German Court Ruling: Facebook Data Breach Victims Eligible for Compensation
Germany’s Federal Court of Justice (BGH) has ruled that Facebook users affected by a 2018–2019 data breach are entitled to compensation, setting a significant precedent for data protection claims under the GDPR. This decision highlights that victims of personal data leaks can receive damages without demonstrating financial losses or misuse of their data.
German Court Ruling: Facebook Data Breach Victims Eligible for Compensation
The breach resulted from a “scraping” operation exploiting Facebook’s friend search functionality. Between 2018 and 2019, automated tools used randomly generated phone numbers to extract user data. The leaked information, including user IDs, full names, workplaces, and genders, surfaced online in 2021. Globally, 533 million users were impacted, including 6 million in Germany.
Meta, Facebook’s parent company, argued that this incident was not a traditional data breach since its systems were not compromised. Instead, the data was “scraped” by exploiting a loophole in its tools, which Meta addressed in September 2019. Despite these claims, the court’s decision reflects a broader understanding of GDPR violations.
The German court’s decision is significant as it moves beyond requiring material damages for compensation. The BGH ruled that loss of control over personal data constitutes non-material damage under Article 82 of the GDPR. This means plaintiffs do not need to prove tangible financial harm or data misuse to claim compensation.
While plaintiffs initially sought €1,000 in damages, the court deemed €100 a more appropriate sum. This ruling underscores that GDPR breaches have consequences, even in the absence of financial loss.
Meta has criticised the ruling, calling it inconsistent with recent European Court of Justice (ECJ) decisions. A spokesperson highlighted that similar claims were dismissed over 6,000 times by German courts, reaffirming Meta’s stance that no harm occurred and its systems were not breached.
Despite Meta’s arguments, the ruling could reshape GDPR enforcement across Germany and the EU. By recognising non-material damage as grounds for compensation, courts are strengthening data subjects’ ability to hold companies accountable.
For businesses, the decision reinforces the need for robust data protection measures and clear, transparent terms of use. Even incidents involving unauthorised data scraping — rather than system breaches — may lead to legal and financial liabilities.
German users impacted by the 2021 data leak must act swiftly to claim compensation. Reports indicate that claims against Meta could expire by the end of this year. To pursue damages, affected individuals need to file lawsuits and provide evidence linking their data to the breach.
Given the precedent set by this ruling, similar claims could emerge across other EU jurisdictions.
This case reflects a growing trend in GDPR enforcement, where courts are prioritising data subjects’ rights over technical arguments on system security. The €265 million fine issued to Meta by the Irish Data Protection Commission in 2022 for the same incident further illustrates regulators’ focus on accountability and prevention.
As GDPR evolves, businesses must reassess their compliance frameworks. Unauthorised data scraping, even when systems remain uncompromised, can still trigger significant regulatory fines and legal claims.
The BGH ruling is a landmark moment for GDPR enforcement, establishing that loss of control over personal data is sufficient for compensation. While Meta continues to challenge the decision, it marks a shift in how courts address data breaches and privacy violations.
For affected German users, the ruling offers a path to asserting their rights under GDPR. For businesses, it serves as a stark reminder that data protection failures, regardless of intent or financial impact, carry serious consequences.
If your business is facing reputational damage due to a data breach or privacy concerns, addressing these issues quickly and strategically is essential. Proactive reputation management can help mitigate negative perceptions and rebuild trust. Learn more about safeguarding your brand and protecting your digital presence – contact Igniyte today