Background
On January 8, 2025, the European General Court set a new precedent when it ordered the European Commission to pay a monetary judgment to an individual in Bindl v. Commission (Case T-354/22). The applicant, Mr. Thomas Bindl, is a German resident who alleged that the European Commission unlawfully infringed upon his data protection rights by transferring his personal data to the United States without adequate safeguards. Bindl alleged the transfer occurred when he logged into a Commission website through his Facebook account, which collected his data, including his IP address. This decision is noteworthy as it is the first time the European General Court has ordered individual damages and provides valuable insights about potential risk exposure for any businesses that process EU personal data.
In 2021 and 2022, Bindl accessed the European Commission's "Conference on the Future of Europe" website. While browsing the website, he used the "Sign in with Facebook" feature provided on the EU Login page to register for an event. Bindl alleged that this action resulted in the transfer of his personal data to Meta Platforms, Inc., a U.S. company. Additionally, he alleged that his data was transferred to the U.S.-based Amazon Web Services via the Amazon CloudFront content delivery network used by the website.
Bindl sent two separate information requests to the Commission alleging that these data transfers exposed his information to potential access by U.S. intelligence services. At that time, the United States lacked an adequacy decision from the European Commission that would apply to a transfer of data from the EU to the U.S. In response, the Commission claimed that it did not transfer data to recipients outside the EU.
Bindl filed an action at the General Court seeking compensation for the non-material damage which he claims to have sustained as a result of: (i) the transfers at issue; and (ii) the infringement of his right of access to information.
Decision
The General Court made several key findings regarding Bindl's claims:
1. Transfer via "Sign in with Facebook":
a) Commission's responsibility: The Court determined that by incorporating the "Sign in with Facebook" hyperlink on its EU Login page, the Commission facilitated the transmission of users' personal data, notably IP addresses, to Meta Platforms in the United States. This transfer was directly attributable to the Commission.
b) Lack of safeguards: At the time of the transfer on March 30, 2022, there was no adequacy decision in place confirming that the United States ensured an adequate level of data protection, which would have legally facilitated transfers of data from the EU to the U.S. Furthermore, the Commission did not implement appropriate safeguards, such as standard contractual clauses, to legitimize the transfer.
c) Violation of data protection regulations: The Court concluded that the Commission violated Article 46 of Regulation (EU) 2018/1725 governing data processing by EU institutions, as the Commission did not comply with the conditions for the transfer by an EU institution of personal data to a third country.
2. Transfer via Amazon CloudFront:
a) Data remained in the EU: The Court found that during one of Bindl's connections to the website, data was transferred to a server located in Munich, Germany, rather than to the United States. This was consistent with the contract between the Commission and Amazon Web Services, which stipulated that data should remain within Europe.
b) Transfer caused by user: In another instance, Bindl connected to the Commission's website and the data was routed to servers in the United States due to a technical adjustment Bindl made that caused him to appear to be located in the U.S. The Court noted that this redirection was caused by the user's actions, and thus the Commission could not be held responsible for this transfer.
3. Compensation for Non-Material Damages:
Under EU law, individuals who suffer material or non-material damage based upon European Union non-contractual liability may be compensated when there is: (1) a sufficiently serious breach of EU law; (2) the fact of damage; and (3) a direct causal link between the breach and the damage. These conditions were met as follows:
a) The General Court concluded that the Commission had committed a sufficiently serious breach of Regulation 2018/1725 by transferring the data to Meta's U.S. servers.
b) The Court found that the unauthorized transfer of personal data to the United States through the "Sign in with Facebook" feature left Bindl in a state of uncertainty about how his information was being processed. In particular, Bindl was uncertain about potential access by U.S. authorities.
c) The Court found a clear and direct connection between the Commission's breach and the non-material harm Bindl suffered.
As a result of its findings, the Court ordered the Commission to pay €400 in compensation to Bindl. The decision to award individual damages widens the aperture of penalties European courts may levy upon businesses and government institutions for violations of EU data protection laws.
Practical Considerations
a) Businesses operating websites in the EU should thoroughly evaluate third-party services integrated into their platforms to ensure compliance with data protection standards, notably where data may be transferred internationally.
b) When transferring data to third countries that lack an EU adequacy decision, businesses must establish appropriate safeguards, such as standard contractual clauses, to legitimize those transfers.
c) Clear communication regarding data processing activities, including potential international transfers, is essential to maintain transparency and uphold individuals' rights.
d) Businesses should conduct regular audits of their data processing activities to identify and rectify potential compliance issues proactively.