Italian Court Accepts Legal Action Over Facebook Mass Breach

The 2018‑19 Facebook data‑scraping incident, first disclosed by Meta in 2021, revealed that personal details of 533 million accounts were harvested from publicly accessible profiles. While Meta initially framed the incident as a breach of “old” data that had been patched, the scale of the exposure—spanning Europe, the Americas, and Asia—underscored systemic weaknesses in the platform’s data‑governance architecture. Analysts note that the breach’s delayed disclosure, only after a hacker forum post, eroded user trust and highlighted the challenges of policing massive social networks.

European regulators have responded with a cascade of enforcement actions. Ireland’s Data Protection Commission imposed a €265 million fine—roughly $286 million—on Meta in 2022 for violating GDPR’s “data protection by design and default” principle. Germany’s Federal Court of Justice followed in 2024, granting German users the right to claim damages. The recent Italian court decision to accept a class‑action lawsuit, filed by the consumer group CTCU, extends this trend, offering a collective avenue for compensation under GDPR. Together, these rulings illustrate the EU’s willingness to leverage both monetary penalties and private litigation to compel compliance.

For Meta, the mounting legal pressure translates into significant financial and reputational risk. Beyond the immediate fines, the prospect of a multi‑nation class action could generate billions in settlement costs and force the company to overhaul its data‑privacy framework. Industry observers predict that the case will accelerate the adoption of stricter data‑minimisation practices across the tech sector, as firms seek to pre‑empt similar GDPR challenges. Moreover, the litigation reinforces the EU’s position as a global benchmark for privacy enforcement, prompting non‑European platforms to reassess their compliance strategies worldwide.