EGC - T‑354/22 - Bindl v Commission
| General Court - T‑354/22 Bindl v Commission | |
|---|---|
 | |
| Court: | General Court |
| Jurisdiction: | European Union |
| Relevant Law: | Article 14 EU GDPR Article 17 EU GDPR Article 46 EU GDPR Article 48 EU GDPR |
| Decided: | 08.01.2025 |
| Parties: | EU Commission |
| Case Number/Name: | T‑354/22 Bindl v Commission |
| European Case Law Identifier: | ECLI:EU:T:2025:4 |
| Reference from: | |
| Language: | 24 EU Languages |
| Original Source: | Judgement |
| Initial Contributor: | ao |
The European General Court ordered the European Commission to pay a data subject €400 in non-material damages due to the transfer of personal data to the USA following two visits to one of the Commission’s websites.
English Summary
Facts
In 2021 and 2022, the data subject visited the website on the “Conference on the future of Europe” which is managed by the European Commission. The data subject alleged that his personal data including his IP address and information on his browser and terminal were transferred to recipients in the United States on three occasions through this website.
On the 30 March 2022, the data subject’s IP address and browser and terminal information were transferred to Amazon Web Services through the “Amazon CloudFront”. The “Amazon CloudFront” provided the basis for the website visited by the data subject.
On the same day, in order to sign up for an event, the data subject used the option of signing in with his Facebook account as provided for by the Commissions authentication service. The data subject alleged that this transferred his personal data to the American company Meta Platforms Inc. The data subject again visited the website on the 8 June 2022 and again his data was transferred to Amazon CloudFront.
Claim one for non-material damages valued at €400
The data subject brought forward that the United States does not provide an adequate level of protection of personal data and that his data was at risk of being disclosed to US security and intelligence services. The data subject claimed for compensation of €400 for the non-material damage he had suffered due to the data transfer in violation of Article 46 of Regulation (EU) 2018/1725 ("EUDPR") and Article 48(1)&(2)(b) EUDPR. In addition, the data subject sought the annulment of the transfer of his personal data.
Claim two for non-material damages valued at €800
On the 1 April 2022, the data subject requested access to information from the Commission to which it responded on the 30 June 2022 via email. However, the data subject alleged that information provided in the email was insufficient. He therefore claimed that the Commission had failed to issue a position (inactivity claim) in response to the data subject’s request for information. Further, he alleged that no information on the data transfer to the United States was included in the privacy policy. For this, the data subject claimed €800 compensation for the infringement of his right to access to information in violation of Article 14(3)&(4) EUDPR and Article 17(1)&(2) EUDPR as well as the principle of transparency under Article 4(1)(a) EUDPR.
Holding
annulment of the transfer
The court dismissed the data subjects application for annulment as inadmissible since the transfers at issue are not likely to have binding legal effects or are capable of affecting the interests of the data subject changing their legal position.
Claim two for damages valued at €800
The court found that the unlawful conduct only established in the case was that the Commission failed to observe the one-month time limit stiipulated in Article 14(4) EUDPR. However, the data subject's argument concerned the substance of the information rather than the procedural rule that was actually infringed. Therefore, the data subject failed to demonstrate any non-material damage resulting from said infringement. The court therefore discarded the data subject’s claim for damages due to an infringement of the Commission's information obligation and of his right to access to information under Article 14 EUDPR and Article 17 EUDPR.
Claim one for damages valued at €400
- Amazon CloudFront
The court found that for the first data transfer to Amazon CloudFront, the data remained within the EU. In the second instance, the data was transferred to the United States due to a technical adjustment caused by the data subject. Since the transfer to the United States was caused primarily by the data subject's conduct the court found no sufficiently direct causal link between the Commission's allegedly unlawful conduct and the non-material damage claimed by the data subject.
- Facebook sign-in
The court found that through the “sign-in with facebook” hyperlink displayed on the EU login webpage, the Commission created the conditions for the transfer of personal data to Meta Platforms, which is established in the United States. Therefore, the transfer of data was attributed to the Commission. The court stipulated that at the time of the transfer, there was no decision by the Commission showing that the United States ensure an adequate level of protection for personal data. The Commission neither showed that appropriate safeguards were in place nor that standard data protection clauses or contractual clauses protected the personal data.
The court established that the “sign-in with facebook” function was administered entirely according to Meta’s terms and conditions and therefore without appropriate safeguards. Therefore, the Commission did not comply with the required conditions for transfer of personal data by an EU institution to a third country contrary to Article 46 EUDPR and Article 48 EUDPR.
As the data subject found himself in a position of uncertainty as regards the processing of his personal data, in particular of his IP address, the court assessed that he had suffered non-material damage and ordered the Commission to pay him damages valued at €400.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
