Facebook users involved in major data incident eligible for compensation, German court rules
A German court has ruled that people whose data was accessed and exfiltrated by cybercriminals during a data breach in 2018-2019 are entitled to compensation.
On Monday, November 18, the German Federal Court of Justice (BGH) ruled that those affected by a loss of control of basic data can seek compensation without proving specific damages or financial impact.
This decision was made following a cyber incident in 2018 and 2019, in which malicious actors stole the data of approximately 533 million users, including 6 million in Germany.
Back then, it was possible to search for users using their phone number. Using this technique, malicious actors performed automated searches on millions of randomly generated phone numbers to scrape user data. This data was then disclosed in April 2021.
When the incident first occurred, thousands of affected people in Germany sought compensation; however, the claims were rejected because the company had not been hacked and users were unable to prove the exact damages.
In one case, a user requested a minimum of €1,000 (A$1,626) in compensation, but was rejected by the Cologne Higher Regional Court.
Today, the BGH’s new decision sets a precedent that will require a re-examination of these allegations.
Although the BGH is unlikely to pay the full €1,000 for the above case, it said it would consider €100 as appropriate compensation as the damages are not specified.
The court also said the lower court should decide whether users voluntarily consented to the use of their data and whether Facebook was transparent about the terms of their use.
However, despite the ruling, Facebook’s parent company Meta has doubled down on its decision not to pay compensation following the incident.
Regarding the latter claim, a spokesperson for Meta said the decision was “incompatible with recent case law of the European Court of Justice”, the EU’s highest court.
“Similar claims have already been rejected 6,000 times by German courts, with a large number of judges ruling that there was no claim for liability or damages.
“Facebook’s systems were not hacked in this incident and there was no data breach,” the spokesperson said.