A German court has ruled that Facebook cannot access or process contact data belonging to individuals who are not registered on the platform through its “Find Friends” feature, marking a significant decision under European data protection laws.

Legal Battle Under GDPR

The Regional Court of Berlin ordered Meta Platforms Ireland, Facebook’s parent company, to cease uploading, processing, or transferring personal contact data stored on users’ mobile or desktop devices to its servers without proper legal grounds.

The case stems from a 2018 lawsuit filed by the Federation of German Consumer Organizations, which challenged Facebook’s data practices under the European Union’s General Data Protection Regulation (GDPR). Legal proceedings took several years as courts clarified who holds standing to bring GDPR-related claims.

Under the ruling, which is not yet final, Meta could face fines of up to €250,000 if it repeats the violation. The court determined that collecting user data from external sources to build “usage profiles” for advertising purposes without explicit and prior consent is unlawful.

Privacy Concerns and Platform Practices

Judges emphasized that social media platforms cannot indiscriminately gather personal data, particularly when it concerns individuals who are not members of the service. Ramona Pop, a board member of the consumer protection federation, said the ruling reinforces the principle that platforms must respect privacy boundaries.

She noted that when users activate the “Find Friends” function, contact information from their devices is transmitted to Meta’s servers — a practice the court found unlawful when it involves third parties who have not consented.

However, the court did not grant the consumer group’s request to prohibit the creation of usage profiles for non-registered Facebook visitors. Meta denied engaging in such advertising practices, and the plaintiffs were unable to provide sufficient evidence to substantiate the claim.

Implications for Tech Regulation

The decision highlights increasing regulatory pressure on major tech companies operating in the European Union and reinforces the strict standards imposed by GDPR on personal data processing, consent requirements, and digital privacy protections.

With data privacy becoming a central issue in the digital economy, this ruling could influence similar cases across Europe. The European Data Protection Board has previously stated that companies must ensure transparency and user consent in data collection practices.

Meta has faced several regulatory challenges in the EU in recent years, including a €1.2 billion fine from France’s data protection authority in 2021 for misleading users about data handling. The current case adds to the growing list of legal hurdles for the company.

Consumer advocates are calling for stricter enforcement of data protection laws, citing the need for clearer guidelines on how tech firms can collect and use personal information. The ruling could also prompt further litigation against other social media platforms operating in the EU.

As the case moves forward, the German court’s decision could set a precedent for how data privacy laws are interpreted and enforced. The ruling may also prompt Meta to reassess its data collection policies in the EU to avoid potential penalties.