In a groundbreaking judgment that could pave the way for a wave of similar lawsuits, the Leipzig Regional Court has ordered Meta Platforms Ireland to pay €5,000 in compensation to a Facebook user for violations of European data protection law. The decision, handed down by the 5th Civil Chamber of the court on July 4, underscores the growing judicial support for robust enforcement of the EU General Data Protection Regulation (GDPR) through civil courts.
The court found that Meta’s deployment of its business tools—software integrated into countless websites and mobile apps—constitutes a “massive” breach of European data protection rules. These tools allow Meta, the operator of Facebook and Instagram, to collect personal data from users as they navigate the internet, even if they are not logged into their social media accounts. This data is then transmitted to third countries, particularly the United States, where Meta uses it to create detailed user profiles for targeted advertising.
Citing Article 82 of the GDPR, which allows for compensation in cases of non-material damage, the Leipzig judges argued that the scale and opacity of Meta’s data processing practices violate users’ fundamental rights. In particular, the court emphasized the psychological harm caused by the feeling of constant surveillance. “The virtually unlimited collection and analysis of personal data results in the near-complete monitoring of a user’s online life,” the judgment stated.
In determining the €5,000 compensation, the court considered the enormous commercial value of personal data in Meta’s business model. Referring to a 2022 decision by the German Federal Cartel Office, the court highlighted that Meta generated 97% of its $118 billion revenue in 2021 from personalized advertising—underscoring the critical importance of user data to the company’s bottom line. “The financial value of an individual user profile is enormous,” the court noted, adding that this assessment aligns with public perceptions of the value of personal data.
Notably, the court declined to hold an oral hearing with the plaintiff, reasoning that an individual user’s account of data loss would add little to the overall assessment. Instead, it focused on the perspective of a reasonable “average” data subject under GDPR standards, stressing that uncertainty over how data is used and what may happen in the future contributes meaningfully to the harm suffered.
By grounding its decision squarely in European rather than national law, the Leipzig Regional Court departed from other German courts that have based similar rulings on national legal concepts of personal rights. The court drew heavily on recent findings from the European Court of Justice, which has also scrutinized the legality of Meta’s business tools.
The chamber acknowledged that its ruling could open the door to further claims from Facebook users who have not experienced specific individual harm. However, it emphasized that this outcome is consistent with the broader purpose of the GDPR: to strengthen privacy enforcement, not only through regulatory authorities but also through private legal action.
