A verdict was not yet reached in Karlsruhe on Monday, but the responsible sixth civil senate indicated in a preliminary assessment that it could see the loss of control over its own data as damage. The later BGH decision will be decisive for other cases that are still before the German courts. (Ref. VI ZR 10/24)
It was about a so-called scraping incident. Between January 2018 and September 2019, unknown individuals used Facebook‘s search function to access the data of hundreds of millions of Facebook users. Back then, users could be identified by entering phone numbers into the search function. This is no longer possible now.
The unknown persons generated millions of random telephone numbers and used automated queries to retrieve the data of users whose numbers were among them. In April 2021, the data of 533 million users was spread across the Internet. Data from the plaintiff in the case heard by the BGH was also included. His telephone number became known in connection with his user identity. His name, gender and employer were also among the data, although he had previously published these himself on Facebook.
The man sued Facebook parent company Meta for damages of at least 1,000 euros, among other things. He claims that Meta violated the European General Data Protection Regulation and did not adequately protect his data. After the scraping incident, he was contacted significantly more frequently via email, text message and telephone with fraudulent intent, which worried him.
He was partially successful before the Bonn Regional Court, but the Cologne Higher Regional Court dismissed the lawsuit on appeal. The BGH has now examined this judgment. During the hearing there was a debate about whether the European Court of Justice (ECJ) considers such a loss of control to be non-material damage. Whether anything else happened would then be irrelevant.
This is what the plaintiff’s lawyer argued. In his opinion, the ECJ made a clear statement on this. This is important because this is about EU law. ‘Meta’s lawyer argued, however, that the plaintiff would have had to prove damage, such as evidence of his concern. The man didn’t even change his phone number, he said.
As the presiding judge Stephan Seiters explained at the beginning of the hearing, the Senate had previously come to the preliminary assessment that damage had been caused. It therefore does not matter whether there was additional data misuse.
The BGH assumed a violation of the General Data Protection Regulation because the Higher Regional Court had not made sufficient findings in this regard. He justified his preliminary opinion, among other things, with the standard setting at the time. This meant that users could find other profiles using their phone number.
Meta was nevertheless optimistic after the negotiation. Martin Mekat from the law firm Freshfields explained on behalf of the company that these were “baseless lawsuits”. In the incident, “no Facebook systems were hacked and there was no data breach,” he said.
