Landmark Judgment of the German Federal Court of Justice: Loss of Control over Personal Data as a Basis for Non-Material Damage Compensation under the GDPR
December 04, 2024
The German Federal Court of Justice (Bundesgerichtshof) has recently rendered a landmark decision regarding the loss of control over personal data as a basis for non-material damage compensation under the General Data Protection Regulation (“GDPR”). In a case concerning a massive Facebook data leak, the court concluded that even a temporary loss of control over personal data can justify non-material damage compensation without requiring proof of specific misuse or harmful consequences.
The Federal Court’s decision followed rulings from lower German courts, which had started to develop case law on non-material damage compensation for personal data breaches. We analyzed the positions taken by German regional courts in similar cases in our previous articles on the decision of the Munich Regional Court and the decision of the Schleswig-Holstein Regional Court.
This decision significantly impacts existing case law by clarifying the standards for recognizing the right to non-material damage compensation at the highest judicial level, thereby further strengthening data subjects’ rights in the event of GDPR violations.
How Did the Data Breach Occur?
In April 2021, personal data of 533 million Facebook users became publicly available on the internet due to the exploitation of a phone number search tool. An unknown party used the feature allowing accounts to be found by phone numbers, randomly generating numbers to search Facebook. Through this method, it accessed user profiles linked to corresponding phone numbers.
One affected individual had his user ID, first and last name, workplace, and gender linked to his phone number. Although he had marked his phone number as “private,” meaning visible only to him, he left the search setting on the default “Everyone,” allowing others to find his profile through his phone number. The user argued that Facebook had failed to implement adequate security measures and filed a claim seeking €250 in non-material damage compensation. After the Regional Court ruled in favor of the user, the Higher Regional Court of Cologne reversed the decision and dismissed the claim entirely. Ultimately, the case was brought before the German Federal Court of Justice.
The Decision of the Federal Court of Justice
The German Federal Court of Justice partially overturned the Higher Regional Court of Cologne’s decision and remanded the case for reconsideration. In doing so, the court set an important precedent, taking the following positions:
- Loss of Control over Personal Data is a Sufficient Basis for Non-Material Damage Compensation under the GDPR
The court held that the data subject is not required to prove specific data misuse or emotional distress. Unauthorized disclosure of data and the resulting loss of control are sufficient grounds for claiming non-material damages.
- Default Settings Were Inconsistent with the GDPR
The court highlighted the inconsistency between the default “Everyone” setting and two key GDPR provisions:
The first is the data minimization principle (Article 5 GDPR), which mandates collecting only the data necessary for the specific processing purpose. A setting that collects all data contradicts this principle, as processing all data is unnecessary.
The second is Article 25 of the GDPR, which mandates data protection by design: systems must include data protection measures and default settings that minimize the amount of data collected. A system that by default collects all data, without considering its necessity, violates this principle as well.
- Determining the Amount of Non-Material Damage
The court provided guidelines on how non-material damages should be assessed under the German Civil Procedure Code. It stated that compensation should be proportionate and effective. In cases where no additional harm occurred, a non-material damage award of approximately €100 could be appropriate. However, if the claimant can prove emotional distress or other negative consequences, the award could be higher.
- Legal Interest for Rendering a Declaratory Judgment
The court recognized the data subject’s legal interest in obtaining a declaratory judgment, considering the ongoing risk of future misuse of leaked data.
Impact of the Judgment on National Court Practice in the EU
The Federal Court of Justice’s decision significantly changes the previously restrictive approach of German courts regarding non-material damage compensation for GDPR violations. This ruling aligns more closely with the case law of the Court of Justice of the European Union (CJEU) and strengthens the rights of data subjects.
The decision is groundbreaking because it acknowledges the significance of the violation of data protection rights itself, without requiring proof of specific consequences. This opens the possibility for damage awards even when no additional negative effects are evident. The ruling also provides clear guidelines for implementing the GDPR, particularly regarding data controllers’ responsibilities.
This approach could inspire similar practices in other EU member states, promoting the harmonized application of the GDPR across the EU. It remains to be seen how national courts throughout the EU will respond to this groundbreaking decision of the German Federal Court of Justice.