The Dresden Higher Regional Court this week delivered legally binding judgments against Meta Platforms Ireland Limited, ordering the company to pay four Saxon Instagram and Facebook users €1,500 each in damages for illegally collecting personal data across countless third-party websites and apps. The February 3, 2026, decisions mark the first final rulings of their kind in Germany. Meta cannot appeal to the Federal Court of Justice.

According to court documents in case 4 U 292/25, the 4th Civil Senate prohibited Meta from collecting data about the plaintiffs on third-party sites and apps with immediate effect. The rulings reference violations of German personality rights in conjunction with the General Data Protection Regulation and relevant decisions from the European Court of Justice.

The court's exclusion of revision to the Federal Court of Justice represents a particularly severe outcome for Meta's legal position. The Dresden panel determined the legal situation to be so clear that no further appellate review is warranted. While German district courts have issued contradictory rulings - the Dresden Higher Regional Court reversed the Leipzig District Court's judgment favoring Meta - no disagreement exists among German appellate courts regarding the illegality of Meta's data collection practices through Business Tools.

Technical infrastructure under scrutiny

Meta's Business Tools infrastructure operates through technologies including Meta Pixel, Conversions API, App Events via Facebook SDK, Offline Conversions, and App Events API. According to the court's analysis of Meta's usage terms, these tools enable third-party companies to collect personal data from online and offline customer interactions. The data flows to Meta's servers where it undergoes processing for various purposes, including but not limited to personalized advertising.

The system collects contact information - email addresses, phone numbers, names, dates of birth, gender, location, and external advertiser IDs. Event data captured includes website URLs, visit timestamps, referrer information, button clicks, and comprehensive interaction documentation that Meta terms "Events." Mobile app tracking encompasses app names, visit times, button interactions, and detailed behavioral records.

Business Tools usage terms specify that Meta can process event data for measurement solutions, analytics services, advertising targeting, delivery of commercial messages, and improvement of advertising delivery and personalization. The court found Meta uses event data to personalize features and content shown to users both within and outside Meta products, and for research, development, and integrity purposes across Meta's platform ecosystem.

Data processing mechanisms

According to court findings, third-party companies transmit data to Meta through Business Tools embedded on their websites, servers, or apps. The technologies operate subject to Meta's usage terms and data processing conditions. Companies implementing these tools face obligations under joint responsibility provisions outlined in Article 26 GDPR supplements.

Meta's usage terms reveal that contact information undergoes hashing before transmission, using SHA-256 cryptographic algorithms prescribed by Meta. The company maintains the capability to reverse this encryption through matching procedures that align hashed data with its internal user identification systems. Following matching processes, contact information undergoes deletion, though event data combined with matched user IDs remains stored and available for Meta's designated purposes.

The court determined that even when users refuse cookies on third-party sites, data transmission to Meta can still occur. Implementation errors by third-party companies contribute to unauthorized data flows, though Meta maintains it has deployed filtering systems to prevent receipt of prohibited information categories including health data, financial information, and data concerning children under 13.

Users who refuse to enable "Meta Cookies in other apps and on other websites" through platform settings reportedly receive Meta's assurance that their individual cookie information will not be used for relevant advertising. However, the company acknowledges continued receipt of information about user activities from apps and websites, which it claims to use for measurements and advertising system improvements though not linked to individual accounts.

Enforcement implications

The court valued damages at €1,500 per affected user, positioning the award within the mid-range of compensation amounts being determined across German courts. Leipzig Regional Court awarded €5,000 in a similar case decided in July 2025, while Munich Higher Regional Court granted €750 in a December 2025 ruling that permitted revision to the Federal Court.

Berlin law firm BK Baumeister & Kollegen represents more than 7,000 plaintiffs with legal expense insurance coverage in proceedings before German courts. According to attorney Max Baumeister, fewer than half of these cases have reached first-instance decisions, with approximately 60 percent favoring plaintiffs and 40 percent favoring Meta. Courts in Saxony and Saxony-Anhalt had previously ruled consistently for Meta, with Leipzig District Court providing a notable exception before the Dresden appellate reversal.

Baumeister indicated that Saxon district courts will likely modify their practices following the Dresden Higher Regional Court decisions. During oral arguments in early December 2025, the court subjected Meta's attorneys to intensive questioning regarding data processing justifications and technical implementations.

The exclusion of revision creates limited options for Meta to challenge the Dresden decisions. While Meta could theoretically attempt a non-admission complaint to the Federal Court of Justice, success appears unlikely. The court set dispute value at €9,000, well below the typical €20,001 minimum threshold for such proceedings. Though the Federal Court of Justice maintains discretion in determining complaint value independently of lower court valuations, it generally follows established dispute values, particularly when parties accepted those amounts during prior proceedings.

Regulatory context

The Dresden rulings arrive amid intensifying European enforcement against Meta's data practices. Austria's Supreme Court delivered a final judgment in November 2025 ordering Meta to provide comprehensive access to all personal datacollected from privacy advocate Max Schrems, including detailed information about data sources, recipients, and processing purposes. The ruling rejected Meta's trade secret arguments and established that Article 15 GDPR creates enforceable rights to detailed information about every aspect of data processing.

