The scraping incident on Facebook.

In April 2021, unknown persons tapped into masses of user data on Facebook through scraping. It is now up to the Federal Court of Justice to decide whether the parent company Meta is liable for this. In total, the perpetrators obtained the personal data, such as names, cell phone numbers or place of residence, of 533 million users from 106 countries and then published it on the internet.

What is scraping?

Scraping means "digging" and refers to the systematic collection and storage of data, for example from websites. One example of permissible and legal use is the work of search engines. However, if automated processes are used to extract data without Facebook's consent, this violates the company's terms of use.

Security vulnerability in the Facebook "contact import" function

The main point of attack for the data theft was Facebook's "contact import" function, which allows users to upload their cell phone contacts to the social network. The attackers abused this function with automated tools: countless automatically generated cell phone numbers (000000001; 000000002 etc.) were fed into the "contact import" function on a large scale and linked to the matching profiles. This worked even if the phone number was set to "non-public" in the user's Facebook privacy settings. As soon as one of the generated numbers matched any Facebook profile, the attackers were able to link the cell phone number with the other publicly visible information on the profile (e.g. name and email address and sometimes even the employer). In this way, databases covering a total of 533 million people (including 6 million in Germany alone) were compiled and subsequently published on the darknet.
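The two controls this incident turns on are the per-user discoverability setting (the court later noted that searchability was set to "all" by default, and numbers marked "non-public" still matched) and the ability to notice bulk lookups of consecutive numbers before they yield a data set. The following Python model is an added example written for this article, not Facebook's code: the user directory, friendship graph, request log lines and detection thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed user directory (not real data): phone -> profile plus the owner's
# discoverability setting. "everyone" is the risky default the article describes;
# "friends" and "nobody" restrict who may resolve the number to a profile.
USERS = {
    "4915100000001": {"name": "Alice", "discoverable_by": "everyone"},
    "4915100000002": {"name": "Bob", "discoverable_by": "friends"},
    "4915100000003": {"name": "Carol", "discoverable_by": "nobody"},
}
# Constructed friendship graph: viewer -> set of phone numbers of their friends.
FRIENDS = {"viewer-1": {"4915100000002"}}


def resolve_contact(viewer, phone):
    """Return the profile for `phone` only if its owner allows `viewer` to find it.

    Numbers the viewer may not see are answered exactly like unknown numbers, so
    the response does not reveal whether an account exists behind them.
    """
    profile = USERS.get(phone)
    if profile is None:
        return None
    setting = profile["discoverable_by"]
    if setting == "everyone":
        return profile
    if setting == "friends" and phone in FRIENDS.get(viewer, set()):
        return profile
    return None


# Assumed log format for the contact-import endpoint (constructed for this example).
LOG_RE = re.compile(r"session=(\S+) viewer=(\S+) phone=(\d+)")


def analyse_log(lines, min_sample=30, min_hit_rate=0.2, max_sequential=0.8):
    """Replay contact-import request logs and flag enumeration-like sessions.

    Assumed heuristics: a genuine address book is small and mostly resolves to
    real accounts; an enumeration run submits many numbers, few of which match,
    often in ascending sequence. The thresholds are assumptions for the example.
    Returns {session: (lookups, hits, suspicious)}.
    """
    per_session = defaultdict(list)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unrelated log line
        session, viewer, phone = m.groups()
        per_session[session].append((phone, resolve_contact(viewer, phone) is not None))

    report = {}
    for session, entries in per_session.items():
        phones = [p for p, _ in entries]
        n = len(entries)
        hits = sum(1 for _, matched in entries if matched)
        # Fraction of consecutive lookups that differ by exactly one.
        steps = [int(b) - int(a) for a, b in zip(phones, phones[1:])]
        sequential = (sum(1 for d in steps if d == 1) / len(steps)) if steps else 0.0
        suspicious = n >= min_sample and (hits / n < min_hit_rate or sequential > max_sequential)
        report[session] = (n, hits, suspicious)
    return report


def build_sample_log():
    """Constructed log lines: one bulk lookup session and one ordinary address-book upload."""
    lines = [
        f"2021-04-01T10:00:{i:02d}Z session=s-bulk viewer=viewer-9 phone={4915100000000 + i}"
        for i in range(40)
    ]
    for phone in ["4915100000001", "4915100000002", "4915100000003",
                  "4915100000099", "4915100000555"]:
        lines.append(f"2021-04-01T11:00:00Z session=s-normal viewer=viewer-1 phone={phone}")
    return lines


if __name__ == "__main__":
    for session, (n, hits, suspicious) in analyse_log(build_sample_log()).items():
        print(f"{session}: {n} lookups, {hits} matches, suspicious={suspicious}")
```

With the constructed data, the bulk session submits 40 consecutive numbers and resolves only Alice, whose setting is "everyone"; Bob's "friends"-only number is invisible to a stranger even though it exists. The ordinary session, five contacts from a real address book, stays below the sample threshold and is not flagged.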

Efficient decisions and legal certainty through landmark decisions

Dozens of lawsuits are already pending in Germany because of the leak. One of these lawsuits was heard by the Federal Court of Justice (BGH) last Monday. Germany's highest civil court selected the case as a "leading case" and is clarifying, in principle, whether users can claim damages from Facebook's parent company Meta.

According to a regulation that only came into force on October 31, 2024, the Federal Court of Justice can declare a case in mass proceedings to be a leading-decision case if it is relevant to a large number of other proceedings. The disputed legal issues are then clarified in general in this leading-decision case. The new regulation is intended to protect the judiciary from a flood of individual lawsuits, as happened with the diesel scandal, and to enable more efficient decisions in mass proceedings.

The special feature is that the BGH can also make the landmark decision if the parties reach an agreement in the meantime. In connection with the scraping scandal, Meta has already reached settlements with many of those affected - a common practice for companies in mass proceedings to avoid setting a precedent.

Will the affected customers receive money for the loss of their data?

The Federal Court of Justice has already sided with the users in the oral hearing on the Facebook data leak and declared: Meta's de facto loss of control over personal data already constitutes damage under the GDPR. According to the Federal Court of Justice, the de facto loss of control over personal data is sufficient to substantiate a claim for non-material damages under Art. 82 para. 1 GDPR.

Although this legal question has already been answered by the European Court of Justice, there have been divergent decisions by several German courts. These required the affected users to provide objective evidence that they were suffering from fears of possible data misuse in order to assert a claim for damages. The BGH clarifies that proven fears of data misuse additionally increase the damages.

In addition to the affected Facebook users, the leading decision of the Federal Court of Justice also gives all other victims of GDPR violations legal certainty in the future when claiming non-material damages.

Today's ruling by the BGH - Only 100 euros in damages!

The Federal Court of Justice in Karlsruhe today announced its ruling in the lead case on the Facebook data leak:

According to the ruling, even the temporary loss of control over personal data can constitute a breach of the General Data Protection Regulation and give rise to claims for damages. Affected parties only have to prove that they were victims of the data theft, as Presiding Judge Stephan Seiters explained when the ruling was handed down in Karlsruhe. Proof of noticeable negative consequences is not required, nor is proof that the data published without authorization was actually misused.

The regional and higher regional courts must now clarify the specific details, such as whether there was actually a breach of data protection. However, the BGH indicated that this was probably the case, as Meta had set the searchability of the data to "all" by default, which contradicts the principle of data minimization, as Presiding Judge Seiters explained.

The courts must also check whether the plaintiffs have effectively consented to the data processing. Other factors to be examined are which data is affected, how sensitive this data is, as well as the extent and duration of the loss of control. The question of whether control over the data can be regained by changing the telephone number is also important.

How much money are those affected entitled to now?

As far as compensation for damages is concerned, Seiters emphasized that this only serves to compensate for the damage suffered and has no deterrent function. If it is only a matter of the mere loss of control over the data, the Senate considers an amount of 100 euros to be appropriate.

Higher compensation for further evidence

The ruling goes one step further: if those affected can prove that they have suffered from anxiety or other psychological stress as a result of the data loss, for example, the compensation can be significantly higher. The European Court of Justice (ECJ) had previously clarified that data loss can be comparable to physical injury in terms of its severity. In this respect, the BGH's decision follows the line of the ECJ.

In addition, potential future damage, such as the misuse of data on the darknet - for example for phishing or other criminal activities - was also taken into account by the court. In such cases, Facebook could also be held liable for the damage caused.

What does this mean for those affected?

The ruling brings relief for affected Facebook users, as it simplifies the assertion of claims and may trigger a rethink among companies. Data protection is increasingly becoming a key issue and the pressure on companies such as Facebook is growing. For those affected, the ruling is a relief, while for companies it is a wake-up call. Anyone affected should hurry to sue for damages, as the statute of limitations will expire at the end of this year.
