The Federal Court of Justice (BGH) today handed down its judgment in one of our lawsuits regarding the Facebook data leak (judgment of November 18, 2024, case number VI ZR 10/24). He had already negotiated for around 90 minutes last Monday and given a direction. Now it is certainty and a great victory for all consumers. The Federal Court of Justice has settled a highly controversial legal question and ruled: The mere loss of control over personal data is sufficient to justify a claim for non-material damages under Article 82 (1) of the General Data Protection Regulation (GDPR). The BGH considers a sum of 100 euros to be justified for this alone.
The European Court of Justice (ECJ) had already decided this legal question in this way. However, some German courts have made decisions that deviate from this and have also required that the consumers concerned must objectively prove that they suffer from fears of possible data misuse.
As a lawyer and partner at the Cologne media law firm WBS.LEGAL, Christian Solmecke specializes in advising the Internet and IT industry. In recent years, he has steadily expanded the firm's Internet law/e-commerce area and supports numerous media professionals, Web 2.0 platforms and app developers. In addition to his work as a lawyer, Christian Solmecke is a multiple author and, as the founder of the cloud-based law firm software Legalvisio.de, he is also a successful LegalTech entrepreneur.
However, the Federal Court of Justice made it clear in its ruling today: If the person can demonstrate corresponding fears beyond the mere loss of control, this increases the damages. However, it is not a requirement for this. The ECJ had already ruled that data loss is, by its nature, no less serious than bodily harm. Therefore, significantly higher compensation can now be expected in individual cases.
Finally legal certainty!
In doing so, the BGH is dismantling the high hurdles that other courts had sometimes set for GDPR damages. There is now finally legal certainty – not just for those affected by the Facebook data leak, but for practically everyone affected by GDPR violations. It will now be easier for millions of those affected to obtain non-material damages. Further information on the exact calculation of the claim for damages will only be available in the full reasons for the judgment, which have not yet been published.
The BGH also states: Facebook's possible liability applies not only to damage that has already occurred, but also to potential damage that could only occur in the future: for example, the actual misuse of data that ended up on the Darknet for phishing or other criminal activities. After all, the rights to informal self-determination and the protection of personal data have been violated. The BGH also partially recognizes claims for injunctive relief.
At a time when companies are collecting more and more data from all of us, but are still doing far too little to protect this data, the judgment won by our law firm WBS.LEGAL can be described as an enormous success.
What's next?
As expected, the BGH referred the proceedings back to the Cologne Higher Regional Court (OLG) so that it can make findings on Facebook's misconduct and the amount of damages. The lower court had left these questions open.
However, there is no serious question about the fact that Facebook is fundamentally liable: Not only have all German courts said this so far. The Cologne Higher Regional Court itself also wrote in its judgment: 'The defendant [Meta] In addition, violations of Article 5 Paragraph 1 Letter b), 25 Paragraph 2, 32 Paragraph 1 GDPR may also be alleged.' The attitude of the BGH chairman was already clear last week when he said: 'I would have a problem if my name and telephone number were found on the Internet.'
The ECJ has so far said that it is up to national courts to set criteria for the amount of GDPR damages. However, he also says: The amount should be calculated in such a way that it can fully and effectively compensate for the damage suffered; after all, the GDPR has a “compensatory function” here. The Cologne Higher Regional Court must now bring these requirements to life.
However, it is very likely that the case will end up back at the BGH after another OLG ruling. This can then set up legally secure criteria for assessing GDPR damages, which all courts can use as a guide in the future.
What are the consequences for those affected by the Facebook data leak?
Those affected by the Facebook data leak are now entitled to non-material damages. The BGH has taken a very clear position on the most controversial question. This makes it clear: the basic requirements for non-material damages are met in the case of the Facebook data leak.
What consequences will this have for future claims for GDPR damages?
This legal certainty creates an extremely important basis for all consumers affected by data leaks or other violations of the protection of personal data. It is now clear that they do not have to meet disproportionately high demands in order to establish that they are entitled to non-pecuniary damages. This will put enormous pressure on all companies to take data protection even more seriously in the future. Especially since the courts from other European countries will certainly also take note of this BGH decision and decide accordingly. Therefore, this day is a very good day for data protection in the EU.
The background is the Facebook data leak from 2021. In the case now decided, the plaintiff had set his phone number so that it should only be visible to him. However, he left the searchability settings at “all” and did not explicitly limit them, so that anyone who had already saved his phone number could have found his profile. Facebook's so-called contact import function now allowed hackers to grab his phone number and also his name and place of work in order to publish this on the dark web in April 2021.
The same thing happened to 533 million users worldwide, 6 million in Germany alone – in some cases their dates of birth, email addresses and personal information such as relationship status were also published. A gateway for criminals.
Debate about loss of control as damage
The question of whether the mere loss of control over personal data in itself constitutes damage has been of particular concern to German courts in recent years. There have been some wrong judgments here. In this specific case, too, the Cologne Higher Regional Court – contrary to the previous instance, the Bonn Regional Court – sided with the skeptics (ref. 15 U 67/23). Therefore, it placed disproportionately high demands on the damage that a consumer must demonstrate.
The court argues that the loss of control over one's own data alone is not enough to justify a claim for damages. What is needed is “any additional impact on the person or the life circumstances of the person concerned” – such as justified fears or fears of abuse. And even these would have to be objectively ascertainable – simply claiming that one has corresponding fears should not be enough. In doing so, the Cologne Higher Regional Court directly contradicted the consumer-friendly ECJ case law and the requirements of the GDPR itself.
The BGH now also saw this contradiction. The ECJ had already stated in several decisions – in particular on October 4th (Case C-200/23) – that both fears and concerns about actual misuse and the mere loss of control over personal data are in themselves sufficient to cause a to justify damage. No wonder – after all, this is exactly what is stated in Recital 85 of the GDPR. For the Federal Court of Justice, the legal situation is now just as clear.
Previous judgments in the specific case
In the specific case, the Bonn Regional Court had awarded our client at least 250 euros in damages because he had suffered compensable damage due to the loss of control over his data (ref. 13 O 125/22). The Cologne Higher Regional Court then dismissed the lawsuit in its entirety in the appeal proceedings (ref. 15 U 67/23) – as we have now seen, with reasons that were no longer tenable.
We already represent around 70,000 Facebook users in order to assert claims for damages, declaratory judgment, injunctive relief and information on their behalf due to a violation of Article 82 (1) GDPR by Meta.
We have now filed around 4,300 lawsuits on behalf of his clients in practically all German courts. The BGH was originally supposed to hear two of our Facebook data leak cases on October 8th. However, now that this negotiation date has been cancelled, there is now finally legal certainty for all affected consumers.
Background to the key decision process
The Leading Decision Act only came into force on October 31, 2024 and on the same day the BGH selected one of our proceedings as the first leading decision. This means that he has the opportunity to decide on the central legal issues, even if the procedure is resolved in another way before a judgment is reached – for example through a settlement. With this decision, the highest civil court can ensure that all regional and higher regional courts dealing with the matter now know how to decide these central legal questions. This serves to relieve the burden on the courts and ensure legal certainty for all those affected.