Spanish authorities ordered Meta to pay €479 million in November 2025 for unfair competition violations stemming from illegal data processing that gave the platform competitive advantages Spanish digital publishers could not replicate. The Madrid court found Meta collected information not only from its own platforms but from other internet pages users visited, creating unlawful competitive advantages in behavioral advertising markets.

Research disclosed in June 2025 revealed Meta had implemented covert Android tracking through localhost port connections, allowing Facebook and Instagram apps to link browsing history with user identities while bypassing privacy protections including Incognito Mode and Android permission controls. Meta discontinued the practice following academic researchers' public disclosure.

Platform response

Meta declined to provide specific responses to questions about how it has modified Business Tools operations following the Austrian Supreme Court decision or whether it plans to adjust the tools within the European Economic Area or Germany specifically. In a brief statement, the company indicated disagreement with the Dresden decisions and maintained its position that it complies with all applicable laws. Meta indicated it would consider further legal steps without specifying particular actions.

The company faces structural challenges in defending its Business Tools infrastructure across multiple jurisdictions. Business Tools generate substantial advertising revenue through data collection and processing that courts have found violates GDPR requirements for lawful processing bases, data minimization, storage limitations, and transparency.

According to Meta's own usage documentation, the company processes Business Tools data for purposes extending beyond individual third-party advertiser needs, including aggregation with other data sources for advertising delivery improvements, personalization of Meta product features, and research and development activities. Courts have found this comprehensive data processing cannot be justified through user consent obtained on third-party websites, as such consent covers only the website operator's processing purposes, not Meta's independent commercial objectives.

The Dresden court grounded its decision in violations of general personality rights under German civil law in conjunction with GDPR provisions. Meta bears responsibility as a controller under Article 4(7) GDPR for data processing through Business Tools, despite the involvement of third-party website operators who also deploy these technologies.

According to the court's analysis, Meta qualifies as a joint controller with website operators under Article 26 GDPR for data collection occurring on third-party sites. The company provides Business Tools to third-party businesses, enabling Meta to receive substantial data volumes about users' online activities for its own commercial purposes. This arrangement creates joint responsibility for the initial data collection phase, though Meta remains independently responsible for subsequent processing on its own servers.

The court rejected Meta's argument that it processes data merely as a processor on behalf of third-party advertisers. Business Tools usage terms reveal Meta pursues its own processing purposes including advertising optimization across its platform ecosystem, feature personalization, and research activities extending beyond individual advertiser objectives. These independent commercial purposes establish Meta's status as a controller rather than a processor for the collected data.

Meta claimed it processes Business Tools data based on legitimate interests under Article 6(1)(f) GDPR for security and integrity purposes. The court found this justification insufficient to cover the full scope of data processing documented in Meta's own usage terms and privacy policies. Even assuming legitimate security interests, the extensive data aggregation and indefinite retention periods failed proportionality requirements under GDPR Article 5(1)(c) and (e).

The court found Meta cannot rely on user consent as a legal basis for Business Tools data processing. Users who register for Instagram or Facebook agree to platform usage terms that reference data policies, but these agreements do not encompass consent for data collection occurring on entirely separate third-party websites and apps outside Meta's direct control.

When users visit third-party websites equipped with Business Tools, any consent they provide through cookie banners or privacy notices covers only the website operator's data processing purposes. Such consent does not extend to Meta's separate commercial objectives including cross-site tracking, profile aggregation, and advertising optimization across Meta's platform ecosystem. The European Court of Justice established in its July 29, 2019, Fashion ID ruling that each joint controller must obtain separate consent for its own processing purposes.

Meta's privacy settings within Instagram and Facebook platforms allow users to control certain aspects of advertising personalization, but the court found these settings do not provide adequate mechanisms for users to consent to or refuse Business Tools data collection occurring before they even access Meta's platforms. The temporal and technical separation between third-party website visits and Meta platform usage prevents meaningful consent flows.

The court emphasized that hashing contact information before transmission does not eliminate the personal data character of the information or reduce consent requirements. Meta prescribes the specific hashing methodology (SHA-256) to third-party implementers precisely because the company maintains technical capability to reverse the hashing through matching with its own user database. The hashed data retains its link to identifiable individuals throughout the processing chain.

Data minimization violations

Article 5(1)(c) GDPR requires that personal data be adequate, relevant, and limited to what is necessary for processing purposes. The court found Meta's Business Tools data collection systematically violates this principle through indiscriminate aggregation of user behavior across unlimited websites and apps without temporal or categorical restrictions.

According to court analysis, Meta collects event data documenting every user interaction on equipped third-party sites - page views, button clicks, form submissions, purchases, and behavioral patterns. This comprehensive surveillance extends across diverse website categories including news media, e-commerce, travel booking, health information, and financial services. The aggregated data creates detailed profiles of users' interests, political views, health concerns, financial circumstances, and personal relationships.

