Facebook/Meta – Court Ruling (Germany, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A German court ruled against a Facebook user who sought damages after their data was exposed in a scraping incident. This case matters because it shows that companies can be held responsible for data breaches, but users must also take care with their privacy settings. Website operators should ensure they have strong security measures in place.
What happened
A user sued Facebook after their data was exposed online due to a scraping incident involving phone numbers.
Who was affected
The user whose data was exposed and who sought damages was directly affected by this ruling.
What the authority found
The court dismissed the user's claim for damages, indicating that Facebook had not failed to protect the user's data adequately.
Why this matters
This ruling highlights the need for users to manage their privacy settings carefully. It also underscores the importance of robust security measures for companies to prevent data breaches.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
The data subject is a user of Facebook (the controller). In April 2021, data of approx. 533 million Facebook users were made public on the internet. An unknown third party had used the possibility of finding user accounts through the users’ phone numbers for scraping Facebook by trying out randomly generated phone numbers. Through this method, they were able to obtain user profiles with matching phone numbers. The data subject in this case was also among the people affected by this scraping incident; his user ID, first and last name, workplace, and gender were included in the data set and were therefore linked to his phone number. Notably, while the data subject had set his phone number to be visible only to himself, he had left the searchability setting at the default "Everyone," allowing others to find his profile via his phone number. The data subject claimed that the controller did not take appropriate measures to avoid the exploitation of the contact tool that allowed users to be found through their phone numbers. He sued the controller for damages and sought a declaratory judgment to acknowledge his future right to compensation. This declaratory judgment concerning damages is standard in German law due to statutory limitations that would otherwise prevent a person from bringing claims after a period of three years (such as for long-term consequences of a car accident). After the data subject was granted €250 in non-material damages by the Regional Court of Bonn (Landgericht Bonn – LG Bonn), the controller appealed to the Higher Regional Court of Cologne (Oberlandesgericht Köln – OLG Köln), which then overrode LG Bonn’s decision and fully dismissed the action. The data subject, in return, appealed the case to the German Federal Court of Justice (Bundesgerichtshof – BGH). In its first decision under the [https://www.gesetze-im-internet.de/zpo/__552b.html new leading decision procedure], the Federal Court of Justice (Bundesgerichtshof, BGH) partially overruled
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Violations (1)
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
Related Cases (0)
No other cases found for Facebook/Meta in DE
This is the only recorded case for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
About this data
Cite as: Cookie Fines. Facebook/Meta - Germany (2024). Retrieved from cookiefines.eu
Last updated: