Court case 4 U 808/24 – Court Ruling (Germany, 2024)

Court Ruling
DPA LGDresden
10 December 2024
Germany
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.


GDPR Articles Cited

Art. 6 GDPR
Art. 15 GDPR
Art. 82 GDPR
Art. 25(2) GDPR
Decision Authority: OLG Dresden
Reviewed Authority: LG Dresden (Germany)
Full Legal Summary

The data subject is a user of Facebook (the controller) and was affected by a scraping incident. An unknown third party had exploited the feature for finding user accounts by phone number to scrape Facebook, randomly generating phone numbers and searching for matching users. Through this method, the data subject's ID, first and last name, and gender were included in the data set and linked to his phone number. Notably, while the data subject had set his phone number to be visible only to himself, he had left the searchability setting at the default "Everyone," allowing others to find his profile via his phone number.

Following the scraping incident, the data subject received spam calls and SMS messages. He claimed in a written statement that he had fallen into a state of great discomfort and concern about possible abuse. However, the spam calls and SMS messages received under the disputed cell phone number were filtered out from the outset.

The data subject claimed that the controller did not take appropriate measures to prevent the exploitation of the contact tool that allowed users to be found through their phone numbers. He sued the controller for damages of €3,000 and sought a declaratory judgement to acknowledge his future right to compensation. This declaratory judgement concerning damages is standard in German law due to statutory limitations that would otherwise prevent a person from bringing claims after a period of three years (such as for long-term consequences of a car accident). Additionally, the data subject applied for injunctions requesting that the controller refrain from processing his telephone number in any way that goes beyond the processing necessary for two-factor authentication and that the court order the controller to enhance its security measures.

Following the lead decision of the German Federal Court of Justice (Bundesgerichtshof - BGH), VI ZR 10/24 of 18 November 2024, the court held that the mere

Outcome

Court Ruling

A ruling by a national court on a data-protection matter.

Violations (1)

Third-Party Cookies Without Consent
critical

Third-party tracking cookies or scripts are loaded without obtaining prior user consent.

Art. 13, 14 GDPR

Related Cases (0)

No other cases found for Court case 4 U 808/24 in DE

This is the only recorded case for this entity in this jurisdiction.

Details

Ruling Date

10 December 2024

Authority

DPA LGDresden

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Court case 4 U 808/24 - Germany (2024). Retrieved from cookiefines.eu