The European Court of Justice addressed data minimization requirements in its October 4, 2024, Schrems II decision, establishing that controllers cannot process all personal data obtained about users without temporal limits or distinction by data type, even when users consent to personalized advertising. The principle of data minimization applies regardless of the legal basis claimed for processing. Controllers must demonstrate which specific data categories are necessary for defined processing purposes and retain data only for periods justified by those purposes.

Meta's Business Tools operate on a model of maximal data collection subject only to filtering for obviously prohibited categories like Social Security numbers. The court found this approach inverts the data minimization principle by collecting first and evaluating necessity afterward, if at all. Meta provided no evidence during proceedings demonstrating which specific data points from Business Tools are necessary for stated purposes like security monitoring or advertising effectiveness measurement.

Storage periods compound the minimization violations. Meta's usage terms specify event data may be stored for up to two years, while the company acknowledged during proceedings that security and integrity processes require indefinite retention periods that cannot be precisely specified due to "complexity and nuances." The court found these indefinite retention justifications incompatible with Article 5(1)(e) GDPR, which requires storage limitation to periods necessary for processing purposes.

Special category data processing

The court addressed Meta's handling of special category personal data under Article 9(1) GDPR, which provides enhanced protection for information revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, sex life, or sexual orientation.

Business Tools do not technically distinguish between ordinary personal data and special category data during collection and transmission processes. According to court findings, the automated data flows capture whatever information users interact with on equipped websites, making special category data processing inevitable when users visit health information sites, political advocacy platforms, religious organizations, or LGBTQ+ resources.

Meta prohibited third-party advertisers from intentionally transmitting special category data through Business Tools usage terms. However, the court found this contractual prohibition insufficient to prevent actual processing of such data. Meta cannot control what content users access on third-party sites or what information those sites associate with user interactions. The company acknowledged its filtering systems attempt to identify and block obvious special category data, but provided no evidence these systems reliably prevent all such data from entering its processing systems.

The European Court of Justice addressed this issue in its July 4, 2023, decision, finding that when automated processing systems do not distinguish between ordinary and special category data during collection, the entire processing operation must be evaluated as processing of special categories. Article 9(1) GDPR prohibits such processing absent specific exceptions under Article 9(2), none of which Meta successfully invoked.

The court rejected Meta's argument that it processes special category data only when users make such information "manifestly public" under Article 9(2)(e) GDPR. That exception applies when individuals deliberately disclose sensitive information publicly, not when they privately browse health information or visit websites addressing sensitive topics. The mere act of visiting a website does not constitute making one's health conditions, sexual orientation, or political views manifestly public in the legal sense required by the exception.

Market implications

Approximately 10,000 claims from German internet users against Meta Platforms are currently pending in German courts for data protection violations. The Dresden decisions establishing legally binding precedent without possibility of Federal Court of Justice review may accelerate filing of additional claims and influence outcomes in pending cases.

Legal expense insurance providers that have declined coverage for Meta claims citing uncertain legal outcomes may face pressure to reconsider their positions following establishment of clear appellate precedent in Saxony. The Dresden court's finding that the legal situation is sufficiently clear to exclude revision suggests reduced litigation risk for potential plaintiffs.

For marketing professionals, the rulings underscore growing regulatory scrutiny of third-party tracking technologies. Millions of websites currently implement Meta Pixel and other Business Tools for advertising effectiveness measurement and campaign optimization. The Dresden decisions suggest current implementations violate European data protection law, potentially exposing website operators to compensation claims alongside Meta.

The court indicated that website operators embedding Meta's tracking tools may share liability for GDPR violations. Joint responsibility provisions under Article 26 require website operators and Meta to establish transparent arrangements for their respective GDPR obligations, including mechanisms for users to exercise their rights. Many current implementations lack such arrangements or fail to obtain proper user consent before activating tracking technologies.

Timeline

Summary

Who: The Dresden Higher Regional Court's 4th Civil Senate ruled in four parallel proceedings brought by Saxon Instagram and Facebook users represented by BK Baumeister & Kollegen against Meta Platforms Ireland Limited.

What: The court ordered Meta to pay €1,500 per plaintiff for illegally collecting personal data through Business Tools embedded on third-party websites and apps, prohibited future collection from these plaintiffs, and excluded Meta's right to appeal to Germany's Federal Court of Justice.

When: The court delivered its decisions on February 3, 2026, with oral arguments having occurred in early December 2025. The rulings address data collection practices extending from May 25, 2018, when GDPR took effect.

Where: The Dresden Higher Regional Court issued the rulings in Saxony, Germany, under case numbers including 4 U 292/25. The decisions have implications throughout the European Economic Area where Meta operates identical Business Tools infrastructure.

Why: The court found Meta's Business Tools violate German personality rights in conjunction with GDPR because the company collects, stores, and processes personal data from third-party sites without valid legal justification under Article 6 GDPR, fails to minimize data collection, and processes data in ways that create comprehensive surveillance of users' online behavior.

Share this article
The link has been copied!