Facebook - data breach

The risk posed by a data breach depends on the leaked data. Depending on the information disclosed, there may be an increased potential for spam when email addresses are leaked, misuse of exposed passwords, Trojan emails, social engineering, and phishing attacks. The risks increase the more data is available to the sender. As a result of a data protection incident, there is a tangible risk of financial damage, such as through the misuse of credit card data or identity theft leading to fraudulent commitments at the expense of the affected individual. If location data is involved, the leaked information may also be used to create movement profiles of those affected. The risk of becoming a victim of extortion or threats also increases, particularly when sensitive data is involved. Especially concerning sensitive categories of personal data such as political beliefs, union membership, sexual orientation, or health data, there is an increased interest in deciding who learns such details.

With the support of Protectra, which consolidates and enforces the claims of affected individuals. Particularly advantageous for those affected: According to Article 82(4) GDPR, both the data controller and any processors involved in the processing may be held jointly and severally liable for violations. Additionally, Article 82(3) GDPR significantly eases the enforcement of claims because the data controller must prove the proper handling of personal data:

"The controller or the processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage."

Both Art. 82 para. 1 GDPR and § 83 para. 2 BDSG provide for compensation for non-material damages. Since December 2023, the European Court of Justice (ECJ) has defined the conditions under which compensation claims apply in a series of rulings (C-340/21, C-456/22, C-667/21, C-300/21, C-182/22, C-189/22, C-200/23) in favor of individuals whose personal data was unintentionally published. The Federal Court of Justice (BGH) has now ruled in its leading decision on the scraping incident at Facebook that the mere loss of control over personal data can constitute damage within the meaning of Art. 82 GDPR, and there is no need to prove additional concerns or fears.

As soon as there are updates, we will inform you about the status of your case in our "Blog on Data Protection Scandals and Other Small Matters" section on our homepage. We kindly ask that you refrain from inquiries in the meantime. In a relatively new legal field without consistent case law, it is not uncommon for the completion of a single instance to take a considerable amount of time (sometimes over a year).

Protectra, our opponents, or the legal protection insurance.

As a data processor, Facebook is generally obligated under Art. 34 GDPR to inform affected individuals about a data breach, especially when it involves a "likely high risk to the personal rights and freedoms" of the affected individuals. Facebook argues that the obligation to inform was waived because subsequent measures were taken to ensure that the risk no longer persisted.

In leading decisions, the Federal Court of Justice (BGH) decides on fundamental legal questions, even if the procedure has already been completed. Typically, in a large number of civil lawsuits with similar factual circumstances (such as the dispute over the Facebook data breach), the same decisive legal questions arise, which the BGH clarifies at the highest judicial level. This allows lower courts in similar cases to make swift decisions based on this leading decision.

In the oral hearing on November 11, 2024, the BGH stated that the mere loss of control over personal data can constitute damage within the meaning of Art. 82 GDPR, and that there is no need to prove additional concerns or fears.