The Hamm Higher Regional Court has spoken, and the world of data protection is holding its breath. The much-discussed Facebook scraping judgment of August 15, 2023 ( ref. 7 U 19/23 ) sheds a bright light on the legal aspects of data protection violations and claims for damages. If you thought privacy was just a buzzword in our digital era, then you definitely shouldn't miss this article.

The case at a glance

It all started in April 2021, when unknown people published the sensitive data of around 500 million Facebook users on the dark web. Names, phone numbers – everything was there. But how did they get this information? The magic word: scraping. They used Facebook's search function to read user profiles, even if the phone number was not visible.

A data heist that remained undetected for years. Facebook responded by disabling search functions, but the damage was already done.

The lawsuit and the hope for compensation

An affected plaintiff whose data ended up on the Darknet demanded damages of at least 1,000 euros from Meta, the operator of Facebook. She was convinced that Meta had violated GDPR data protection regulations. The case ended up before the Bielefeld regional court, where the lawsuit was dismissed. But the plaintiff didn't give up and filed an appeal, which was ultimately heard at the Hamm Higher Regional Court.

GDPR violations and the role of Meta

The Higher Regional Court found that there was no doubt that there had been violations of the GDPR. Meta was unable to prove that disclosing the plaintiff's cell phone number was justified. The processing of this data for the purpose of connecting Facebook users required consent, which was not lawfully obtained. A breach of duty by Meta was also confirmed as the company had not taken appropriate measures to prevent further breaches despite knowledge of data access.

The crux of the matter: the non-material damage

Despite the proven data protection violations, the Higher Regional Court rejected the claim for damages. The reason? The plaintiff was unable to prove any specific non-material damage that went beyond the GDPR violation. The court emphasized that such damage must be personal or psychological in nature. Simply violating the GDPR is not enough. The plaintiff was unable to explain individually how she had suffered as a result of the data misuse.

Provisions of the General Data Protection Regulation (GDPR) relevant to the decision

Art. 4 – Definitions
For the purposes of this Regulation, the expression means: […]

  1. “Processing” means any operation or series of operations carried out with or without the aid of automated procedures in connection with personal data, such as the collection, recording, organization, structuring, storage, adaptation or modification, reading, querying, use , disclosure by transmission, distribution or other form of making available, alignment or combination, restriction, deletion or destruction; […]

Art. 5 – Principles for the processing of personal data
(1) Personal data must
a) be processed lawfully, in good faith and in a manner that is understandable to the data subject (“legality, fair processing, transparency”) ;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes;
further processing for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes shall not be considered incompatible with the original purposes in accordance with Article 89(1) (“purpose limitation”); c) be adequate and relevant to the purpose and limited to what is necessary for the purposes of the processing (“data minimization”); […]

(2) The person responsible is responsible for compliance with paragraph 1 and must be able to demonstrate compliance (“accountability”).

Article 6 - Lawfulness of processing
(1) Processing is lawful only if at least one of the following conditions is met:
a) the data subject has given his consent to the processing of personal data concerning him or her for one or more specific purposes;
b) the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps prior to entering into a contract at the data subject's request; […]

Art. 7 – Conditions for consent
(1) If the processing is based on consent, the controller must be able to prove that the data subject has consented to the processing of their personal data.
(2) If the data subject's consent is given in a written statement that also concerns other matters, the request for consent must be made in an understandable and easily accessible form in clear and simple language in such a way that it can be clearly distinguished from the other matters is. Parts of the declaration are not binding if they constitute a violation of this regulation. […]

Art. 32 - Security of processing
(1) Taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing as well as the different probability of occurrence and severity of the risk to the rights and freedoms of natural persons The controller and the processor have appropriate technical and organizational measures to ensure a level of protection appropriate to the risk; […]

Art. 82 – Liability and right to compensation
(1) Any person who has suffered material or immaterial damage as a result of a violation of this Regulation is entitled to compensation for damages from the controller or the processor. […]

Conclusion: A hard blow for data protection

The ruling by the Hamm Higher Regional Court sends a clear signal to Facebook users and everyone who is concerned about their privacy. While Facebook was warned for data protection violations, a user's lawsuit was dismissed. However, this does not mean that the battle over data protection and compensation is over. The data theft and its consequences are far-reaching and the legal dispute will continue.

Stay informed and protected
The world of data protection is complex and constantly changing. To stay up to date and protect yourself from data breaches, subscribe to the Mimikama newsletter . Also discover our comprehensive media education offering to strengthen your digital skills and protect yourself from online fraud and data misuse. Your data is worth protecting!

If you want to learn more about privacy, fact-checking, and online safety, Mimikama is your trusted companion. Stay safe and well informed!

Source:

Hamm Higher Regional Court 7U 19/23 , Hamm Higher Regional Court: Leading decision on Facebook scraping

You might also be interested in:
Beware of the online credit trap: This is how you protect yourself from rip-offs!
EU takes on Facebook, Amazon and Co!
Blind sharing: Between self-affirmation and responsibility


If you enjoyed this post and value the importance of well-founded information, become part of the exclusive Mimikama Club! Support our work and help us promote awareness and combat misinformation. As a club member you receive:

📬 Special Weekly Newsletter: Get exclusive content straight to your inbox.
🎥 Exclusive video* “Fact Checker Basic Course”: Learn from Andre Wolf how to recognize and combat misinformation.
📅 Early access to in-depth articles and fact checks: always be one step ahead.
📄 Bonus articles, just for you: Discover content you won't find anywhere else.
📝 Participation in webinars and workshops : Join us live or watch the recordings.
✔️ Quality exchange: Discuss safely in our comment function without trolls and bots.

Join us and become part of a community that stands for truth and clarity. Together we can make the world a little better!

* In this special course, Andre Wolf will teach you how to recognize and effectively combat misinformation. After completing the video, you have the opportunity to join our research team and actively participate in the education - an opportunity that is exclusively reserved for our club members!


Notes:
1) This content reflects the current state of affairs at the time of publication. The reproduction of individual images, screenshots, embeds or video sequences serves to discuss the topic. 2) Individual contributions were created through the use of machine assistance and were carefully checked by the Mimikama editorial team before publication. ( Reason )