ARTICLE
16 January 2025

European Commission Fined For Unlawful Transfer Of Personal Data To The United States

SJ
Steptoe LLP

Contributor

In more than 100 years of practice, Steptoe has earned an international reputation for vigorous representation of clients before governmental agencies, successful advocacy in litigation and arbitration, and creative and practical advice in structuring business transactions. Steptoe has more than 500 lawyers and professional staff across the US, Europe and Asia.

On January 8, 2025, the European General Court issued a significant ruling against the European Commission (the "Commission"), finding it in breach of European Union ("EU") data protection law by transferring personal data to the United States without adequate safeguards. The court awarded €400 in damages to the applicant, Thomas Bindl, the first time an EU institution has been ordered to pay damages for violating the EU's own data protection rules. The case is notable not only for its legal implications but also because it underlines that EU institutions are themselves accountable for compliance with data protection law. The decision reinforces the need for every entity handling personal data within the EU to comply rigorously with the transfer rules when sending personal data outside the EU.

A. Restrictions on Transfers of Personal Data under European Privacy Law

The European data protection framework is primarily governed by two parallel instruments: the General Data Protection Regulation ("GDPR") (Regulation (EU) 2016/679), which applies to private organizations and to Member State public authorities, and Regulation (EU) 2018/1725, which applies the same principles to the EU institutions, bodies, offices and agencies themselves. Together they establish a comprehensive set of rules for the protection of personal data across both the private and public sectors within the European Union, including requirements for lawful processing, data subject rights, and international data transfers.

Articles 44 to 50 of the GDPR, and the corresponding provisions in Chapter V of Regulation 2018/1725 for the EU institutions, restrict transfers of personal data outside of the European Economic Area ("EEA") unless conditions ensuring an adequate level of protection are met. The primary mechanisms for lawful data transfers include:

  • Adequacy Decisions. The European Commission may determine that a third country offers a level of data protection essentially equivalent to that of the EU.1
  • Standard Contractual Clauses ("SCCs"). These are pre-approved contractual clauses which impose obligations on data exporters and importers to ensure data protection compliance.2
  • Binding Corporate Rules ("BCRs"). BCRs allow multinational organizations to transfer data within their corporate group, provided they implement sufficient safeguards approved by the competent supervisory authority.
  • Derogations for Specific Situations. In limited cases, personal data may be transferred without SCCs or an adequacy decision, such as when the data subject has given explicit consent or when the transfer is necessary for the performance of a contract.

If an organization or institution breaches a data subject's rights, the data subject may seek compensation for the material and non-material damage resulting from the breach.3 In England, the Supreme Court has interpreted the equivalent provision of the Data Protection Act 1998 (UK) as requiring claimants to demonstrate actual damage or distress in addition to a breach of the law.4

B. Background

On July 16, 2020, the Court of Justice of the European Union ("CJEU") invalidated the EU-US Privacy Shield adequacy decision in the landmark Schrems II decision.5 The court held that US government surveillance law meant that data transferred under the Privacy Shield did not enjoy an essentially equivalent level of protection. Only on July 10, 2023 did the Commission adopt a new adequacy decision for the United States, the EU-US Data Privacy Framework.

As a result, there was no adequacy decision in place for the United States between at least July 16, 2020 and July 10, 2023. During that period, Thomas Bindl, a German citizen, registered for an EU-hosted conference using the "Sign in with Facebook" feature, which lets individuals use their existing Facebook credentials to sign on to third-party sites. On March 30, 2022 and June 8, 2022, while accessing the conference registration page, Mr. Bindl's IP address and other browser-related information were, on his account, transferred by the Commission's website to Meta Platforms in the United States.
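The mechanism behind the transfer described above is ordinary browser behaviour: any script, image or frame whose source sits on a third-party host makes the visitor's browser connect to that host as soon as the page renders, sending the visitor's IP address and request headers before the visitor has clicked anything. The following is an added example written for this article (not code from the judgment, the Commission's website or any vendor SDK) of a small audit that lists the third-party hosts a page contacts on load. The page URL, the hostnames and both HTML samples are constructed for illustration; the SDK URL follows the Facebook JavaScript SDK's documented loading snippet and should be checked against the vendor's current documentation. The second sample shows the common "gated" pattern in which the SDK is fetched only after the visitor clicks the button.

```javascript
// Added example for this article (not code from the judgment, the Commission's
// website or any vendor SDK): list the third-party hosts a browser will contact
// as soon as it renders a page, i.e. before the visitor clicks anything. Each
// such request carries the visitor's IP address and request headers to that host.
// Hostnames and both HTML samples below are constructed for illustration.

// Tags whose src/href the browser fetches automatically when present.
const TAG_RE = /<(script|img|iframe|link|video|audio|source|embed)\b([^>]*)>/gi;
const ATTR_RE = /(?:^|\s)(src|href)\s*=\s*(?:"([^"]*)"|'([^']*)')/i;
// <link> only triggers a fetch for these rel values; rel="canonical" etc. do not.
const FETCHING_LINK_REL = /\brel\s*=\s*["']?(stylesheet|preload|modulepreload|prefetch|preconnect|dns-prefetch|icon)/i;

function isFirstParty(hostname, firstPartyHost) {
  return hostname === firstPartyHost || hostname.endsWith('.' + firstPartyHost);
}

// Returns Map<hostname, [{tag, url}]> of resources fetched on load from hosts
// other than the page's own host (and its subdomains).
function thirdPartyLoads(html, pageUrl) {
  const base = new URL(pageUrl);
  const found = new Map();
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    const a = ATTR_RE.exec(attrs);
    if (!a) continue; // inline <script>, <video> without src, ...
    if (tag === 'link' && !FETCHING_LINK_REL.test(attrs)) continue;
    const raw = a[2] !== undefined ? a[2] : a[3];
    let url;
    try { url = new URL(raw, base); } catch { continue; }
    // data:, blob: and javascript: URLs never leave the browser.
    if (url.protocol !== 'http:' && url.protocol !== 'https:') continue;
    if (isFirstParty(url.hostname, base.hostname)) continue;
    const list = found.get(url.hostname) || [];
    list.push({ tag, url: url.href });
    found.set(url.hostname, list);
  }
  return found;
}

function thirdPartyHosts(html, pageUrl) {
  return [...thirdPartyLoads(html, pageUrl).keys()].sort();
}

const PAGE_URL = 'https://conference.example.eu/register'; // constructed

// Constructed page: the social-login SDK is embedded as a plain <script>, so the
// browser contacts the third party on every page view, whether or not the
// visitor ever uses the button.
const EAGER_PAGE = `<!doctype html><html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="canonical" href="https://mirror.example.org/register">
<script src="https://connect.facebook.net/en_US/sdk.js" async defer></script>
<script src="//cdn.example.net/app.js"></script>
</head><body>
<img src="data:image/png;base64,iVBORw0KGgo=" alt="">
<img src="https://static.conference.example.eu/logo.png" alt="logo">
<iframe src="https://widgets.example.org/map"></iframe>
<button onclick="FB.login()">Sign in with Facebook</button>
</body></html>`;

// Constructed page: same button, but the SDK is only fetched after the visitor
// clicks, so rendering the page sends nothing to the third party.
const GATED_PAGE = `<!doctype html><html><head>
<link rel="stylesheet" href="/static/site.css">
</head><body>
<button id="fb-login">Sign in with Facebook</button>
<script>
document.getElementById('fb-login').addEventListener('click', () => {
  const s = document.createElement('script');
  s.src = 'https://connect.facebook.net/en_US/sdk.js';
  s.onload = () => FB.login();
  document.head.appendChild(s);
});
</script>
</body></html>`;

console.log('eager page contacts:', thirdPartyHosts(EAGER_PAGE, PAGE_URL));
console.log('gated page contacts:', thirdPartyHosts(GATED_PAGE, PAGE_URL));
```

Run with `node audit.js`. The regex scan is a first pass only: it does not see resources referenced from CSS `url()` rules, fetches started by first-party scripts, or redirects, so a real review should also capture the browser's network log (a HAR export from the developer tools) for the page and compare every contacted host against the organization's list of transfer mechanisms.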

On April 1, 2022, Mr. Bindl submitted a request for information to the Commission, asking what safeguards applied to the transfer and what measures the Commission had taken to comply with the relevant data protection rules. The Commission had not put in place alternative safeguards, such as SCCs or BCRs, for the transfer of Mr. Bindl's personal data to the United States. Mr. Bindl then commenced proceedings against the Commission seeking damages.

On January 8, 2025, the European General Court ruled that the Commission had committed a "sufficiently serious breach" of Regulation (EU) 2018/1725.6 Specifically, the court held that the Commission transferred personal data to a third country without ensuring adequate protection, as mandated under Article 46 and Article 48(1) and (2)(b) of the regulation. The court awarded Mr. Bindl €400 in damages in recognition of the non-material harm caused by the unlawful data transfer.

C. Key Takeaways

This decision serves as a reminder for in-house legal teams overseeing data privacy and compliance within the EU. The primary lessons derived from the ruling are:

  1. Compliance with Data Transfer Regulations. The ruling reinforces that any transfer of personal data from the EU to a third country must be supported by an appropriate legal mechanism, such as SCCs or BCRs, and accompanied by adequate safeguards. Counsel should review all current data transfer mechanisms to ensure they align with GDPR requirements.
  2. Continued Vigilance. This case highlights the risks of continuing data transfers during periods of legal uncertainty. Following the Schrems II decision, there was no immediately available framework for EU-US data transfers and the Commission proceeded to transfer data without adopting SCCs or alternative mechanisms. As EU privacy law continues to develop, in-house legal teams need to be agile in response to significant privacy decisions such as Schrems II.
  3. Potential for Increased Litigation. The decision to award monetary damages, even for non-material harm, sets a precedent for future claims and is a clear divergence from the approach adopted by the UK Supreme Court (which requires a claimant to demonstrate actual damage or distress). It may encourage individuals in the EU to seek compensation for GDPR violations, increasing litigation risk for both public and private entities. For large-scale transfers, even modest damages of €400 per individual or per breach can add up to very significant amounts if proceedings are brought on behalf of a class.
  4. Review Data Transfer Mechanisms. The decision also serves as a reminder for organizations subject to the GDPR to perform regular reviews of their data transfer mechanisms to ensure continuing compliance. That review should include verifying third-party processors' adherence to data protection standards and implementing additional safeguards where necessary.

D. Conclusion

This ruling from the European General Court serves as a critical reminder that GDPR compliance applies to all entities processing personal data within the EU, including public institutions. In-house counsel must take proactive steps to ensure their organizations implement the appropriate safeguards for international data transfers. This includes reassessing data transfer mechanisms, maintaining up-to-date documentation of safeguards, and continuously monitoring regulatory developments to mitigate legal and financial risks. By staying vigilant, legal teams can help their organizations avoid costly breaches and reputational damage while fostering a culture of data privacy compliance.

Footnotes

1 As of January 2025, there are 16 adequacy decisions in place, covering Andorra, Argentina, Canada (commercial organizations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, the Republic of Korea, Switzerland, the United Kingdom, the United States (for commercial organizations certified under the EU-US Data Privacy Framework) and Uruguay; the United Kingdom accounts for two decisions (one under the GDPR and one under the Law Enforcement Directive), which is why 15 territories correspond to 16 decisions.

2 The current Standard Contractual Clauses were adopted by the European Commission by Implementing Decision 2021/914 ([https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj]).

3 Article 82 of the GDPR and Article 65 of Regulation 2018/1725.

4 Section 13(1) of the DPA 1998 provided that "An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage." The Supreme Court ruled in Lloyd v Google LLC [2021] UKSC 50 that it was not sufficient for the claimant to establish a breach of the Act; the claimant was also required to demonstrate actual damage or distress.

5 [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:62018CJ0311].

6 [https://eur-lex.europa.eu/eli/reg/2018/1725/oj/eng].

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
