On November 18, 2024, the German Federal Court of Justice (BGH) issued a landmark ruling in the Facebook data leak case. The court ruled that the loss of control over personal data alone constitutes damage within the meaning of the GDPR. But what exactly is behind this decision? What details did the judges take into account and how are these reasons for the ruling applied in practice? We take a detailed look at the most important aspects.

Loss of control is sufficient for compensation

A central topic of the ruling was the question of whether the mere loss of control over personal data already justifies a claim for damages. The BGH clarified: Yes, the mere loss of control is already to be recognized as non-material damage. A claim for damages under Article 82(1) GDPR can therefore arise without the data subject having to prove specifically that misuse or actual damage has already occurred as a result of the data breach.

This clarification is particularly important because German courts have in the past sometimes set very high requirements for proof of damage. For example, some courts required the affected user to prove actual damage or at least fears of misuse of the data. The BGH has now clearly ruled that the loss of control alone is sufficient to constitute damage.

What does that mean in concrete terms?

This means that users whose data has been accessed without their consent, as happened in the case of the Facebook data leak, are already entitled to compensation for the loss of control over their data. A specific misuse of the data does not have to be proven. The loss of control alone, i.e. the knowledge that one's own data is now accessible on the internet, is sufficient to claim damages.

Fears of abuse increase damages

Although the BGH recognizes the loss of control as a sufficient reason for compensation, there is another important point: If those affected can prove that the incident caused them fears or concerns regarding the misuse of their data, the compensation can even be increased.

Why is this the case? The BGH argues that such fears constitute additional immaterial damage that also justifies compensation. For example, someone whose telephone number was made publicly accessible as a result of the data leak could fear becoming a victim of phishing attacks or spam messages in the future. According to the BGH, these concerns constitute further damage that goes beyond the mere loss of control and also justifies a claim for damages.

What does this mean for those affected?

This could be good news for many people concerned about the misuse of their data. Anyone who can credibly demonstrate that they are afraid of misuse due to the publication of their data on the internet can assert a higher claim for damages. This claim could even exceed the lump sum of 100 euros that the Federal Court of Justice considers to be the minimum compensation for loss of control.

Amount of loss: How is the amount determined?

The question of how much compensation is due is of great importance to many. The BGH provides a clear framework here. The Court stated that the compensation must "fully and effectively" compensate for the damage. The amount must be proportionate to the damage suffered, but must not have a deterrent or punitive effect. The aim is therefore not to punish Meta (Facebook), but to provide the affected users with fair compensation for the loss of control over their data.

How is the damage measured?

The BGH takes several factors into consideration when determining the amount of damages:

  • Sensitivity of the affected data: The more sensitive the data, the greater the damage. Health data would therefore be more valuable than simple contact data.
  • Duration of the loss of control: If the data subject has permanently lost control over the data, for example because the data ends up in a public data pool, this is considered more serious.
  • Number of possible recipients: If the data can be disseminated on a large scale (e.g. via the darknet or other insecure platforms), the damage is considered to be greater.

The minimum compensation of 100 euros

The Federal Court of Justice has set the amount of damages for the loss of control over data at a minimum of 100 euros. The BGH considers this sum to be justified in order to compensate for the immaterial damage caused by the loss of control over one's own data.

The impact on Facebook and the responsibility of Meta

In the ruling, the BGH also confirms that Meta is responsible for the incident. The judges emphasize that the protection of personal data must be of great importance to the company and that violations of the GDPR cannot simply be accepted.

Specifically, this involves several points:

  • Violations of the GDPR: Facebook has violated several provisions of the GDPR, in particular the principle of data minimization and the protection of data through appropriate default settings.
  • Responsibility for security: Meta should have done more to prevent misuse of the "contact import" function. The company must ensure that such leaks no longer occur in future.

What does the ruling mean for future cases?

The ruling by the Federal Court of Justice provides more legal certainty, both for the Facebook users affected and for all other people whose data may have been accessed without their consent. In future, it will be easier for consumers to assert claims for damages in the event of data protection violations. Companies must be prepared for higher liability risks if they violate the GDPR and do not adequately protect their users' data.

Practical consequences of the BGH ruling: Higher data protection requirements for companies

The ruling of the Federal Court of Justice in the Facebook data leak shows that companies must now be even more careful when handling data. It is hard to ignore the fact that responsibility for the protection of personal data is being further strengthened - and not just in terms of legal formalities, but also with real financial consequences. Entrepreneurs should prepare themselves for the fact that the protection of personal data can no longer be considered a mere compliance exercise. Implementing the GDPR is increasingly becoming a practical necessity in order to avoid expensive fines. The ruling underlines the importance of taking data protection seriously - not only for legal reasons, but also for business reasons.
