GDPR: Meta’s loss of control of personal data ruled non-material damage justifying compensation

Wednesday 4th December 2024

Remember the €265m fine handed out to Meta by Ireland’s Data Protection Commission in 2022? That breach is still making waves.

German Facebook users took Meta to Court over the incident, and on 18 November 2024 Germany’s Federal Court of Justice (BGH) decided that they were entitled to compensation.

This matters because the German Facebook users couldn’t prove their data had been misused. There was no evidence of knock-on damage from Meta’s loss of control of their data, such as increased spam calls. The BGH has essentially ruled that mere short-term loss of control of personal data can be non-material damage within the meaning of Article 82 GDPR.

Let’s consider why this could be important.

The data breach

In case you missed it, in 2021 Facebook faced a massive data leak of the personal information of over 530 million users across 106 countries. This wasn’t the result of a hack, but a process called data scraping.

Here’s what happened: attackers exploited Facebook’s ‘contact importer’ tool, designed to help users find friends using phone numbers. By flooding the tool with randomly generated phone numbers, the attackers were able to match numbers to the associated user accounts and access the public data available on those accounts. They built up a database of names, emails, places of work, and gender, linked to telephone numbers.

Although Facebook fixed the flaw in 2019, the scraped data had already been collected and was dumped on a hacker forum in 2021.

The BGH ruling

Everyone has a right to claim compensation for both financial and non-financial losses if a company violates GDPR. It’s long been a point of contention whether loss of control of personal data can alone constitute non-material damage under Article 82(1).

The Facebook users in this case could not prove that their data had been misused, but nevertheless appealed an earlier decision and posed that contentious question to the BGH.

The BGH awarded each user €100 compensation and, in doing so, found that it was not necessary to prove that the data had been misused to the detriment of the data subject. In other words, the loss of control of the data is non-material damage in itself.

What impact could the ruling have?

Arguably, €100 compensation signals that the BGH did not deem mere loss of control to be particularly serious damage. That said, the decision could have a wide-reaching impact, as it will bind other cases pending before German Courts.

If you have an EU footprint, it of course could affect you directly, though it remains to be seen how the European Court of Justice will interpret this.

The decision doesn’t immediately affect the UK GDPR or bind any UK Courts, but decisions like these can often have a ripple effect. The ICO and UK Courts are likely to take notice.

Facebook’s systems weren’t hacked, so the incident underlines that data protection incidents can never be ruled out and can quickly become expensive, even when there’s been no misuse of the data.

But it’s no cause for panic. Not every data protection incident is a breach of the GDPR. As ever, compliance is key.

The law requires data controllers and processors to implement and document appropriate measures. If you’ve done that, you might not be liable should a data breach happen. Better yet, you might avoid any incidents in the first place.

If you need advice on data breaches or implementing appropriate data protection measures, get in touch with one of our Data Protection experts.