OLG Hamm confirms Facebook’s responsibility in scraping incidents under the GDPR
In its ruling of April 2, 2024 (Case No.: 7 U 19/23), the Higher Regional Court (OLG) of Hamm made a landmark decision regarding the unauthorized collection and publication of personal data from Facebook users. The court identified what is known as Facebook scraping, where publicly viewable information from Facebook profiles is automatically read on a massive scale and later disseminated on the Internet, as a serious violation of key provisions of the General Data Protection Regulation (GDPR). The decision has far-reaching significance for both digital economy companies and individuals whose data is processed on social media platforms.
Background of the legal dispute
Facebook scraping refers to automated access to publicly accessible profile data, for example via so-called bots. In the present case, numerous items of personal information – especially names, phone numbers, and user IDs – were extracted from the Facebook profiles of millions of European users and published on an external website without the consent of those affected. Ultimately, an affected individual filed a lawsuit for injunctive relief and non-material damages pursuant to Art. 82 GDPR, arguing that Facebook as the controller had failed to take adequate technical and organizational measures to prevent such access.
Key statements from OLG Hamm
Responsibility according to Art. 4 No. 7 GDPR
The OLG Hamm clarified that Meta Platforms Ireland, as the operator of Facebook, remains the “controller” for the processing of the relevant data within the meaning of the GDPR. The readability of phone numbers was primarily based on the platform’s configuration and the settings options provided by Facebook. Even in cases where affected users voluntarily published their own information – particularly their phone numbers – in their profiles, significant responsibility remains with the platform.
Violation of technical and organizational protection obligations
The court emphasized that Facebook has special obligations pursuant to Art. 25 and Art. 32 GDPR. Accordingly, taking appropriate technical and organizational measures in advance to protect personal data is essential. However, Facebook had not sufficiently ensured that automated data collection by bots and scraping tools was effectively prevented. In particular, privacy-friendly defaults and effective mechanisms to detect and prevent such access were not implemented to an adequate extent.
Compensation for damages under Art. 82 GDPR
In this specific case, however, the OLG Hamm decided that the claim for non-material damages was not successful. Although a data protection violation was proven, the plaintiff, according to the Senate’s assessment, did not demonstrate individually attributable harm that went beyond the abstract impairment of data protection. Here the judgment emphasizes the procedural necessity of a substantiated presentation of concrete non-material damage.
Significance for data protection in the platform economy
The court’s fundamental legal assessment makes it clear that platform operators like Facebook are also obliged to prevent the automated reading of public user data, even when users themselves make information public. The decision reinforces the scope of data protection responsibility for large digital companies. In particular, the claim to the implementation of effective protective mechanisms against the mass reading and publishing of personal data by third parties has been strengthened.
Impact on corporate compliance strategies
Given the now confirmed obligations under the GDPR, companies are required to continually adapt security concepts and data protection measures to evolving threat situations and the increased demands of European courts. Particularly for platforms with publicly viewable user profiles, the extent of technical and organizational measures will come into sharper focus than before. With regard to bot and scraping prevention especially, technical protective measures must be regularly reviewed and adjusted to the state of the art to minimize potential liability and reputational risks.
Legal classification and outlook
The judgment of the OLG Hamm further underscores that the protection of personal data in the digital environment requires a dynamic and ongoing adaptation process from controllers. At the same time, it should be noted that claims against Facebook concerning compensation for damages are to be assessed on a case-by-case basis. The proceedings can be seen as exemplary for the interpretation and application of the GDPR in the context of social networks; further supreme court decisions, such as those by the Federal Court of Justice or the European Court of Justice, could have an even more formative impact on the future legal framework. In view of the legal situation not yet being final and of ongoing similar proceedings, the presumption of innocence for companies and their representatives continues to apply (Source: OLG Hamm, Judgment of 02.04.2024, Case No. 7 U 19/23).
For companies, investors, and individuals who are confronted with complex questions in data protection and IT law in the course of ongoing digitalization, it can be beneficial to seek well-founded advice on current developments and new compliance requirements. The attorneys at MTR Legal are available for an individual assessment and legally secure support in light of current case law.