Introduction
Germany’s Federal Court of Justice (BGH) has issued a pivotal ruling that significantly lowers the standard of proof required for Facebook users seeking compensation for data breaches. This decision marks a substantial shift in the accountability of tech companies for data protection failures, particularly affecting users whose data was unlawfully accessed between 2018 and 2019.
Description
Germany’s Federal Court of Justice (BGH) has issued a landmark ruling that lowers the standard of proof for Facebook users seeking compensation due to data breaches that occurred between 2018 and 2019. Individuals whose data was unlawfully accessed are now entitled to compensation for non-material damages, marking a significant shift in accountability for tech companies regarding data protection failures [3]. The court established that it is sufficient for victims to demonstrate they were affected by the data leak without needing to prove specific financial losses or demonstrate misuse of their data. This decision may enable millions of affected users in Germany to pursue claims against Meta Platforms, Inc. [4] [5], particularly following incidents where unauthorized third parties accessed user accounts through guessed phone numbers [4].
The ruling is connected to a major data breach from April 2021, where personal information of approximately 533 million Facebook users was exposed on a hacker website [2], including around six million users in Germany. The claims are linked to inadequate data protection measures that allowed unauthorized access to user accounts through the Facebook friend search feature. The Irish Data Protection Commission had previously fined Meta €265 million for these failures [2]. A higher regional court in Cologne [1], which had initially dismissed these claims [6], is now required to reconsider the case in light of the BGH’s ruling [1]. One plaintiff sought damages of €1,000 ($1,056) [4] [8], but the BGH indicated that approximately €100 (around $106) would be more appropriate for cases without proven financial losses.
The court instructed the lower court to assess whether Facebook’s terms of service were clear and understandable and whether users consented to the use of their data voluntarily [4]. Meta had previously denied compensation claims [6], arguing that affected users did not demonstrate tangible damages and contending that the incident did not constitute a data breach, as Facebook’s systems were not hacked [2] [4] [7] [8]. A spokesperson for Meta criticized the BGH’s ruling [4], claiming it contradicts recent decisions by the European Court of Justice and noted that similar claims have been dismissed over 6,000 times by German courts [4], with many judges concluding that no liability or damages claims were valid [4]. This ruling fundamentally changes the landscape of data protection enforcement in Germany [3], providing users a clearer path to seek redress for the loss of control over their personal data and influencing numerous pending cases where Meta has previously achieved an 85% success rate in similar litigations. The case reference is BGH [2], VI ZR 10/24 [2].
Conclusion
The BGH’s ruling represents a transformative moment in data protection enforcement in Germany, setting a precedent that could influence future cases and potentially lead to increased accountability for tech companies. By lowering the standard of proof [2] [5], the decision empowers users to seek redress for non-material damages, thereby reinforcing the importance of robust data protection measures. As the legal landscape evolves, tech companies may need to reassess their data protection strategies to mitigate potential liabilities and ensure compliance with emerging legal standards.
References
[1] https://www.silicon.co.uk/e-regulation/legal/facebook-leak-compensation-589386
[2] https://finance.yahoo.com/news/meta-loses-german-court-fight-142728757.html
[3] https://www.forbes.com/sites/larsdaniel/2024/11/18/facebook-data-breach-fallout-millions-may-receive-compensation/
[4] https://www.isss.org.uk/news/facebook-users-affected-by-data-breach-eligible-for-compensation-german-court-says/
[5] https://news.bloomberglaw.com/us-law-week/meta-loses-german-court-fight-over-global-data-leak-in-2021
[6] https://www.thedailystar.net/tech-startup/news/facebook-users-eligible-data-breach-compensation-german-court-3756136
[7] https://www.cyberdaily.au/security/11374-facebook-users-caught-up-in-major-data-incident-eligible-for-compensation-rules-german-court
[8] https://www.insurancejournal.com/news/international/2024/11/19/801739.htm