Introduction
In a judgment of January 8, 2025 (in Bindl v European Commission, Case T-354/22) (the “Judgment”) the EU General Court (the “Court”), the second highest court of the European Union (“EU”), ordered the European Commission (the “Commission”) to pay 400 EUR in damages to a German citizen (the “claimant”) for transferring his IP address to Meta Platforms in the United States (“US”) without having first implemented a data transfer mechanism. It is the first time an EU court has awarded compensation for non-material damage caused by a violation of international data transfer rules. The case may encourage more similar compensation claims in the EU, including class actions. The Commission has two months and ten days from the date of the Judgment to appeal.
Background
The legal framework relevant to the Judgment is Regulation 2018/1725 (the “Regulation”), which is the equivalent of the General Data Protection Regulation (the “GDPR”) for EU institutions and contains similar provisions. The Regulation itself is clear that EU courts should treat provisions in both the Regulation and the GDPR uniformly where they follow the same principles; although the Judgment relates to the Regulation, its findings are relevant to claims for damages under the GDPR.
Under the Regulation and the GDPR, transfers of personal data outside of the EU are prohibited unless that data is afforded an adequate level of protection. Unless the recipient country is deemed adequate by the Commission or a derogation is available, transferring organisations must rely on a transfer mechanism, such as Commission approved standard contractual clauses (“Standard Contractual Clauses”).
The Judgment, amongst other things, involved the claimant using websites operated by the Commission on several occasions in 2021 and 2022. This includes an occasion in 2022, when the claimant used the “Sign in with Facebook” option on the Commission’s website to register for a conference. The claimant asserted that the Commission had, as a result of his website visits, transferred his personal data, including his IP address and information about his browser and terminal, to third party providers in the United States, including AWS and Meta Platforms, without having implemented the legally required appropriate safeguards. In relation to the transfers, the claimant sought damages of EUR 400 for non-material harm.
The Judgment
The claimant sought 400 EUR in compensation for the unlawful transfer of his personal data by the Commission to vendors in the United States on three occasions between 2021 and 2022. According to the claimant, the transfers gave rise to a risk of his data being accessed by US security and intelligence services and prevented him from exercising control over his data.
AWS
The Court rejected the claim in relation to two of the claimant’s visits to the Commission’s website. The first time, his personal data was transferred to AWS EMEA in the EU, not to a third country. The claimant argued that AWS EMEA is obliged to transmit personal data to the US authorities, even if the data is stored on EU territory, but the Court held that the mere risk of access to personal data by a third country does not amount to a transfer of data. On a second occasion, there was an actual transfer of the claimant’s personal data to AWS servers in the United States, but this was because the claimant, when visiting the Commission’s website, had made technical adjustments to change his apparent location as though he were in various countries on the same day. As such, the Court held that the claimant’s actions were the cause of any resulting damage, and not the Commission’s alleged misconduct.
Meta Platforms
In relation to the transfer of the claimant’s IP address to Meta Platforms when he used the “Sign in with Facebook” feature on the Commission’s website, the Commission argued that it was the claimant’s choice to sign in using his Facebook account so that he, and not the Commission, initiated the data transfer. Further, the Commission contended that Meta Platforms collected the data directly from the claimant through Facebook cookies, and that the Commission was not involved in that exchange. The Court disagreed and held that, when the claimant clicked on the “Sign in with Facebook” hyperlink, his browser transmitted his IP address to the United States. By offering the feature on its website, the Commission created the conditions for the claimant’s IP address to be transmitted to Meta Platforms.
The Court established that the transfer was unlawful because there was no adequacy decision from the Commission regarding the United States when the transfer was carried out and the Facebook general terms and conditions which govern “Sign in with Facebook” do not incorporate the Commission’s own Standard Contractual Clauses. The Court concluded that the transfer put the claimant in ‘a position of some uncertainty’ as regards the processing of his IP address, which constitutes actual and certain non-material damage, giving rise to a right to compensation.
Key take-aways
- Compensation for non-material damage: It is the first time an EU court has awarded compensation for non-material damage caused by an unlawful transfer of data outside of the EU. The case illustrates that even seemingly minor cases of distress can give rise to a right to compensation under the GDPR; the claimant’s damage consisted of the loss of control over his data and the deprivation of his rights and freedoms, which left him in a ‘position of some uncertainty as regards the processing of his personal data’. Notably, the data consisted of a single IP address. The Court refers to the European Court of Justice’s decision regarding Österreichische Post AG (C-300/21) of May 4, 2023, which confirms that actual damage is required to give rise to a right to compensation so that infringement of the GDPR by itself is not sufficient, but that there is no ‘de minimis’ threshold of damage to be passed before compensation can be awarded.
- Emboldening class actions: The Judgment is likely to encourage more individuals to initiate damages claims for data transfer violations, and may pave the way for more class actions in the EU. Importantly, the Court’s ruling renders it plausible that all website visitors who clicked “Sign in with Facebook” suffered substantially similar harm, as the Court did not require concrete evidence of the specific way and degree the claimant suffered damage, nor of the actual risk of access by US intelligence. This could act as a motivator for organisations looking to pursue data protection related class actions in the EU, which are often made challenging due to the requirement to demonstrate individual damage.
- No impact on the United Kingdom: In the UK, class actions arguably face additional hurdles since the Lloyd v Google decision of 2021. In that case, the UK Supreme Court rejected a representative claim because mere “loss of control” does not give rise to a right to compensation under the UK Data Protection Act and each member must demonstrate actual harm, which requires an individualised assessment.
What’s Next?
Although the Judgment may be appealed, the case underscores the importance for businesses to comply with rules on international data transfers, including when integrating third party tools which collect data like IP addresses. It is noteworthy that the transfers in this case were carried out following the invalidation of the Privacy Shield in 2020 but prior to the adoption of the EU-U.S. Data Privacy Framework (“DPF”) on 10 July 2023. Since the DPF, organisations can carry out data transfers to recipients who have self-certified to the DPF (like Meta Platforms) in the United States without restriction. However, the long term validity of the DPF is still uncertain. What is certain, however, is that data transfers will continue to be a focus for companies, regulators, courts and consumers in the coming year.