Skip Breadcrumb Navigation Links
Skip social share links
RSS for the current page

All the small things: EU – US transfers and non-material damages

On 8 January 2025, the General Court in Case T-354/22 (Bindl v Commission) awarded Thomas Bindl €400 damages in respect of an unlawful transfer of his personal data to the US via a Facebook sign-in link on a European Commission website.

05/02/2025
Briefing

The decision is a reminder of the broad approach of the European courts to the concept of non-material damage, and the strict interpretation of the requirements for robust controls in the context of EU-US transfers.

The timing of the unlawful transfer (30 March 2022) is relevant as at that point, following the Schrems II ruling, the European Commission had not yet adopted its adequacy decision for the EU-US Data Privacy Framework in respect of adequate protection for personal data transferred from the EU to companies participating in the Framework.

Background to the claim

The applicant, a German citizen and founder of Europäische Gesellschaft für Datenschutz (EuGD) – a German organisation focused on data protection litigation, raised concerns about his personal data when visiting the Conference on the Future of Europe (CFE) website, managed by the European Commission. In November 2021, he requested information about the processing of his personal data, specifically regarding the CFE’s website’s connection to third-party providers. He asked the Commission whether his data had been transferred to third parties, the legal basis for such transfers, and whether adequate protections were in place, especially for transfers to the United States.

In December 2021, the Commission responded, stating that no data had been transferred outside the EU and that data processing was managed by a third party in Luxembourg. However, in April 2022, the applicant repeated his access request, now also mentioning a connection to another third-party service provider when using his Facebook login to register on the website in March 2022. The Commission responded in June 2022, claiming that the two requests were similar and that a response had already been provided to his earlier inquiry. The applicant then filed a legal action in June 2022, seeking further clarification.

Non-material damages

The applicant sought several forms of order including two specific applications for non-material damages arising from infringements of Regulation 2018/1725 regulating processing personal data by EU institutions, Bodies, Offices and Agencies. (Regulation 2018/1725 brings data protection rules for those institutions and bodies in line with the standards imposed on other organisations and businesses by the General Data Protection Regulation.)

  • The first part of the applicant’s damages application sought €800 in compensation for non-material damage due to the Commission’s failure to respect the right of access to information, and to the principle of transparency laid down in Regulation 2018/1725.
  • Under the second element, the applicant sought payment of €400 in compensation for non-material damage for loss of control over his personal data. The applicant argued that there was a direct causal link between the non-material damage suffered and the transfer of his login details (including his IP address, name, profile picture and email) to a third party in the United States, in contravention of Regulation 2018/1725.

The judgment

On the first element of the claim, while the General Court found that the Commission did, as a matter of fact, breach their obligations to issue a response within the required deadline of one month, the delay was not severe enough to cause non-material damage, as the applicant had already received some information in response to an earlier request. Consequently, the impact of the delay was not severe enough to result in significant harm, and this aspect of the claim was dismissed.

On the second element, however, the Court found in favour of the applicant. In coming to this conclusion the court considered the following:

  • The Commission neither demonstrated or claimed there was an appropriate safeguard in place, in particular a standard data protection clause or contractual clause adopted in accordance with Regulation 2018/1725, and, by contrast it was demonstrated that the Facebook login on the Commission’s website was entirely governed by the terms and conditions of the Facebook platform.
  • As a result, the Commission created the conditions for a transfer of the applicant’s personal data to a third country to proceed without ensuring compliance with Regulation 2018/1725, thereby resulting in a significantly serious breach of the law in relation to the 30 March 2022 transfer.
  • Referring to the judgment in the Austrian Post case (C‑300/21), the Court noted under Regulation 2018/1725, both material and non-material damages resulting from violations of the Regulation entitle affected persons to compensation, without needing a specific threshold of seriousness.
  • Further, the court noted that the non-material damage claimed must be considered to be “actual and certain” insofar as the unlawful transfer put the applicant in a position of “some uncertainty” with regards to the processing of his personal data.
  • Finally, the court found that there was a sufficiently causal link between the infringement by the Commission and the non-material damage claimed, ordering the Commission to pay the sum of €400 damages, plus half of the applicant’s legal costs.

Failure to establish damage due to the applicant’s own actions

Notably, the court also found in relation to alleged transfers of the applicant’s IP address to the third party service in the US in June 2022, that the applicant’s conduct (meaning a technical adjustment made by the applicant changing his apparent IP address location between the EU and the US) must have been regarded as the direct and immediate cause of part of the non-material damage claimed, and not alleged misconduct on part of the Commission in using the third party service. This part of the applicant’s claim could not be justified where the applicant was responsible for triggering that transfer. On this aspect of this claim the applicant therefore failed to establish a link between the Commission’s conduct and the damage invoked. The implications of this finding are significant as it could impact the manner in which those defending data protection claims challenge an applicant’s evidence of a controller’s alleged infringement.

Significance for data controllers

This judgment highlights the continued scrutiny with which the European courts review EU-US data transfers. Although it relates to the GDPR’s sister law, it is no less significant, in that it indicates that mere “uncertainty” can, according to the General Court, become a qualifying threshold for demonstrating loss in relation to personal data.  In a recently published decision, M.H. – v- Child and Family Agency [2023] IECC 11 the Irish courts continue to show willingness to award compensation at higher levels (€7,500) where non-material damage (e.g., distress) is proven and deemed to be at the serious end of the scale.

The Bindl decision may be appealed to the Court of Justice of the EU, but for now, controllers should exercise caution with the use of uncertain or conditional language in privacy notices, especially when describing international data flows.

The authors would like to thank Jennifer Floyd for her contribution to this briefing.

Representative Actions in Ireland: 2024 in Review – Arthur Cox LLP

Summary of 2024’s Key CJEU Data Protection Judgments – Arthur Cox LLP

Related Knowledge

Responding to the Public Consultation on the Tax Treatment of Interest in Ireland

05/02/2025briefing

Horizon Scanner: Finance

04/02/2025briefing

“Manifestly Excessive” Requests Under the GDPR: Numbers Alone Are Not Enough

22/01/2025briefing