Facebook Inc. – Court Ruling (Germany, 2023)

Court Ruling
DPA: OLG Hamm | 15 August 2023 | Germany
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

A German court ruled that Facebook's linking of phone numbers to user profiles violated privacy rules. This decision is important because it shows that companies must protect users' personal information and cannot misuse it. It also highlights the need for stronger privacy protections for users.

What happened

Facebook linked users' phone numbers to their profiles without proper safeguards.

Who was affected

Facebook users whose phone numbers were linked to their profiles, affecting 533 million people worldwide.

What the authority found

The court found that Facebook did not have a valid legal basis for processing personal data, violating GDPR requirements.

Why this matters

This ruling emphasizes that tech companies can be held accountable for how they handle personal data. Businesses should ensure they have strong privacy measures in place to avoid similar issues.

GDPR Articles Cited

Art. 82 GDPR
Decision Authority: OLG Hamm
Full Legal Summary
Detailed

The data subject was a Facebook user. Under the privacy settings selected at the time of the events, a third person could use the data subject's phone number to find their Facebook profile, even if the phone number itself was not public. Accordingly, anyone in possession of the number could link it to information relating to the data subject.

In 2021, unknown "third parties" automatically combined telephone numbers and matched them with Facebook profiles using this function. In this way, telephone numbers could be assigned to identified users. This resulted in a data breach concerning 533 million people in 106 different countries. The data subject complained that since the data breach they had received phishing emails and calls. In light of the loss of control over their personal data, the data subject claimed damages under Article 82 GDPR.

The court of first instance rejected the data subject's claim. The data subject appealed the decision before the Higher Regional Court of Hamm (Oberlandesgericht Hamm – OLG Hamm). The court upheld the first instance judgment.

The court clarified that a claim under Article 82 GDPR requires three elements: the violation of a GDPR provision, actual damage affecting the data subject, and a causal link between the violation and the damage.

Concerning the first element, the court pointed out as a preliminary matter that the burden of proving the non-existence of a violation is on the controller. This conclusion can be drawn from Article 5(2) GDPR, which obliges the controller to prove compliance with the GDPR. The court also ruled out that the controller could rely on any valid legal basis for the processing. The linking function provided by Facebook was neither necessary for the performance of the contract (Article 6(1)(b) GDPR), nor could it be based on the legitimate interest of the controller (Article 6(1)(f) GDPR). Conse

Outcome

Court Ruling

A ruling by a national court on a data-protection matter.

Details

Ruling Date: 15 August 2023

Authority: DPA OLG Hamm

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Facebook Inc. - Germany (2023). Retrieved from cookiefines.eu
