EU Court Awards Damages for Breach of EU Data Transfer Rules

On January 8, 2025, the second highest court of the European Union (EU), the General Court of the Court of Justice of the EU (the Court), ordered (in Bindl v European Commission, Case T-354/22) the European Commission (EC) to pay EUR 400 in damages to an individual for transferring their personal data to the U.S. without having implemented a data transfer mechanism under EU law.

While the awarded amount is low, it is the first time an EU court has recognized that individuals can be awarded damages for illegal data transfers without having to demonstrate material loss, which opens the door to potential claims, including class actions, for non-material damages relating to violations of the EU’s data transfer rules. The ruling may be appealed, but it indicates that companies should carefully consider how they comply with EU rules on data transfers.

Background

The judgment relates to Regulation 2018/1725, which is the General Data Protection Regulation (GDPR) equivalent for EU institutions. Regulation 2018/1725 contains similar provisions to Regulation 2016/679 (i.e., GDPR), and Recital 5 of Regulation 2018/1725 states that the Court of Justice of the EU should interpret provisions in both the Regulation 2018/725 and the GDPR homogeneously where those provisions follow the same principles. The findings in the judgment on damages and data transfer rules are therefore also relevant to organizations that are subject to the GDPR.

Under EU law, personal data can only be transferred outside the EU to the extent that it receives an adequate level of protection. This is the case, for example, when personal data is transferred to a country for which the EC has issued an ‘adequacy’ decision, or when companies enter into model contractual clauses approved by the EC. This is also the case when personal data is transferred to a U.S. company that has self-certified to the EU-U.S. Data Privacy Framework (DPF) which was finalized in 2023.

In 2022, an individual in Germany registered for an EC-run event by using the “Sign in with Facebook” button displayed on the EC department's website. As a result, some of his personal data—including his IP address which constitutes personal data under EU law—was transferred to Meta in the U.S.

Key Takeaways

1. The EC’s Transfer of Personal Data to Meta in the U.S. Was Unlawful. The Court found that, by allowing individuals to register for the event by using “Sign in with Facebook,” the EC facilitated the transfer of the individual’s IP address outside the EU without ensuring that it was adequately protected. This transfer occurred before the implementation of the DPF and without any alternative approved data transfer mechanism. As a consequence, the Court concluded that the individual was “in a position of some uncertainty as regards the processing of his personal data,”¹ which the Court considered to be non-material damage.
2. This Marks the First Time a Pan-EU Court Has Awarded Non-Material Damages for Data Transfer Violations. The EU Court of Justice has already allowed the award of non-material damages for violations of the GDPR under certain conditions (for example, in Österreichische Post AG, Case C-300/21 and Scalable Capital GmbH, Joined Cases C-182/22 and C-189/22). However, this judgment marks the first time an EU court has explicitly awarded compensation for non-material damages related to a violation of the EU’s data transfer rules. The non-material damages included: i) loss of control over personal data, and ii) the individual being deprived of his rights and freedoms. The judgment references the Österreichische Post case mentioned above according to which there is no minimum threshold for awarding compensation for non-material damages.
3. The Judgment May Lead to Significant Class Actions. This judgment may open the door to more potential claims, including class actions, for non-material damages relating to violations of the EU’s data transfer rules. While EUR 400 may be an insignificant sum, a class action would multiply that figure by the number of claimants and the total compensation could therefore reach a significant amount.
4. The EC’s Use of Services by Amazon Web Services (AWS) in the EU Did Not Constitute a Transfer. The individual had argued that because the EU subsidiary of AWS is obliged to transmit personal data to U.S. authorities, even if the data are stored on EU territory, a transfer of his personal data occurred to the U.S., and that the data could in theory be accessible from the U.S. The Court rejected this argument because, under the facts of the case, it represented only the mere risk of access to personal data by a third country, which does not constitute a transfer.

Next Steps

The EC may appeal the judgment. However, regardless of whether an appeal occurs and is successful, companies should consider the countries to which they are sending personal data and review whether they have adequate data transfer mechanisms in place. Rules on data transfers will likely continue to be a focus for regulators and courts throughout 2025, and the judgment may signal the start of significant class actions in the EU related to data protection claims.

^[1]Paragraph 197 of General Court judgment in case T‑354/22, Bindl v European Commission, January 8, 2025.