ai - legal insight

#37 Law & Code: The BGH vs. Big Tech — How Losing Data Control Became a Legal Win

  • Annika Schüller
  • November 6, 2025

In November 2024, Germany’s highest civil court — the Bundesgerichtshof (BGH) — handed down a decision that could reshape how data privacy rights are enforced across Europe. For the first time, the court said that losing control over your personal data alone can count as real harm — even if that data isn’t misused or sold.

In simple terms: if your personal data leaks, and you no longer have control over where it goes or who can see it, that loss of control itself can be enough to claim compensation. You don’t have to prove that someone stole your identity or emptied your bank account.

The case is seen as a major step for digital rights in Europe — and a potential headache for companies that handle user data.

How It All Started: The Facebook Scraping Scandal

The case (BGH, VI ZR 10/24) came out of one of the biggest data incidents in recent years. In 2021, hackers exploited a feature on Facebook that let users find friends by uploading phone numbers. By feeding in millions of random numbers, the attackers managed to connect those phone numbers to real Facebook profiles — names, user IDs, workplaces, and other public info — and later dumped the data online.

Over 530 million users were affected worldwide, including about six million Germans.

One of those users decided to take Facebook’s parent company, Meta, to court. His argument was simple: by allowing this to happen, Facebook had failed to protect his data. He hadn’t lost money or suffered identity theft, but his personal information was out there for anyone to find — and he felt that loss of control was harm in itself.

The case went through several levels of the German court system. The first court gave him €250 in damages. The next court threw the case out, saying he hadn’t proven any “real” harm. But the BGH — Germany’s top civil court — disagreed and set a new standard that could ripple across Europe.

What the Court Actually Said

The BGH confirmed that under the EU’s General Data Protection Regulation (GDPR), individuals can claim damages when a company violates their data protection rights. That’s nothing new — Article 82 of the GDPR has always allowed people to seek compensation for both material (financial) and non-material (emotional or reputational) harm.

The twist here is what counts as “non-material damage.”

According to the court, simply losing control over your personal information — for example, if it’s leaked online or accessed by third parties without your consent — is enough. You don’t have to show emotional distress or a financial loss. The fact that your data is “out there” is harm in itself.

The judges pointed to Recital 85 of the GDPR, which explicitly lists “loss of control over personal data” as one possible form of damage. They also looked at previous European rulings that hinted in the same direction.

In essence, the BGH said: Data protection is about control, not just damage after the fact.

Why This Matters So Much

This may sound like a small legal nuance, but it’s actually a major shift.

Until now, many European courts — including several in Germany — had taken a narrow approach. They often required plaintiffs to prove that they suffered emotional stress, reputation damage, or some other measurable consequence. That made it hard for ordinary users to claim compensation unless the data breach led to something tangible, like identity theft or fraud.

The BGH’s ruling changes that.

Now, just the fact that your personal information slipped out of your hands — even temporarily — can be considered a legitimate harm.

That opens the door to thousands of potential claims following big data leaks or scraping scandals. For instance, in the Facebook case alone, millions of users could theoretically file for compensation, even if their data hasn’t been misused.

How the Court Reached Its Decision

To understand the reasoning, it helps to know how GDPR claims work.

Under Article 82 GDPR, a person must prove three things:

  1. There was a violation of the GDPR.
  2. They suffered some form of damage.
  3. The violation caused that damage.

In the past, courts argued endlessly over point two — what counts as damage?

The BGH said it’s wrong to think of damage purely as something visible or financial. Losing control over your personal data is an invasion of privacy, which affects a person’s sense of security and autonomy. In other words, you may not be poorer, but you’ve still lost something valuable — control.

The court used an everyday analogy: if someone takes your keys and makes a copy without permission, even if they never enter your home, you’ve still lost control over who might. That feeling of exposure is itself a harm.

The BGH didn’t set an exact amount for compensation but suggested that around €100 per person could be reasonable for a case involving only loss of control, without additional emotional or financial harm. The case was sent back to a lower court to decide the exact figure.

What It Means for Everyday Users

For individuals, this decision is empowering. It reinforces the idea that privacy isn’t a luxury — it’s a right.

It means that when a company mishandles your data — whether it’s a leak, a hack, or a scraping incident — you may be entitled to compensation even if you can’t show concrete damage.

It also strengthens the idea of data sovereignty — the notion that people should have meaningful control over their digital identity and information.

This could spark more legal claims after data breaches, especially in Germany, where consumer rights groups are already testing collective actions under GDPR.

What It Means for Companies

For companies that handle user data — from tech giants to small online shops — the decision raises the stakes.

