this matters

This ruling underscores the importance of designing privacy settings that prevent unauthorized data access. Companies should ensure their systems are secure by default to avoid similar breaches.

GDPR Articles Cited

Art. 82 GDPR
Decision Authority: LG Bonn

Full Legal Summary (detailed)

The data subject was a Facebook user. Under the privacy settings selected at the time of the facts, their phone number could be used by a third person to find the data subject's profile on Facebook, even though the phone number itself was not public. Accordingly, information relating to the data subject could be linked to their phone number by anyone in possession of that number. In 2019, unknown "third parties" automatically generated telephone numbers and matched them with Facebook profiles using the above-mentioned function. In this way, telephone numbers could be assigned to identified users. This resulted in a data breach concerning 533 million people in 106 different countries. The data subject complained that since the data breach they had received phishing emails and calls. In light of the loss of control over their personal data, the data subject claimed €1,000 in damages under Article 82 GDPR. According to the court, the controller contravened its obligation to guarantee the integrity and confidentiality of data pursuant to Article 5(1)(f) GDPR and violated the principle of privacy by default and by design (Article 24 GDPR). The controller was aware of the risks that web scraping entails and still did not adopt appropriate security measures pursuant to Article 32 GDPR, such as removing the matching function described above. Concerning the existence of non-material damages pursuant to Article 82 GDPR, the court found that combining telephone numbers with other personal data potentially exposes users to several risks, including identity theft and targeted criminal activities. Therefore, an "abstract damage" could be compensated in the present case. On the contrary, no concrete negative consequence was actually proved by the data subject. In particular, the alleged phishing emails and calls could not be causally linked to the data breach, as other causal explanations were possible. In light of the above and considering that the data subject suffered

Outcome

Court Ruling

A ruling by a national court on a data-protection matter.

Related Cases (0)

No other cases found for Court case 13 O 126/22 in DE

This is the only recorded case for this entity in this jurisdiction.

Details

Ruling Date

7 June 2023

Authority

DPA LG Bonn

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Court case 13 O 126/22 - Germany (2023). Retrieved from cookiefines.eu
