Court case 28 O 138/22 – Court Ruling (Germany, 2023)

The data subject was a Facebook user. According to the privacy settings selected at the moment of the facts, their phone number could be used by a third person to find the data subject’s profile on Facebook, even if the phone number itself was not public. Accordingly, information relating to the data subject could be linked to their phone number by anyone in possession of such a number. In 2019, unknown “third parties” automatically combined telephone numbers and matched them with Facebook profiles thanks to the above-mentioned function. In this way, telephone numbers could be assigned to identified users. This resulted in a data breach concerning 533 million people in 106 different countries. The data subject lamented that since the data breach they received phishing emails and calls. In light of the loss of control over their personal data, the data subject claimed damages for €1,000 under Article 82 GDPR. The court rejected the data subject’s claim. The court referred to the CJEU judgement in case C-300/21, stressing that a mere infringement of the GDPR cannot give rise to damages in itself. At the same time, the court acknowledged that no minimum threshold as a requirement of the right to compensation was admissible under EU law. The court also held that mere annoyance or emotional discomfort could not be used as a basis to substantiate the existence of a damage. In the present case, the data subject was not able to prove more than such a mere annoyance. In particular, further distress originating from the alleged phishing emails and calls could not be causally linked to the data breach. Therefore, the court concluded that the case fell within the category of mere GDPR infringement that could not be compensated as such, as European law does not accept the idea of “punitive damages”.