Facebook Faces Massive Fine For 2019 Data Leak as German Users Join in Collective Lawsuit

German consumers potentially affected by a massive Facebook data leak dating back several years now have a formal avenue to seek compensation. The country’s Federal Office of Justice today, May 5, opened the official register allowing individuals to join a collective lawsuit filed against Meta Platforms Ireland Limited at the Higher Regional Court (OLG) Hamm.

Spearheaded by the Verbraucherzentrale Bundesverband (vzbv), Germany’s consumer protection federation, this “Musterfeststellungsklage” – a form of model declaratory action in Germany – aims to establish Meta’s liability for damages under GDPR stemming from the incident.

The lawsuit centers on a large-scale “scraping” event where personal information associated with hundreds of millions of Facebook profiles was illicitly gathered using automated methods. This data later surfaced online.

The vzbv contends that Meta’s data protection measures were insufficient, leading to a loss of control over personal data for affected users – a basis for claiming damages under European privacy law. Jutta Gurkmann from vzbv stated, “With the BGH ruling behind us, the vzbv is working to ensure that those affected by the Facebook data leak are financially compensated”.

The consumer group suggests that potential damages could reach up to €600 per person, with the actual amount depending on the scope of personal data exposed in their specific case, which might include phone numbers, email addresses, birth dates, locations, or relationship statuses alongside Facebook IDs. The vzbv has published guidance on its website to help potential claimants check eligibility.

The Scale Of The Facebook Data Exposure

This legal action traces back to 2019 when databases containing details linked to Facebook accounts were discovered exposed on the internet. Initial reports pointed to over 419 million records, including phone numbers mapped to Facebook IDs and, in some cases, user names, gender, and country. Later findings reported in 2021 suggested the scope might have been even larger, potentially involving data from 533 million users globally, including an estimated 6 million in Germany, circulating online.

Meta acknowledged at the time that the data was likely harvested prior to April 2018. Before that date, Facebook allowed searching for user profiles by inputting a phone number, a feature attackers exploited through automated scripts to systematically link numbers to accounts and scrape associated public profile data.

While Facebook restricted this specific search vector in April 2018 following earlier data privacy controversies, the collected data remained vulnerable. The exposure of phone numbers linked to profiles raised concerns about risks ranging from targeted spam to potential SIM swapping attacks, where criminals attempt to take over a person’s phone number to bypass security measures – a technique used in high-profile incidents like the hacking of Jack Dorsey’s Twitter account.

Legal Footing For The Collective Claim

The vzbv’s case, filed in December 2024, leans heavily on the principle of claiming non-material damages for the mere loss of control over personal data under GDPR. This interpretation gained significant traction in Germany following a landmark Federal Court of Justice (BGH) ruling in November 2024. That decision, coincidentally involving this very Facebook scraping incident, affirmed that inadequate data protection leading to such exposure could indeed justify compensation, even without proof of specific subsequent harm like identity theft.

Further bolstering the case, the Frankfurt Higher Regional Court (OLG Frankfurt) already ordered Meta to pay a user €200 in damages in a ruling dated April 8, as detailed in a court press release.

The Frankfurt court explicitly found Meta in breach of GDPR Article 25 (‘data protection by design and by default’) due to the pre-September 2019 settings that enabled the scraping via phone number lookups.

While individual lawsuits have yielded relatively small awards (€100-€500 being typical in German courts for this incident), the collective action offers a potentially more streamlined path for users. This legal route operates independently of regulatory enforcement actions; the Irish Data Protection Commission, Meta’s lead EU regulator, already imposed a €265 million fine on the company in November 2022 specifically for GDPR violations connected to the scraping incident.

Joining The Lawsuit And Broader Context

Users who had public profile data on Facebook in 2018 or 2019 and believe they were affected can now formally join the vzbv’s lawsuit via the Bundesamt für Justiz’s online portal. The Musterfeststellungsklage allows consumer organizations to seek a court declaration on factual and legal questions relevant to many individual claims, potentially simplifying subsequent individual compensation efforts if the ruling is favorable.

This collective action represents another significant legal challenge for Meta regarding its handling of user data, adding to a history that includes the Cambridge Analytica scandal.

That separate incident resulted in a record $5 billion fine from the US Federal Trade Commission in 2019 and a $725 million class-action settlement in the US in December 2022. More recently, Meta has faced legal action over allegations it used copyrighted materials, including books sourced from “shadow libraries”, without permission to train its Llama AI models. While distinct from the GDPR scraping case, these instances illustrate ongoing legal and public examination of Meta’s data acquisition and usage practices.

Markus Kasanmascheff
Markus has been covering the tech industry for more than 15 years. He holds a Master's degree in International Economics and is the founder and managing editor of Winbuzzer.com.
