Facebook/Meta – Court Ruling (Germany, 2024)

The data subject is a user of Facebook (the controller). In April 2021, data of approx. 533 million Facebook users were made public on the internet. An unknown third party had used the possibility of finding user accounts through the users’ phone numbers for scraping Facebook by trying out randomly generated phone numbers. Through this method, they were able to obtain user profiles with matching phone numbers. The data subject in this case was also among the people affected by this scraping incident; his user ID, first and last name, workplace, and gender were included in the data set and were therefore linked to his phone number. Notably, while the data subject had set his phone number to be visible only to himself, he had left the searchability setting at the default "Everyone," allowing others to find his profile via his phone number. The data subject claimed that the controller did not take appropriate measures to avoid the exploitation of the contact tool that allowed users to be found through their phone numbers. He sued the controller for damages and sought a declaratory judgment to acknowledge his future right to compensation. This declaratory judgment concerning damages is standard in German law due to statutory limitations that would otherwise prevent a person from bringing claims after a period of three years (such as for long-term consequences of a car accident). After the data subject was granted €250 in non-material damages by the Regional Court of Bonn (Landgericht Bonn – LG Bonn), the controller appealed to the Higher Regional Court of Cologne (Oberlandesgericht Köln – OLG Köln), which then overrode LG Bonn’s decision and fully dismissed the action. The data subject, in return, appealed the case to the German Federal Court of Justice (Bundesgerichtshof – BGH). In its first decision under the [https://www.gesetze-im-internet.de/zpo/__552b.html new leading decision procedure], the Federal Court of Justice (Bundesgerichtshof, BGH) partially overruled