Previously, firms often treated minor data incidents as manageable risks. If no customers complained or lost money, the issue could often be resolved quietly. But now, even “minor” leaks could turn into hundreds or thousands of small compensation claims.

Businesses will have to take “data protection by design” much more seriously — meaning privacy and security must be baked into every system from the start, not added later as an afterthought.

It’s also a warning that compliance isn’t just about avoiding fines from regulators; it’s about potential civil liability to users.

Insurance companies are already warning that such claims could drive up the cost of cyber liability policies. And law firms specializing in mass claims are likely preparing for a wave of GDPR lawsuits.

The Legal Grey Areas That Remain

Despite its clarity on the main point, the ruling leaves a few questions open.

First, what exactly counts as “loss of control”?

Does a brief technical glitch that exposes data for a few minutes qualify? What if the data was already public on social media? The BGH didn’t define the boundaries clearly, leaving future courts to work out the details.

Second, how should damages be calculated?

The €100 figure mentioned in the ruling was an example, not a rule. Some argue it’s too low to deter big companies; others fear it will encourage opportunistic lawsuits over small breaches.

Third, how will this fit with EU-wide interpretations of GDPR?

The Court of Justice of the European Union (CJEU) has also ruled on data-protection damages but hasn’t gone quite as far as Germany’s BGH. If other member states interpret the law differently, the EU may face a patchwork of national standards — ironic for a regulation meant to unify privacy rules.

Finally, how will courts handle mass claims?

Germany allows limited forms of collective redress, but GDPR doesn’t provide an EU-wide mechanism for class actions. If thousands of people file separate €100 claims after a breach, courts could quickly become overloaded.

The Facebook Factor: Why This Case Hits Home

Meta (Facebook’s parent company) has been at the centre of many privacy controversies, from the Cambridge Analytica scandal to repeated GDPR investigations.

For users, the 2021 scraping incident was frustrating because it wasn’t caused by a hack in the traditional sense — it was the result of a feature Facebook had built. The company argued that the scraped data was already public, but regulators disagreed.

Ireland’s Data Protection Commission, which oversees Meta in the EU, fined the company €265 million in 2022 for failing to protect user data from this kind of automated collection.

The BGH case builds on that enforcement, turning a regulatory fine into something individuals can claim for themselves. It shows that privacy violations don’t just lead to government penalties — they can lead to personal compensation too.

Why “Control” Is Such a Big Deal

The idea of control is at the heart of modern privacy law.

When the GDPR was written, lawmakers wanted to move away from a world where users had no say over how their data was collected, shared, or sold. The regulation gives people specific rights — like the right to access, correct, or delete their data — all based on the principle of control.

The BGH ruling reaffirms that principle. It says that when control is lost, even briefly, that’s a violation of the very purpose of the GDPR.

This resonates especially strongly in Germany, where privacy has deep cultural and historical importance. After the surveillance of the Nazi regime and the East German Stasi, the idea of informational self-determination — that every person should control their own data — became part of the country’s legal DNA.

So while some critics see the ruling as opening the floodgates for lawsuits, others view it as a logical continuation of Germany’s long-standing commitment to personal autonomy and dignity in the digital age.

The Bigger Picture: Privacy in the Age of AI

The timing of this ruling couldn’t be more relevant. As artificial intelligence systems become more integrated into everyday life, they rely on massive amounts of personal data — from facial images to voice recordings to behavioural patterns.

That raises a question: what happens when you lose control of your data not because of a leak, but because it was fed into an AI model?

The EU’s upcoming AI Act will require AI providers to document training data, manage risks, and ensure transparency. The logic of the BGH decision — that loss of control itself is harm — could influence how courts view future AI-related data cases.

If your data is used to train an AI without your consent, or if the system makes decisions about you in ways you can’t understand or challenge, you might one day rely on this same principle to claim that you’ve lost control — and therefore suffered harm.

Final Thoughts

The BGH’s “loss of control” decision marks a new phase in Europe’s data-protection story.

For individuals, it’s validation that privacy violations matter even when the damage isn’t visible. For companies, it’s a reminder that compliance isn’t just about avoiding fines — it’s about respecting the trust users place in them.

It also shows how privacy law is evolving to meet a digital reality where data moves faster than ever and control is harder to maintain.

In 2026 and beyond, privacy will continue to sit at the crossroads of innovation and individual rights. The challenge for lawmakers, companies, and users alike will be to keep that balance — ensuring technology can progress without leaving human dignity behind.

Stay curious, stay informed, and let's keep exploring the fascinating world of AI together.

This post was written with the help of different AI tools.
