Can a user who knowingly uses a global service like Facebook later claim damages for the associated transfer of data to the USA? The Regional Court (LG) of Munich I has drawn a clear line in a ruling that could serve as a major precedent for countless lawsuits. The court ruled that anyone who uses a service whose basic functionality (including US data transfers) is common knowledge acts in “bad faith” if they later sue for damages because of it (LG Munich I, Judgment of Aug. 27, 2025 – Case No. 33 O 635/25).
The Case: A Facebook User vs. US Data Transfers
A Facebook user sued the platform’s Irish operating company, seeking injunctive relief, information, and damages. His argument centered on the allegedly unlawful transfer of his data to the United States, particularly in light of the European Court of Justice’s (ECJ) landmark “Schrems II” ruling. The plaintiff claimed that this data transfer caused him significant mental and physical distress, including anxiety and sleep disorders.
The Court’s Decision: A Lawsuit in Breach of Good Faith
The Munich Regional Court dismissed the lawsuit in its entirety. The judges based their decision on several pillars, one of which is particularly noteworthy and sets a new precedent in its clarity:
- Lawful Data Transfer:
The court found that Facebook could lawfully rely on Standard Contractual Clauses (SCCs) and the new data privacy framework between the EU and the USA. - No Provable Damage:
The symptoms described by the plaintiff (insomnia, etc.) had no verifiable connection to the data transfer. - The Decisive Point: Abuse of Rights (§ 242 BGB):
The court declared the claims to be a violation of the principle of “Good Faith” (Treu und Glauben). This reasoning is a bombshell for the ongoing wave of lawsuits against tech companies:- The court noted that it is common knowledge that Facebook is a global communication service and part of a US corporation. At the latest since the Snowden revelations and the Schrems II ruling, the issue of US data transfers has been widely discussed in the public eye.
- Anyone who uses such a service despite being aware of these circumstances cannot later claim to have been “surprised” by the data transfer. It is contradictory to use a service voluntarily and then sue the provider for its fundamental and well-known functionality.
- The court suggested that the plaintiff was not concerned with actual damages, but rather with generating a cash payout from a formal legal technicality. This was further evidenced by the fact that the lawsuit consisted of standardized “cookie-cutter” text blocks and was part of a mass litigation campaign.
What This Ruling Means for Your Business
- A powerful new defense: This “Good Faith” objection is a potent weapon for companies facing mass, standardized, and potentially abusive GDPR lawsuits.
- The weight of “Common Knowledge”: For well-known global services, it will become harder for plaintiffs to complain about a “loss of control” when the basic data flows are obvious and widely known.
- Courts are scrutinizing motives: The ruling indicates a trend where courts are increasingly willing to question the true motives behind a lawsuit. Is it about genuine protection or a business model?
- Not a “blank check”: It is important to note that this argument primarily applies to obvious and well-known data processing. It does not shield companies from the consequences of hidden or non-transparent data processing.
FAQ: US Data Transfers and Abuse of Rights
What exactly does the principle of “Good Faith” (§ 242 BGB) mean?
It is a fundamental principle of German law stating that everyone must exercise their rights with due regard for the legitimate interests of others, and not in a contradictory or harassing manner.
Does this argument now apply to all GDPR lawsuits?
No. It is a strong argument specifically for cases where a plaintiff knowingly and voluntarily uses a service and then complains about the very data processing that is essential to that service and known to the user.
Is my company now safe from all US data transfer lawsuits?
No. This is a lower-court ruling. You must still ensure that your data transfers rest on a solid legal foundation (e.g., the EU-U.S. Data Privacy Framework or SCCs). However, the ruling provides an additional line of defense.
How is this different from the “Google Fonts” cases?
A key difference is active vs. passive use. In the Google Fonts cases, users often unknowingly visited a website that transmitted data. In the case of Facebook or Instagram, users make an active and repeated choice to use the service, despite knowing how it functions.
Conclusion: A Blow to the Data Transfer Litigation Wave
The ruling by the Munich Regional Court is a clear and a signal against an escalating wave of litigation that often seems to follow a business model rather than a need for genuine legal protection. It strengthens the position of companies facing plaintiffs whose behavior appears contradictory. By bringing common sense and the principle of good faith into the fold, this decision could mark the beginning of a more pragmatic judicial approach to GDPR damage claims.
