
European General Court Orders the European Commission to Pay Damages for Transferring Personal Data to the United States

Published February 9, 2025
Author

Rohma Fatima Qayyum

Associate Data Privacy Analyst at Securiti

Introduction

On 8 January 2025, the European General Court delivered a significant judgment on international data transfers in Case T-354/22, Thomas Bindl v European Commission. The case concerns the transfer of personal data to a third country, the United States, without appropriate safeguards, in breach of Regulation (EU) 2018/1725, the data protection regulation that applies to EU institutions, bodies, offices and agencies.

Background of the Case

The case was brought by a German citizen (the applicant) who visited the website of the Conference on the Future of Europe (CFE website) multiple times in 2021 and 2022. In particular, he visited the CFE website on 30th March 2022 to register for the ‘GoGreen’ event featured on the website. During his visits to the website, the applicant observed that the CFE website connected with third-party providers, including US-based Amazon Web Services (AWS) and Microsoft, transferring his personal data, such as IP address and browser details, to the United States.

He emailed the Commission twice, on 9th November 2021 and 1st April 2022, raising concerns about the CFE website’s connections to such third-party providers. In both emails, he requested details under Regulation (EU) 2018/1725 about the processing and storage of his data, its transfer to third parties, and the safeguards applied to transfers to non-EU countries. In response to the email of 9th November 2021, the Commission informed the applicant on 3rd December 2021 that his data was processed and stored in Luxembourg by AWS EMEA and that its contractual arrangements allowed no transfers outside the EU. In response to the email of 1st April 2022, the Commission replied on 30th June 2022 that this request was identical to that of 9th November 2021 and that it had already been answered.

Before the European General Court, the applicant sought the following:

  1. an annulment of unauthorized data transfers;
  2. declaration of the Commission's failure to address the applicant’s information request of 1st April 2022;
  3. compensation of EUR 1,200 for non-material damages sustained as a result of an infringement of his right of access to information and damages sustained as a result of the transfer of the applicant’s data; and
  4. coverage of legal costs.

A. Annulment of Data Transfers

The applicant sought annulment of alleged personal data transfers to non-EU countries lacking adequate protection, claiming these transfers violated his data protection rights. The court rejected the applicant’s claim as inadmissible because it considered that the transfers in question were technical IT operations moving data between servers during the applicant’s interactions with the Commission’s systems, like visiting a website. They were not legal actions by the Commission meant to create or change any legal rights or obligations and, hence, were not challengeable under Article 263 of the Treaty on the Functioning of the European Union (TFEU).

B. Declaration of Failure to Address Applicant’s Request

The applicant brought a claim under Article 265 of TFEU that the Commission had failed to act on his information request of 1st April 2022. The Commission argued that the claim had become devoid of purpose because it had responded on 30th June 2022, stating that the request of 1st April 2022 was virtually identical to that of 9th November 2021 and that it had already replied to the latter by its email of 3rd December 2021. The court emphasised that Article 265 of TFEU concerns a failure to take a decision or define a position, not a failure to adopt the particular measure the applicant desires. It therefore agreed with the Commission: once a response has been given, even one that does not satisfy the applicant, there is no longer a failure to act, and there was no need to adjudicate on this claim.

C. Claim for Damages

Within the claim for damages, the applicant sought:

  1. a payment of EUR 800 in compensation for the non-material damages sustained because of the Commission’s failure to respect his right of access to information and the principle of transparency, contrary to Articles 4(1)(a), 14(3), 14(4), 17(1) and 17(2) of Regulation 2018/1725; and
  2. a payment of EUR 400 in compensation for the non-material damage sustained as a result of the applicant’s data transfer at issue, contrary to Articles 46, 48(1) and (2)(b) of Regulation 2018/1725.

I. Damages for Failure to Provide Access to Information

The applicant alleged that the Commission did not reply to his email of 1st April 2022 within the prescribed period of one month and did not give reasons for its inaction, in breach of Articles 4(1)(a), 14(3), 14(4), 17(1)(c) and 17(2) of Regulation 2018/1725. He argued that this inaction prevented him from exercising control over the processing of his personal data, which constitutes non-material damage. Specifically, he claimed that the Commission had disregarded the principle of transparency (Article 4(1)(a)), his right to receive a response to his request within one month (Article 14(3)) and, failing that, to be informed of the reasons (Article 14(4)), and his right of access to information about the recipients of his personal data and the safeguards applied to its transfer (Articles 17(1)(c) and 17(2)).

It is important to add that as per the settled case law, the European Union may incur non-contractual liability if three cumulative conditions are satisfied:

  1. the unlawfulness of the conduct alleged against the institutions;
  2. the fact of damage; and
  3. the existence of a causal link between that conduct and the damage complained of.

On the access-to-information allegation, the court held that Articles 17(1)(c) and 17(2) of Regulation 2018/1725 entitle the data subject to specific information but do not require that it appear in any particular document, such as the privacy statement on the CFE website; the data subject instead obtains it by exercising the right of access under those provisions. On the timing allegation, the court found that the Commission had failed to respond to the request of 1st April 2022 within the one-month period laid down in Article 14(3) and (4) of Regulation 2018/1725, and that this was the only unlawful conduct established. However, the applicant could not demonstrate that this failure to observe the time limit had caused him the non-material damage alleged. Since one of the cumulative conditions for the European Union’s non-contractual liability, the causal link, was not satisfied, the court dismissed the first claim for damages.

II. Damages for Applicant’s Data Transfer

The applicant claimed to have sustained non-material damages as a result of the transfer of his data to the third-party recipient based in the United States. The applicant added that the United States does not have an adequate level of protection, and the transfer of the applicant’s data to the US may give rise to a risk of his data being accessed by the US security and intelligence services.

The applicant mentioned different instances of data transfer during his visits to the CFE website. First, during his visit to the CFE website on 30th March 2022, where data was transferred to Amazon Web Services via Amazon CloudFront; second, when signing in to EU Login with his Facebook account on the same date, resulting in data transfer to Meta Platforms; and third, during a visit to the CFE website on 8th June 2022, where data was allegedly transferred to an Amazon CloudFront server in Newark, New Jersey. The applicant’s claim for damages originated from the Commission’s violation of the general principle for transfer (Article 46), adoption of appropriate safeguards related to data transfer (Article 48(1)), and adoption of standard data protection clauses (Article 48 (2)(b)) of Regulation 2018/1725.

The court dismissed the claim for damages in so far as it concerned the transfers via Amazon CloudFront. For one connection, the data was routed, under the principle of proximity, to a server in Munich, Germany, under the Commission’s contract with AWS, which required AWS to keep the data within Europe both at rest and in transit. For the other connection, the applicant was served by a US CloudFront server because a technical configuration on the applicant’s own side made his connection appear to originate from the United States; the court attributed that routing to the applicant’s setup rather than to the Commission.

However, with regard to the applicant’s registration for the ‘GoGreen’ event, the court found that by displaying a ‘Sign in with Facebook’ link on the EU Login webpage, the Commission created the conditions for the applicant’s IP address to be transmitted to Meta Platforms, an undertaking established in the United States. At the time of that transfer, 30th March 2022, no adequacy decision was in place establishing that the United States ensured an adequate level of protection for personal data. Nor had the Commission put appropriate safeguards in place, such as standard data protection clauses adopted by the Commission or contractual clauses with Meta; the ‘Sign in with Facebook’ function was governed entirely by Facebook’s general terms and conditions.
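The finding above turns on a mechanical point: a web page discloses the visitor’s IP address to every host the browser is made to contact, whether that happens automatically at page load (scripts, images, stylesheets, iframes) or only when the visitor acts, as with the ‘Sign in with Facebook’ link. The following script is an added example, not code from the judgment or from the Commission’s EU Login site, that audits a page’s HTML for third-party URLs and records which of the two triggers applies. It uses only the Python standard library; the sample page, its host names and paths are constructed for illustration and are assumptions, not the real CFE or EU Login markup.

```python
"""Audit an HTML page for URLs that make a visitor's browser contact hosts
outside the page's own site, and hence disclose the visitor's IP address
to a third party.

Added example; not code from the judgment or the Commission's site. The
sample page below is constructed, and its host names are assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose URL the browser fetches automatically when the page renders.
AUTO_LOAD = {"script": "src", "img": "src", "iframe": "src", "link": "href",
             "video": "src", "audio": "src", "source": "src"}
# <link> rel values that actually trigger a request (rel="canonical" does not).
FETCHING_REL = {"stylesheet", "icon", "preload", "modulepreload", "prefetch",
                "preconnect", "dns-prefetch"}
# Elements whose URL is contacted only after the user acts (click / submit).
ON_ACTION = {"a": "href", "form": "action"}


def site_of(host):
    """Crude registrable-domain approximation: the last two DNS labels.
    Fine for example.eu / facebook.com; use the Public Suffix List in
    production, since this mishandles names such as example.co.uk."""
    return ".".join(host.lower().split(".")[-2:])


class ThirdPartyAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_site = site_of(urlsplit(page_url).hostname)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag in AUTO_LOAD:
            attr, trigger = AUTO_LOAD[tag], "on page load"
            rel = set(attrs.get("rel", "").lower().split())
            if tag == "link" and not (rel & FETCHING_REL):
                return  # e.g. rel="canonical": metadata only, never fetched
        elif tag in ON_ACTION:
            attr, trigger = ON_ACTION[tag], "on user action"
        else:
            return
        value = attrs.get(attr)
        if not value:
            return
        url = urljoin(self.page_url, value)  # resolve relative and //host URLs
        host = urlsplit(url).hostname
        if not host or site_of(host) == self.page_site:
            return  # first-party: the visitor's IP goes nowhere new
        self.findings.append({"tag": tag, "host": host, "trigger": trigger, "url": url})


def audit(page_url, html):
    """Return every third-party URL in `html`, with the trigger that contacts it."""
    parser = ThirdPartyAuditor(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page (assumed hosts): a first-party login form plus two
# third-party references, one contacted at page load and one only when clicked.
SAMPLE_PAGE_URL = "https://login.example.eu/cas/login"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/login.css">
<link rel="canonical" href="https://login.example.eu/cas/login">
<script src="https://cdn.example.eu/js/app.js"></script>
</head><body>
<form action="/cas/login" method="post"><input name="user"><input type="submit"></form>
<a href="https://www.facebook.com/login">Sign in with Facebook</a>
<img src="https://analytics.example-vendor.com/pixel.gif" alt="">
</body></html>
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{f['trigger']:15} <{f['tag']}> -> {f['host']}")
```

Run against the sample, the audit reports two disclosures: the analytics pixel, reached by every visitor as soon as the page renders, and the Facebook link, reached only by visitors who click it. Both are transfers to the host concerned from the visitor’s browser, and a page owner who relies on a hosting contract that keeps data in Europe still has to account for each of them separately. The script only sees static markup; URLs assembled by JavaScript at runtime need a browser-based check such as a HAR capture.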

The court ruled that the Commission had not complied with the conditions laid down in EU law for the transfer of personal data by an EU institution, body, office or agency to a third country. As a result of that transfer, the applicant suffered non-material damage in the form of uncertainty about how his personal data was being processed, and a sufficiently direct causal link between the Commission’s infringement and that damage was established. The court ordered the Commission to pay the applicant the €400 claimed for the unlawful transfer.

The court ruled that the Commission should bear its own costs and also pay one-half of the costs incurred by the applicant while the applicant should bear the remaining one-half of the costs incurred by him.

Conclusion

The European General Court has set a precedent by ordering the European Commission to pay damages to an individual whose personal data was unlawfully transferred to the United States without appropriate safeguards. Although the award is only €400, the judgment establishes that an unlawful transfer can in itself ground a claim for non-material damage, without proof of any further harm. Regulation 2018/1725 binds EU institutions rather than private organisations, but its transfer rules mirror Chapter V of the GDPR, and the same reasoning, applied to a large number of affected individuals, could expose organisations that transfer personal data to third-country recipients without appropriate safeguards to substantial aggregate liability.
