Facebook data leak: Is a lawsuit worthwhile? Worth knowing for companies too

Note: This article has been machine translated and may therefore contain translation errors.

A contribution from

Alexander Brittner, LL.M.

Salary Partner, Attorney at Law

More than 500 million Facebook users were affected by a data leak at the Meta Group in spring 2021. While many companies fear for their existence as soon as individual emails are lost, there was little panic at the social media service.

However, the leakage of personal data (names, addresses, birthdays, telephone numbers) to a hacker forum does have consequences. In addition to a fine of no less than 265 million euros, successful lawsuits against Facebook for inadequate security measures and a lack of legal basis are multiplying.

We examine the factual and legal situation for you and enable you to assess your personal chances of success in a lawsuit. For companies, we draw conclusions from the current case law.

Data leakage on Facebook

In 2021, a data leak occurred on the social media platform Facebook. Hackers had exploited an incompletely secured Facebook function to gain access to the data of millions of users. This was probably data from before August 2019.

The data was used to send messages using the stolen identities. Recipients were then asked to click on a link that led to the installation of malware. Large amounts of data were also siphoned off in this way.

The website “haveibeenpwned.com” can probably be used to find out whether your personal data has also been misused. Of course, we cannot make any statement regarding the accuracy and completeness of this third-party service. However, it provides interesting information about your own data.

Data protection assessment

Personal data, i.e. information that can be used to directly or indirectly identify a person, is protected in particular by the provisions of the General Data Protection Regulation (GDPR). In addition to a general need for protection, which is set out in Art. 1 GDPR, there are special regulations that prescribe protection requirements (Art. 5), legality requirements (Art. 6) or necessary security measures (Art. 32).

Even if the Meta Group is only accused of negligence in the handling of user data, violations of these requirements lead to a claim for damages by the affected user under Art. 82 GDPR.

Lawsuits against Meta

These claims for damages have recently been asserted on a large scale. As a rule, no out-of-court settlement was reached with the Group, so legal action had to be taken. These lawsuits were often successful, as the outflow of data could be proven quite clearly and Facebook could not exonerate itself from liability.

However, the courts assessed the damage suffered by the person concerned, in particular the non-material portion, quite differently. The background to this is that such a calculation of damages is based on a judicial estimate. Still, amounts of between € 300 and € 1,000 (e.g. Stuttgart Regional Court, decision of 28.02.2023, Ref. 3 O 220/22) were awarded to those affected. In addition, there were reimbursable legal fees.

Accordingly, the cost of enforcing such claims must be weighed against the extent of the data outflow and the company’s own real interest in enforcing its rights. It will no longer be possible to delete the externally accessed data in this way, but it will be possible to obtain some satisfaction from the Meta Group.

Prevention

Even with personal data, prevention is better than cure. Anyone who (voluntarily) publishes data exposes themselves to a certain risk of misuse. The less data is disclosed, the lower the probability of it being misused to one's own detriment, but also the lower the participation in new media. The extent to which real data minimization can be maintained today is a matter of personal disposition. After all, the legislator, much-maligned for the GDPR, has provided means that make security breaches costly for companies.

Conversely, as a company you should always ask yourself whether the technology currently in use offers sufficient security for customer and employee data. Similar data outflows are also conceivable outside of social media platforms. Since a certain level of risk can never be completely ruled out, investments in state-of-the-art security measures are unavoidable. This is what the use of IT entails.

Conclusion

Check for yourself whether enforcing claims against the Meta Group will bring you satisfaction. At the very least, however, you should carefully consider whether the disclosure of personal data is always necessary.

As an entrepreneur, you must take measures to ensure the security of personal data in your company in order to avoid claims for damages and fines.
