A German appeals court has ordered Meta Platforms to pay damages to a Facebook user whose data was exposed in a massive scraping incident, finding the company violated European data protection rules through inadequate default privacy settings. The Frankfurt Higher Regional Court (OLG) ruled on April 8, 2025, that Meta failed to uphold the GDPR’s principle of data minimization, leading to the user’s loss of control over personal information.
While the damages awarded were modest at €200, the ruling underscores ongoing legal liability for Meta regarding past data handling practices under the General Data Protection Regulation (GDPR).
Privacy By Default Violation Led To Scraping Exposure
The Frankfurt court (case Az. 6 U 79/23) determined that Meta breached Article 25 of the GDPR, which mandates ‘data protection by design and by default’. The issue stemmed from Facebook’s “contact import tool” settings between early 2018 and September 2019. By default (“all” setting), the platform allowed any user to find another user’s profile using their phone number, even if the user had set their phone number’s visibility to private.
This vulnerability was exploited by scrapers who used automated methods to harvest phone numbers and link them to publicly available profile data like names and locations. This technique contributed to the April 2021 leak where datasets of approximately 533 million Facebook users were published online.
The OLG Frankfurt found that Meta’s default setting did not adequately protect user data, stating platform operators must ensure settings prevent data being made available to an indeterminate group without explicit user action. The court agreed with the plaintiff that this violation led to a loss of control over personal data and created a justifiable “fear of misuse” following the data leak, warranting the €200 compensation.
The decision overturned an earlier ruling by the Wiesbaden Regional Court (Az. 10 O 52/22) which had dismissed the claim. The Frankfurt court also ordered Meta to cease making user data accessible to third parties via such import tools based on default settings.
Wider Context Of GDPR Scraping Lawsuits
The new ruling is one of many similar GDPR lawsuits filed against Meta across Germany following the 2021 data exposure. While court decisions have varied, a trend has emerged where German courts often award small amounts of immaterial damages (typically €100-€500) for the loss of data control, even if plaintiffs cannot prove specific subsequent harm like identity theft.
This contrasts slightly with earlier German Federal Court of Justice (BGH) guidance suggesting around €100 might be appropriate for the “mere control loss.”
The case highlights the practical application of GDPR principles demanding robust privacy safeguards by design and default. Although the award appears merely symbolic, it might set a precedent for the future. In a more impactful case, Ireland’s Data Protection Commission fined Meta €251 million in December 2024 for GDPR Article 25 violations related to a separate 2018 data breach.
Separate EU Action: First Fines Reported Under Digital Markets Act
In a separate development, the European Commission last week delivered its first financial penalties under the newer Digital Markets Act (DMA), targeting both Apple and Meta. Apple received a €500 million ($572 million) fine for breaching the DMA’s “anti-steering” provisions in its App Store, which restrict developers from informing users about cheaper purchase options outside the platform. The official EU announcement apparently elaborated that these rules hinder developers.
Meta, under this separate DMA action, was fined €200 million concerning its “pay or consent” model used for Facebook and Instagram between March and November 2024. This model required users to either pay a fee (initially higher but later reduced following pressure) or consent to extensive data tracking.
The Commission concluded this didn’t offer a valid choice under the DMA, echoing preliminary concerns raised in 2024 that the model “may not provide a real alternative in case users do not consent, thereby not achieving the objective of preventing the accumulation of personal data by gatekeepers.” The investigation into Meta’s revised model was said to be ongoing.
This reported DMA enforcement action arrived against a political backdrop, following suggestions of earlier delays possibly linked to US trade talks and lobbying by tech firms, including pushback framed by a White House memorandum describing such regulations as “overseas extortion.”
Despite an earlier temporary freeze on the decision, attributed to technical reasons, the Commission ultimately moved forward. Henna Virkkunen, EC executive vice-president for tech sovereignty, was quoted stating, “The decisions adopted today find that both Apple and Meta have taken away this free choice from their users and are required to change their behaviour,” emphasizing the goal that “citizens have full control over when and how their data is used online, and businesses can freely communicate with their own customers.” Antitrust commissioner Teresa Ribera reportedly called the action “firm but balanced” and intended to “send a strong and clear message.”
Both companies reportedly signaled disagreement and intent to appeal these DMA fines. Apple was quoted saying the EC is “unfairly targeting Apple in a series of decisions that are bad for the privacy and security of our users, bad for products, and force us to give away our technology for free.”
Meta’s chief global affairs officer, Joel Kaplan, reportedly stated the Commission “is attempting to handicap successful American businesses.” Notably, Apple has also avoided a separate DMA fine by complying with rules on browser choice and app uninstallation.