The Bundesgerichtshof ("BGH"), the highest German court for civil law, has held that a mere short-term loss of control over personal data due to a breach of the GDPR can constitute non-material damage and justify a compensatory award.
Following a data incident involving approximately 533 million Facebook (now known as Meta) users (and 6 million in Germany), the decision has lowered the bar for affected parties to seek damages under Art 82(1) GDPR. The court held that in this instance, the potential loss of control over a phone number meant that a compensatory amount of EUR 100 was reasonable.
While the compensation amount is low, this German decision potentially carries significant implications beyond the scope of social media platforms. Given the frequently large claimant pools following GDPR breaches, combined with compensatory awards (however small) for non-material damage, this could lead to organisations and/or their insurers paying out significantly larger sums than previously anticipated.
It remains to be seen what implications this case will have outside of Germany.
Background
The claimant was amongst approximately 533 million Facebook users (around 6 million of them German users) whose data was made publicly available on the internet following a data leak in early April 2021. The claimant's personal data, including his phone number, was exposed. Between January 2018 and September 2019, unknown individuals had harvested data from the social media platform by guessing phone numbers and subsequently linking them to profiles. In his user account, the claimant had opted for a setting that meant his place of work would be publicly visible on his profile, while his phone number was visible only to him. However, in the searchability settings for his profile, where it was possible to decide who could find his profile via his phone number, the default setting was "everyone." As the claimant did not change his searchability settings, anyone who had his phone number would be able to find his profile.
In his claim against Meta, which was initially brought before the Regional Court of Bonn, the claimant claimed damages of EUR 1,000. The court partially granted the claim and awarded damages of EUR 250. Meta successfully appealed this decision to the Higher Regional Court of Cologne ("HRC"), where the claim was dismissed.
The reasoning behind the HRC's decision is worth a closer look: the court concluded that, on the basis of the claimant's submissions, it was not possible to establish whether he had ever lost control over his phone number. A loss of control required the individual to have originally had control over the data and then to have lost it against their will. Further, the claimant should have explained how he used his phone number in daily life, as a phone number was not inherently a sensitive piece of personal data. Rather, according to the judges, it was a piece of information intended to facilitate contact with others in everyday life and was often made widely accessible.
The court went on to hold that, even if a loss of control had occurred, the claimant had not suffered any non-material damage. There had been no effect on him or his life circumstances beyond the loss of control itself; for instance, there was no distress. This was in line with existing decisions.
The HRC hinted that Meta could potentially have violated several provisions of the GDPR by failing to implement appropriate technical and organisational measures to ensure that the claimant's personal data was processed only when necessary for the specific processing purpose. However, the court ultimately left open whether, and which, violations of the GDPR could be attributed to the defendant, as it had already assumed that the claimant would not be able to show he had suffered non-material damage.
The claimant appealed this decision to the BGH, on the grounds that the mere loss of control constituted non-material damage.
The BGH's decision
The BGH found in favour of the claimant. The claimant's action will now be re-examined by the HRC at a new hearing, with the decision now expected to consider the following factors.
- The court, referring to various decisions of the European Court of Justice, held that the mere short-term loss of control was sufficient to constitute non-material damage. There was no requirement for a specific abusive use of this data to the detriment of the claimant, nor for any other additional noticeable negative consequences. The court further expressed that, in this specific case, the damages to be awarded for the mere loss of control over the claimant's data would be in the range of EUR 100, significantly lower than the figure sought by the claimant.
- Regarding the establishment of loss of control, the court held that the claimant's explanation that he had not made his telephone number publicly accessible was sufficient to establish a loss of control. In particular, the claimant was not required to specify in detail which persons had been given access to his phone number.
- The BGH also guided the Higher Regional Court of Cologne by indicating that Meta's default searchability setting of "everyone" may not have corresponded to the principle of data minimisation as set out in Articles 5(1)(b) and (c), and Article 25(2) GDPR. Therefore, one of the questions remaining to be considered by the Higher Regional Court will be whether the default settings amounted to the claimant's consent or authority for his number to be disclosed. If so, then his claim will likely fail.
Implications of the decision
If the lower courts find there is a valid claim, they will still have discretion as to the final amount of damages in similar Facebook cases where phone numbers were compromised, but, as is the norm within the German court system, it is unlikely that such lower courts will deviate from the BGH's position. Even if there is a valid claim, those affected by the loss of control are likely to refrain from pursuing costly and drawn-out legal proceedings over a sum of EUR 100.
The BGH provided the lower courts with the following considerations regarding quantum in cases with different facts: in particular, the potential sensitivity of the personal data affected and its typical purpose of use; the type of loss of control (limited or unlimited recipient group); the duration of the loss of control, and the possibility of regaining it. Regarding the latter, the court provided examples such as removing a publication from the internet or changing personal data, such as changing a phone or credit card number. A possible benchmark for a remedy could be the hypothetical cost of regaining control, for example, the cost of changing the number.
Interestingly, the court stated that immaterial damages caused by a violation of the GDPR were no less serious than bodily harm. That said, traditionally, the compensation awarded in Germany for non-material damages following bodily harm tends to be relatively low.