In Case T-354/22 (Bindl v Commission), the General Court of the European Union (General Court) ordered the EU Commission to pay damages. The EU Commission had transferred personal data of a visitor to a website operated by it to Facebook in the USA.
Personal data transferred to the USA
In 2021 and 2022, the plaintiff, who comes from Germany, had visited the website of the Conference on the Future of Europe operated by the European Commission. He had registered for the "GoGreen" event via this website. He used the authentication option "Log in with Facebook" via the "EU Login" service.
As a result, personal data, including the IP address as well as browser and device information, was transmitted to the US company Meta Platforms Inc. The company is the parent company of Facebook.
The plaintiff claimed that an adequate level of data protection was not guaranteed in the USA and that there was a risk of access by US security and intelligence services. Among other things, he demanded compensation for the non-material damage he suffered as a result of the data transfers in the amount of EUR 400.
Reading tip: EDSA examines EU-US Data Privacy Framework: This still needs to be improved
400 euros compensation for immaterial damage
The court rejected several of the plaintiff's applications. These included the application for annulment of the data transfers and the application for a declaration that the Commission had failed to act in relation to a request for information. The action for damages in connection with the transfers via the "Amazon CloudFront" service was also dismissed. The data had either remained in the EU or had been transferred to the USA due to technical settings made by the plaintiff himself.
On the other hand, the claim for damages due to the transmission of the IP address to Facebook via the "Sign in with Facebook" function was upheld. The court found that by providing this hyperlink, the Commission had created the conditions for the transfer of personal data to a third country without providing adequate safeguards such as standard contractual clauses. At that time (March 30, 2022), there was no adequacy decision for the United States.
The Commission was found to have committed a "sufficiently serious breach" of a legal provision intended to confer rights on individuals. The court also recognized non-material damage suffered by the plaintiff, as he was in an unclear situation regarding the processing of his data. There was also a direct causal link between the infringement and the damage suffered. The Commission was therefore ordered to pay the plaintiff damages in the amount of 400 euros.
This judgment clarifies the strict requirements that the General Data Protection Regulation and Regulation (EU) 2018/1725 place on the transfer of data to third countries. Union institutions and bodies must ensure that adequate safeguards are in place to ensure the rights of data subjects. The case also highlights the legal possibilities for data subjects to assert claims arising from non-contractual liability of the Union.
Source: ECJ judgment T-354/22 (Bindl v Commission) of 8.01.2024