Court case I-25 U 25/24 – Court Ruling (Germany, 2024)

Court Ruling
DPA LG Münster, 29 November 2024, Germany
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

A German court ruled that Facebook did not protect user data properly after a major data scraping incident. This case highlights the importance of companies safeguarding personal information to prevent unauthorized access. It serves as a reminder for businesses to strengthen their data protection measures.

What happened

Facebook failed to protect user data, leading to the scraping of information from approximately 533 million accounts.

Who was affected

Users of Facebook whose data was exposed during the scraping incident.

What the authority found

The court found that Facebook did not take adequate measures to protect user data, violating GDPR requirements for data security.

Why this matters

This ruling emphasizes that companies must actively protect user data from unauthorized access. It sets a precedent for holding companies accountable for data breaches, urging all businesses to review their data protection practices.

GDPR Articles Cited

AI-verified

Art. 6(1)(a) GDPR
Art. 6(1)(b) GDPR
Art. 15(1) GDPR
Art. 82(1) GDPR

Decision Authority: OLG Hamm
Reviewed Authority: LG Münster (Germany)
Source verified 22 March 2026
articles corrected
authority corrected
Full Legal Summary
Detailed

The data subject is a user of Facebook (the controller). In April 2021, data of approximately 533 million Facebook users were made public on the internet. An unknown third party had used the possibility of finding user accounts through the users’ phone numbers for scraping Facebook by trying out randomly generated phone numbers. Through this method, they were able to obtain user profiles with matching phone numbers. The data subject in this case was also among the people affected by this scraping incident; his user ID, first and last name, and gender were included in the data set and were therefore linked to his phone number. Notably, while the data subject had set his phone number to be visible only to himself, he had left the searchability setting at the default "Everyone," allowing others to find his profile via his phone number.

The data subject claimed that the controller did not take appropriate measures to avoid the exploitation of the contact tool that allowed users to be found through their phone numbers. He sued the controller for damages and sought a declaratory judgment to acknowledge his future right to compensation. This declaratory judgment concerning damages is standard in German law due to statutory limitations that would otherwise prevent a person from bringing claims after a period of three years (such as for long-term consequences of a car accident).

The data subject argued that he had suffered a loss of control over his personal data, resulting in a feeling of unease and worrying about potential abuse of his data. This also resulted in a heightened distrust of emails and calls from unknown senders or numbers.

After the controller rejected the data subject’s claims, the data subject initiated legal proceedings, claiming that the controller had violated the GDPR in several respects and had not adequately protected his data. The Regional Court Münster (Landgericht Münster - LG Münster) dismissed the action on 6 June 2024 because the data subject h

Outcome

Court Ruling

A ruling by a national court on a data-protection matter.

Violations (1)

Third-Party Cookies Without Consent
critical

Third-party tracking cookies or scripts are loaded without obtaining prior user consent.

Art. 13, 14 GDPR

Related Cases (0)

No other cases found for Court case I-25 U 25/24 in DE

This is the only recorded case for this entity in this jurisdiction.

Details

Ruling Date

29 November 2024

Authority

DPA LG Münster

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Court case I-25 U 25/24 - Germany (2024). Retrieved from cookiefines.eu
