At the end of last year, the German Federal Court of Justice ruled on a case involving the leak of personal data of more than 500 million Facebook users.[1] The personal data was obtained through scraping and published on the internet. The court concluded that the loss of users’ control over their own personal data constituted non-material damage in itself and that further specific adverse effects on users did not need to be examined. It awarded EUR 100 as appropriate compensation for the damage. Does this mean that in future, any user will be able to claim damages of EUR 100 for the mere loss of control over personal data in the event of a data leak? Will this encourage new class actions in the Czech Republic, and what impact can be expected on companies that process large amounts of personal data?
In April 2021, a massive data leak led to the exposure of personal information of approximately 533 million Facebook users, including user IDs, names, occupations, gender and phone numbers. The data were obtained by scraping: the scrapers fed large sets of phone numbers into Facebook’s feature that allows a user to be found by their phone number and harvested the profile data returned for every match. One of the affected users claimed that Facebook, as a data controller, had not put in place sufficient measures to prevent this abuse and sought compensation for damage.
Decision of the German Federal Court of Justice
First, the German Federal Court of Justice (“BGH”) emphasised that, according to the CJEU case law,[2] even a temporary loss of control over personal data as a result of a breach of the GDPR can constitute non-material damage under Article 82(1) GDPR. Therefore, a data subject does not have to prove a specific abuse of their personal data or other negative consequences in order to claim compensation for non-material damage.
BGH further held that the default setting allowing users to be searched by their phone numbers and visible to "all" does not comply with the data minimisation principle in Article 5(1)(c) GDPR or with the requirements for data protection by design and by default under Article 25(2) GDPR. Facebook had therefore breached its obligation to implement appropriate technical and organisational measures (“TOMs”) and had failed to ensure that, by default, only personal data necessary for the specific purpose of the processing are processed. Moreover, BGH noted that where a controller has failed to comply with its obligations under the GDPR, the burden of proof as to the absence of damage lies not with the data subject but with the controller.
BGH stated that it considered non-material damages of approximately EUR 100 adequate for the mere loss of control over personal data, without requiring proof of further emotional distress or financial loss. This amount is intended to serve as adequate compensation for the violation of the data subject’s rights under the GDPR.
As for the Court of Justice of the EU, it has ruled on compensation for non-material damage that a mere violation of the GDPR is not in itself sufficient to give rise to a right to compensation; it is instead necessary to prove (i) actual damage, (ii) a violation of the GDPR and (iii) a causal link between the violation and the damage.[3] Further, the non-material damage suffered by the data subject must be interpreted broadly but must always be actually suffered, not hypothetical, and may include, for example, fear of future misuse of personal data.[4] According to the CJEU, data subjects can also claim compensation for non-material damage regardless of the severity of the harm or the length of time during which they lost control over the data, as long as the harm is actual and not merely hypothetical.[5]
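To make the BGH’s data-protection-by-default point concrete, the following is an added illustration (not Facebook’s code, and not part of the original article) of a simplified “find people by phone number” lookup. All users, phone numbers and the scraper account are constructed. It contrasts the default the court criticised (every profile searchable by everyone) with an opt-in default (nobody), and adds a per-requester lookup budget as one example of a technical measure that limits enumeration even where a user has opted in. The number of records a range-walking scraper harvests under each setting is returned rather than only printed.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Searchable(Enum):
    EVERYONE = "everyone"   # the "all" default the BGH found non-compliant
    FRIENDS = "friends"
    NOBODY = "nobody"       # privacy-by-default: the user must opt in


@dataclass
class User:
    user_id: int
    name: str
    phone: str
    searchable_by_phone: Searchable
    friends: Set[int] = field(default_factory=set)


class Directory:
    """Hypothetical phone-number lookup with an optional per-requester lookup budget."""

    def __init__(self, users: List[User], lookups_per_requester: Optional[int] = None):
        self._by_phone: Dict[str, User] = {u.phone: u for u in users}
        self._budget = lookups_per_requester
        self._spent: Dict[int, int] = {}

    def lookup(self, requester_id: int, phone: str) -> Optional[Tuple[int, str]]:
        # The budget is charged for misses too, so a scraper cannot probe for free.
        if self._budget is not None:
            used = self._spent.get(requester_id, 0)
            if used >= self._budget:
                return None
            self._spent[requester_id] = used + 1
        u = self._by_phone.get(phone)
        if u is None:
            return None
        if u.searchable_by_phone is Searchable.EVERYONE:
            return (u.user_id, u.name)
        if u.searchable_by_phone is Searchable.FRIENDS and requester_id in u.friends:
            return (u.user_id, u.name)
        return None


def harvest(directory: Directory, requester_id: int, prefix: str,
            start: int, end: int) -> List[Tuple[str, int, str]]:
    """What the scraper does: walk a number range and keep every (phone, id, name) hit."""
    found = []
    for n in range(start, end):
        phone = f"{prefix}{n:04d}"
        hit = directory.lookup(requester_id, phone)
        if hit:
            found.append((phone, hit[0], hit[1]))
    return found


def build_users(default: Searchable) -> List[User]:
    """Constructed population: five users who never touched the setting, one who opted in."""
    users = [User(i, f"user{i}", f"+491701{i:04d}", default) for i in range(1, 6)]
    users.append(User(6, "optin", "+4917010006", Searchable.EVERYONE))
    return users


def leak_counts() -> Dict[str, int]:
    """Records harvested by a stranger account under each default / measure."""
    scraper = 999  # attacker account, friends with nobody
    rng = ("+491701", 0, 20)
    return {
        "default_everyone": len(harvest(
            Directory(build_users(Searchable.EVERYONE)), scraper, *rng)),
        "default_nobody": len(harvest(
            Directory(build_users(Searchable.NOBODY)), scraper, *rng)),
        "default_everyone_rate_limited": len(harvest(
            Directory(build_users(Searchable.EVERYONE), lookups_per_requester=3), scraper, *rng)),
    }


if __name__ == "__main__":
    print(leak_counts())
```

With the “everyone” default every profile in the range is harvested; with the opt-in default only the one user who chose to be findable is exposed; and a lookup budget caps what a single account can enumerate even under the weak default, which is the kind of measure the controller would have to show it had in place.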
The impact of new class actions in the Czech Republic
The data leak concerned approximately 533 million Facebook users. If the aforementioned amount of EUR 100 had been awarded to the majority of the users concerned, who suffered non-material damage simply through the loss of control over their personal data, Facebook would have had to pay tens of billions of euros in compensation. The question, however, is how many of the affected users would decide to enter into a legal battle over such a relatively small amount.
This is where the new Act on Civil Class Proceedings comes into play: it codifies and facilitates consumer class actions in the Czech Republic. The new act and class actions have been covered repeatedly and in detail by colleagues on the HP blog, e.g. in this article. A class action allows similar disputes involving multiple consumers against a single business to be litigated in a single lawsuit. Under a class action, consumers can join an action claiming specific financial compensation, including the aforementioned non-material damages. Moreover, registering a consumer in a class action is simple: the consumer merely provides basic supporting documents to the consumer organisation filing the class action in order to substantiate their claim. In the event of a data leak, it will therefore essentially be necessary to prove that the consumer’s personal data were leaked and that their data protection rights were breached.
Can we expect devastating class actions in response to data leaks?
Large-scale leaks of personal data, court-recognised lump sum damages of EUR 100 for the mere loss of control over personal data, and class actions that significantly facilitate the blanket enforcement of even small consumer claims might imply tough times for companies processing large amounts of personal data.
However, this is not necessarily the case. Companies that may be at risk of suffering data leaks should focus on regularly reviewing their data protection compliance and, in particular, ensuring that their TOMs remain appropriate and up to date. Well-set TOMs can often prevent data protection incidents from the outset.
Despite the most meticulous efforts to set up appropriate TOMs, data leaks can still occur. In such cases, robust and well-documented TOMs are invaluable in defending against consumer claims or fines from supervisory authorities. Under both the GDPR and the case law of the CJEU,[6] it is sufficient for TOMs to be appropriate and in line with the state of the art; the fact that a breach occurred does not by itself prove that the measures were inadequate, although it is for the controller to demonstrate their appropriateness. As a result, a company need not be held liable for a data leak or a “loss of control” over data subjects’ data where it can show that its TOMs were appropriate. Where claims for damages or non-material loss do arise as a result of a data breach, companies should seek professional legal advice as soon as possible.
Conclusion
The BGH’s decision to award EUR 100 per user for the mere loss of control over personal data, without proof of further damage, sets an interesting precedent, though it does not yet represent established case law of the CJEU. We will soon see whether similar claims become the subject of the newly introduced consumer class actions in the Czech Republic. Companies processing personal data need not fear ruinous claims if they regularly check their GDPR compliance and maintain well-established TOMs. In the event of a data leak, it is crucial to seek both technical and expert legal assistance promptly.
Our dedicated data protection and cybersecurity team at HAVEL & PARTNERS is available to assist you with any project. We focus on all legal and technical issues related to the protection of personal and other data, including cybersecurity. We can effectively and comprehensively help you with any problem you are facing. Through our sister company, FairData Professionals a.s., we also provide Data Protection Officer services according to GDPR. We also have a dedicated team for class actions, which has been involved in drafting new legislation in this area. We have recently opened a representation office in Frankfurt, which allows us to better assist our clients in entering the market there. And of course, vice versa, to facilitate business contacts from Germany to the Czech Republic.
- [1] – BGH, Case No VI ZR 10/24.
- [2] – Judgment of the CJEU, C-590/22 (PS (Adresse erronée)).
- [3] – Judgment of the CJEU, C-300/21 (Österreichische Post AG).
- [4] – Judgment of the CJEU, C-340/21 (Natsionalna agentsia za prihodite).
- [5] – Judgment of the CJEU, C-456/22 (Gemeinde Ummendorf).
- [6] – Articles 24 and 32 GDPR; judgment of the CJEU, C-340/21 (Natsionalna agentsia za prihodite).