German Facebook Users Eligible For Compensation Over Data Breach

Millions of German Facebook users whose data was obtained and leaked in a major security breach are eligible for compensation, Germany’s highest civil court, the Federal Court of Justice (BGH), has ruled.

The Karlsruhe-based court found the users’ loss of control over their data was grounds for damages, without any requirement for the plaintiffs to prove specific financial losses or misuse of the data.

The BGH said its ruling was a guideline decision, meaning it can serve as a precedent for thousands of similar cases currently being processed by German courts.

In 2018 and 2019 unknown people scraped the data of some 533 million Facebook users worldwide and posted the data online.

Data scraping

The incident involved the misuse of the social network’s search tool, which allowed users to be identified by entering their phone numbers.

The scrapers used automated searches for millions of randomly generated phone numbers to access users’ data en masse.

Facebook parent Meta Platforms has downplayed the breach since the data was made public in April 2021, saying it did not involve hacking and that the company had already plugged the loophole.

The company refused to compensate users, saying they could not prove concrete losses.

About six million people in Germany were affected by the data leak.

The higher regional court in Cologne had rejected the legal claim, but must now reconsider it taking the BGH’s ruling into account.

The plaintiffs in the case considered by the BGH had demanded at least 1,000 euros ($1,056, £836) in compensation from Meta, but the BGH said a sum closer to 100 euros would be more suitable with no proof of financial loss.

Compensation claim

The ruling said the lower court must determine whether Facebook’s terms of use were transparent and comprehensible and whether users’ consent for use of their data was voluntary.

Meta said in a statement the BGH’s ruling was “inconsistent with the recent case law of the European Court of Justice, the highest court in Europe”.

“Similar claims have already been dismissed 6,000 times by German courts, with a large number of judges ruling that no claims for liability or damages exist,” the company said.

It said its systems had not been hacked and there was “no data breach”.

The data protection office of Ireland, where Meta’s European headquarters is located, fined the company 256m euros in 2022 over the leak following a more than year-long investigation.