On 8 January 2025, the European General Court (EGC) delivered a landmark judgment in case T-354/22, Bindl v Commission. The case looks at the processing of personal data by EU institutions and raises significant questions about the transfer of such data to third countries. Although this ruling primarily concerns Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and not the GDPR, it is of interest to businesses and institutions handling personal data within the European Union, as it reaffirms fundamental principles of data protection and security.
The facts
The applicant, Mr. Thomas Bindl, a German citizen interested in information technology and data protection, accessed the European Commission's "Conference on the Future of Europe" website ("https://futureu.europa.eu") multiple times in 2021 and 2022. On 30 March 2022, he registered for the "GoGreen" event using his Facebook account, and he revisited the website on 8 June 2022.
During these visits, the applicant observed connections to third-party providers, notably US-based Amazon Web Services (AWS). On 9 November 2021, the applicant emailed the Commission's Data Protection Officer, inquiring about the processing and potential transfer of his personal data to third countries. The Commission responded on 3 December 2021, stating that his data was processed by AWS EMEA SARL, based in Luxembourg, and that no transfers to recipients outside the EU had occurred.
Unsatisfied, the applicant sent another request on 1 April 2022, seeking detailed information about data processing and transfers, including copies of his data stored by third parties like Facebook. The Commission replied on 30 June 2022, indicating that his April request was nearly identical to his November 2021 inquiry, to which they had already responded.
Consequently, on 9 June 2022, the applicant filed an action before the General Court, raising three claims:
- annulment of the transfers of his personal data to third countries lacking adequate protection (claim 1)
- a declaration that the Commission unlawfully failed to act on his 1 April 2022 information request (claim 2)
- compensation of €1,200 for non-material damage resulting from the alleged violations (claim 3).
The judgment
The General Court held that claims (1) and (2) were inadmissible but addressed several key issues regarding claim (3) in its judgment:
Conditions for establishing the EU’s non-contractual liability under Regulation 2018/1725
Under Article 65 of Regulation 2018/1725, individuals who suffer material or non-material damage due to an infringement of the Regulation have a right to compensation, subject to the conditions set out in Article 340 TFEU. The European Union’s non-contractual liability arises if three cumulative conditions are met: a sufficiently serious breach of EU law; actual and certain damage; and a direct causal link between the breach and the damage.
A sufficiently serious breach occurs when an EU institution manifestly and gravely disregards the limits of its discretion. Damage must be actual and certain, meaning that hypothetical or indeterminate harm does not suffice for compensation. The causal link requires that the institution’s conduct be the direct and determining cause of the damage.
First claim for damages – non-material damage from infringement of the right of access to information
The applicant sought €800 in compensation for non-material damage caused by the European Commission’s failure to meet its obligations under Regulation 2018/1725, including not responding to the applicant’s April 2022 access request within the prescribed time limit and providing allegedly incorrect information about data transfers. He argued that this failure prevented him from exercising control over his personal data, constituting non-material damage.
The Court recognised that the Commission breached its obligation under Article 14(4) of Regulation 2018/1725 by exceeding the one-month response time by approximately two months. However, it ruled that the applicant had not demonstrated actual and certain non-material damage. The applicant had already received a partial response to an earlier, substantially similar request in December 2021, mitigating the impact of the delay. Since the applicant failed to prove damage resulting directly from the delay, the Court dismissed the claim, noting that one of the cumulative conditions for establishing EU non-contractual liability was not met.
Second claim for damages – compensation for non-material damage from data transfers
The applicant sought €400 in compensation for non-material damage allegedly caused by the transfer of his personal data to the United States on three separate occasions: his visit to the CFE website on 30 March 2022, his signing in to EU Login on the same date, and subsequent visits to the website on 8 June 2022. He argued that the transfers of personal data infringed Regulation 2018/1725 and the EU Charter of Fundamental Rights, as the US lacked adequate data protection standards on the date of those data transfers.
The Court outlined the framework for personal data transfers to third countries under Chapter V of Regulation 2018/1725. Transfers require either an adequacy decision from the Commission or appropriate safeguards. The absence of an adequacy decision for the United States at the time in question, following the Schrems II ruling, therefore placed additional compliance burdens on controllers, such as requiring them to put in place supplementary technical and organisational measures to safeguard the data transfers, including those carried out under Standard Contractual Clauses.
The Court found that during a visit to the CFE Website on 30 March 2022, the applicant's data was transmitted to servers within the EU and no transfer to the US took place. The applicant argued that because the data was transferred to a subsidiary of US company AWS, there was a risk that it might be required to transfer the data to the USA on receipt of a request from a US surveillance authority. Significantly, the Court said, however, that the mere risk of US authorities accessing this data did not constitute a direct transfer, so no serious breach or causal link to non-material damage was established.
On 8 June 2022, data transfers to US servers occurred – however, this was due to the applicant's technical manipulation, severing the causal link between the Commission's actions and alleged damage. Finally, on 30 March 2022, when using EU Login via Facebook, data was transferred to Meta Platforms (US), breaching Article 46 of Regulation 2018/1725 as no additional safeguards within the meaning of Schrems II were in place. The applicant suffered non-material damage including uncertainty about data security and was awarded €400 compensation.
What does this mean?
It is important to note that the judgment does not concern the GDPR directly. Nevertheless, the Court's reasoning can partially be applied to cases falling under the GDPR to uphold the principle of the unity of the law.
The judgment underscores the strict requirements for third-country data transfers, emphasising the need for a clear legal basis, robust safeguards, and transparency. The €400 damages awarded for the transfer of an IP address set a precedent for high compensation, amplifying liability risks for controllers – whether EU institutions or other private or public bodies. The risk for controllers is potentially higher in countries where class actions are available.
The judgment does, however, fail to address several points of interest in sufficient detail. Some commentators have, for example, suggested that the Court’s distinction between a "transfer" and the mere risk of third-country access to personal data raises questions about evidentiary burdens in a court proceeding. It also appears to be a departure from the views of other DPAs and courts which have placed more emphasis on risk. The inconsistent treatment of the applicant’s actions in breaking causality across different data transfers highlights two points of interest: first, there will be a need for forensic analysis by controllers to assess user behaviour impact on liability; second, the reasoning behind the different treatment of user behaviour impact on causality remains superficial. It is anticipated that there will be an increased requirement for meticulous documentation of the facts, irrespective of whether the party in question is a claimant or a defendant.
The Court also missed the opportunity to comment on the safeguards that are necessary in addition to the use of Standard Contractual Clauses.
Finally, despite previous rulings like the Fashion-ID case, the Court did not address potential joint responsibility between the Commission and Meta for Facebook-based authentication at all, leaving uncertainties in shared data controller scenarios.
Overall, the judgment serves as a wake-up call for businesses to enhance compliance, while key gaps in interpretation and evidentiary requirements warrant further clarity. The decision may yet be appealed to the Court of Justice, but for now the General Court's decision clearly reinforces the obligations of EU institutions and other controllers under data protection law, particularly concerning the handling of personal data involving third-country service providers.