EGC - T‑354/22 - Bindl v Commission
The European General Court ordered the European Commission to pay a data subject €400 in non-material damages due to the transfer of personal data to the United States following two visits to one of the Commission’s websites.
English Summary
Facts
In 2021 and 2022, the data subject visited the website on the “Conference on the future of Europe” which is managed by the European Commission. The data subject alleged that his personal data including his IP address and information on his browser and terminal were transferred to recipients in the United States on three occasions through this website.
On the 30 March 2022, the data subject’s IP address and browser and terminal information were transferred to Amazon Web Services through the “Amazon CloudFront”. The “Amazon CloudFront” provided the basis for the website visited by the data subject.
On the same day, in order to sign up for an event, the data subject used the option of signing in with his Facebook account as provided for by the Commissions authentication service. The data subject alleged that this transferred his personal data to the American company Meta Platforms Inc. The data subject again visited the website on the 8 June 2022 and again his data was transferred to Amazon CloudFront.
Claim one for non-material damages valued at €400
The data subject brought forward that the United States does not provide an adequate level of protection of personal data and that his data was at risk of being disclosed to US security and intelligence services. The data subject claimed for compensation of €400 for the non-material damage he had suffered due to the data transfer in violation of Article 46 of Regulation (EU) 2018/1725 ("EUDPR") and Article 48(1)&(2)(b) EUDPR. In addition, the data subject sought the annulment of the transfer of his personal data.
Claim two for non-material damages valued at €800
On the 1 April 2022, the data subject requested access to information from the Commission to which it responded on the 30 June 2022 via email. However, the data subject alleged that information provided in the email was insufficient. He therefore claimed that the Commission had failed to issue a position (inactivity claim) in response to the data subject’s request for information. Further, he alleged that no information on the data transfer to the United States was included in the privacy policy. For this, the data subject claimed €800 compensation for the infringement of his right to access to information in violation of Article 14(3)&(4) EUDPR and Article 17(1)&(2) EUDPR as well as the principle of transparency under Article 4(1)(a) EUDPR.
Holding
annulment of the transfer
The court dismissed the data subjects application for annulment as inadmissible since the transfers at issue are not likely to have binding legal effects or are capable of affecting the interests of the data subject changing their legal position.
Claim two for damages valued at €800
The court discarded the data subject’s claim for damages due to an infringement of his right to access to information. Primarily, the court found that the email response did prove to be a valid response and therefore the data subject’s inactivity claim against the Commission was invalid. Secondarily, the claims of the data subject under Article 14 GDPR and Article 17 GDPR failed as no non-material damage could be constituted.
Claim one for damages valued at €400
- Amazon CloudFront
The court found that for the first data transfer to Amazon CloudFront, the data remained within the EU. In the second instance, the data was transferred to the United States due to a technical adjustment caused by the data subject.
- Facebook sign-in
The court found that through the “sign-in with facebook” hyperlink displayed on the EU login webpage, the Commission created the conditions for the transfer of personal data to Meta Platforms, which is established in the United States. Therefore, the transfer of data was attributed to the Commission. The court stipulated that at the time of the transfer, there was no decision by the Commission showing that the United States ensure an adequate level of protection for personal data. The Commission neither showed that appropriate safeguards were in place nor that standard data protection clauses or contractual clauses protected the personal data.
The court established that the “sign-in with facebook” function was administered entirely according to Meta’s terms and conditions and therefore without appropriate safeguards. Therefore, the Commission did not comply with the required conditions for transfer of personal data by an EU institution to a third country contrary to Article 46 GDPR and Article 48 GDPR.
As the data subject found himself in a position of uncertainty, the court assessed that he had suffered non-material damage and ordered the Commission to pay him damages valued at €400.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
