ARTICLE
24 January 2025

Unlawful International Transfer Of Personal Data Results In Damages Awarded To EU Data Subject

Harneys



On 8 January 2025, the EU General Court (the Court) ruled in favour of a German citizen in Bindl v Commission (Case T-354/22), ordering the European Commission to pay €400 in damages for unlawfully transferring personal data to the US.

Facts of the case

Mr Bindl registered for an event via an EU Commission website using the "Sign in with Facebook" option. This action led to his IP address and other personal data being transmitted to Meta Platforms, Inc. (Facebook) in the US. The transfer to the US took place during the period after the invalidation of the EU-US Privacy Shield but prior to the introduction of its successor, the EU-US Data Protection Framework. That is to say, the previous adequacy decision was invalid, and the Court found that there were otherwise no legal arrangements in place to legitimise the transfer. Specifically, the Court noted that the Commission "neither demonstrated nor claimed that there was an appropriate safeguard, in particular a standard data protection clause or contractual clause" to lawfully facilitate the transfer.

Commentary

For accuracy's sake, it is worth pointing out that the case turned on the legal provisions of Regulation 2018/1725, which regulates the treatment of personal data by the European institutions. This Regulation is, however, essentially equivalent to the GDPR, and the widely agreed expectation is that the repercussions of this decision will apply equally to the GDPR.

There are a number of conclusions in the decision which can be picked apart, and the Commission retains the option to appeal the ruling before the Court of Justice of the European Union.

The key takeaway from this decision, however, is that for the first time the door has been opened to awarding damages to individuals for unlawful transfers of personal data. This means that beyond regulatory fines, operators may also need to contend with the possibility of paying damages to individuals. Although the damages of €400 ordered in the present case are rather minimal, the decision's significance becomes rather monumental when considering its possible application to multiple data subjects or class-action-style lawsuits.

The Court's judgment can be found here and the official press release can be accessed here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
