2024-W48: BGH Rules on Facebook Data Breach Case, WhatsApp Data-Sharing Ban in India, EU Published Cyber Resilience Act and more
Eli Atanasov, CIPP/E, PhD
I help businesses put their privacy compliance on autopilot, saving them time and money in the process.
Hi privacy navigators,
Here is the latest from the Privacy Navigator, your one-stop destination for everything privacy. Another week full of news and resources has passed.
In today’s edition:
BGH Rules on Facebook Data Breach Case: Loss of Data Control Qualifies as GDPR Damage
On November 18, 2024, the German Federal Court of Justice (BGH) ruled on a case related to the 2021 Facebook data scraping incident, where personal data of 533 million users was exposed. The plaintiff claimed Facebook’s weak security measures caused a loss of control over their data and sought compensation under Article 82(1) GDPR.
Initially, the Regional Court of Bonn awarded €250 in damages to the plaintiff. However, the Higher Regional Court of Cologne overturned the decision, dismissing the case due to insufficient proof of harm. Upon appeal, the BGH partially reversed the Cologne court’s decision, stating that even a temporary loss of control over personal data constitutes immaterial damage under GDPR, without requiring proof of emotional distress or misuse of the data.
The court emphasized that Facebook’s default privacy setting, which allowed profiles to be searchable by phone numbers, likely breached GDPR principles of data minimization and data protection by design and default. The BGH instructed the appellate court to reassess the case, examining whether the plaintiff had been adequately informed about the default settings and whether valid consent was given for the data processing.
The BGH also provided guidance on assessing non-material damages under GDPR, suggesting that €100 could be a reasonable amount for cases involving loss of data control without further harm. However, higher compensation could be justified if psychological or other impacts are demonstrated.
The case was sent back to the Higher Regional Court of Cologne for further proceedings in line with these findings.
See the decision in German here.
NAVIGATE PRIVACY RESOURCES
Did you know that Privacy Navigator gives you much more than news in your inbox?
Research any topic using the Privacy Navigator in three easy steps:
Click the advanced search button below the search bar. If you want to make your search quicker, you can start typing directly in the search bar.
2. Narrow down your search
For this example, let’s research data protection impact assessments [1]. After briefly browsing the resources, you can narrow them down by keyword [2], or resource type [3]. You can always reset the filters [4].
In this case, let’s show only guidelines.
3. Check the latest DPA decisions
To complete your research, you can find DPA decisions across the EU and the UK by using our Fine Tracker. Simply select the country [1], sector [2], or the type of violation [3]. If you want a broader search, you can skip some of the filters.
The last step is to open the file by clicking “see more” [4].
All the above research tools are completely free. No subscription, no registration.
EU Published Cyber Resilience Act: EU's New Cybersecurity Standards for Digital Products
On November 20, 2024, the Cyber Resilience Act (CRA) was officially published in the Official Journal of the European Union. This regulation introduces mandatory cybersecurity requirements for products with digital components, aiming to ensure robust protection for consumers and businesses.
Key Features of the Cyber Resilience Act:
Mandatory Cybersecurity Requirements:
Integration with AI Regulations:
Lifecycle Security Obligations:
Timeline for Implementation:
The CRA promises to reshape cybersecurity across the EU, aligning safety standards for all digital products, including AI, to ensure a secure digital environment for all stakeholders. Read the Act here.
New Australian Law will Mandate Age Checks, Data Deletion for Social Media Platforms
On November 25, Australian Prime Minister Anthony Albanese announced that social media platforms would be required to destroy personal data used for age verification as part of the country’s groundbreaking ban on under-16s using their services.
The proposed legislation aims to implement a strict age-verification system, potentially involving biometrics or government-issued identification, to enforce the age limit.
This legislation, touted as a world-leading measure, would affect platforms like Instagram, TikTok, Snapchat, and X, with no exceptions for parental consent or pre-existing accounts. Companies failing to comply with the requirements could face fines of up to $32 million.
The government aims to pass the law by the end of the parliamentary year, fast-tracking it through both houses of parliament. Elon Musk and other critics have expressed concerns, calling it an attempt to control internet access for Australians.
Read more here.
That's all for now, see you next week!
Eli