Court case 10 O 126/22 – Court Ruling (Germany, 2023)

Court Ruling
DPA LGDuisburg
14 June 2023
Germany
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

A German court ruled that Facebook did not break privacy laws when a 2019 data breach exposed user phone numbers. The court said users agreed to Facebook's privacy settings, which allowed their numbers to be visible. This decision means users need to be aware of their privacy settings and adjust them if needed.

What happened

Facebook's default settings allowed user phone numbers to be publicly linked to profiles, and this linkage was exposed in a 2019 data breach.

Who was affected

533 million Facebook users whose phone numbers were linked to their profiles and exposed.

What the authority found

The court found Facebook did not violate GDPR because users consented to the privacy settings, and the settings were transparent.

Why this matters

This ruling highlights the importance of users actively managing their privacy settings on social media platforms. It also underscores that courts may hold users responsible for their chosen settings if they have been clearly informed.

GDPR Articles Cited

Art. 82 GDPR
Decision Authority: LG Duisburg

Full Legal Summary

The data subject used the service provided by Facebook, the controller. The controller's service allowed users to select whether they wanted information, among others their phone number, to be publicly visible. If this function was set to be visible to everyone, then the phone number could be linked with the person's profile, and the profile could be found by anyone in possession of the phone number. This function was the default setting.

As a consequence of a data breach in 2019, unauthorised third parties could link phone numbers and profiles because of the above-mentioned function. 533 million Facebook users were affected. Consequently, the data subject claimed non-material damages in court pursuant to Article 82 GDPR. They alleged a series of unsolicited calls and phishing emails following the breach.

The court rejected the data subject's claim. The court held that the controller did not breach the GDPR because the processing was lawfully based on consent. The data subject voluntarily agreed to the privacy policy when registering. According to the court, the privacy policy was also presented in a transparent manner in accordance with Article 5(1)(a) GDPR.

Moreover, the obligations under Article 25(2) GDPR, according to which the protection of personal data has to be ensured by design and by default, were also not infringed because the controller's service explicitly gave the data subject the option to customize the settings in privacy-friendly terms. Furthermore, the controller did not infringe its confidentiality obligation under Article 5(1)(f) GDPR, as the data subject did not change the above-mentioned function after the data breach occurred.

An infringement of Articles 33 and 34 GDPR was also excluded by the court because, legally speaking, there was no data breach to begin with. Not only did the data subject willingly make their personal data public, but they also did not change the settings after the scraping event, as stated above. Thus, the controller was obliged

Outcome

Court Ruling

A ruling by a national court on a data-protection matter.


Details

Ruling Date

14 June 2023

Authority

DPA LGDuisburg

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Court case 10 O 126/22 - Germany (2023). Retrieved from cookiefines.eu
