Luxembourg, 8 January 2025
Judgment of the General Court in Case T-354/22 – Bindl v Commission
The General Court orders the Commission to pay damages to a visitor to its ‘Conference on the Future of Europe’ website as a result of the transfer of personal data to the United States
—
By means of the ‘Sign in with Facebook’ hyperlink displayed on the EU Login webpage, the Commission created the conditions for transmission of the IP address of the individual concerned to the US undertaking Meta Platforms
A citizen living in Germany complained that the Commission had infringed his right to the protection of his personal data when, in 2021 and 2022, he visited the website of the Conference on the Future of Europe, 1 which is managed by the Commission. Specifically, he had registered for the ‘GoGreen’ event through that website using the Commission’s EU Login authentication service, having selected the option of signing in using his Facebook account.
According to the individual concerned, during his visits to that website his personal data, including his IP address and information about his browser and terminal, were transferred to recipients established in the United States.
The data were, he claims, transferred to the US undertaking Amazon Web Services, in its capacity as operator of the content delivery network Amazon CloudFront, which was used by the website in question. Moreover, when he registered for the ‘GoGreen’ event using his Facebook account, his personal data were transferred to the US undertaking Meta Platforms, Inc.
However, according to the individual concerned, the United States do not have an adequate level of protection. He maintains that those transfers gave rise to a risk of his data being accessed by the US security and intelligence services. The Commission had not indicated any of the appropriate safeguards that might justify those transfers. 2
On that basis, he seeks payment of €400 in compensation for the non-material damage which he claims to have sustained because of the transfers at issue.
He also seeks annulment of the transfers of his personal data, a declaration that the Commission unlawfully failed to define its position on a request for information and an order that the Commission pay him €800 in compensation for the non-material damage which he claims to have sustained as a result of the infringement of his right of access to information.
The General Court dismisses the application for annulment as inadmissible and finds that there is no longer any need to adjudicate on the claim for a declaration of failure to act. The General Court also dismisses the claim for damages based on infringement of the right of access to information, finding that there is no non-material damage as alleged.
As regards the claim for damages based on the disputed transfers of data, the General Court dismisses that claim in relation to the transfers of data via Amazon CloudFront.
The General Court finds that, during one of the connections at issue, data were transferred, according to the principle of proximity, 3 to a server 4 located in Munich in Germany, rather than to the United States. According to the contract concluded between the Commission and the Luxembourg undertaking, Amazon Web Services, which manages Amazon CloudFront, Amazon Web Services was required to ensure that data remain, at rest and in transit, in Europe.
In the case of another connection, it was the individual concerned who was responsible for its redirection, via the Amazon CloudFront routing mechanism, to servers in the United States. As a result of a technical adjustment, he appeared to be located in the United States.
However, as regards that person’s registration for the ‘GoGreen’ event, the General Court finds that, by means of the ‘Sign in with Facebook’ hyperlink displayed on the EU Login webpage, the Commission created the conditions for the transmission of his IP address to Facebook. That IP address constitutes personal data which, by means of that hyperlink, were transmitted to Meta Platforms, an undertaking established in the United States. That transfer must be imputed to the Commission.
At the time of that transfer, on 30 March 2022, there was no Commission decision finding that the United States ensured an adequate level of protection for the personal data of EU citizens. Furthermore, the Commission has neither demonstrated nor claimed that there was an appropriate safeguard, in particular a standard data protection clause or contractual clause. 5 The displaying of the ‘Sign in with Facebook’ hyperlink on the EU Login website was entirely governed by the general terms and conditions of the Facebook platform.
The Commission did not, therefore, comply with the conditions set by EU law for the transfer by an EU institution, body, office or agency of personal data to a third country.
The General Court finds that the Commission committed a sufficiently serious breach of a rule of law that is intended to confer rights on individuals. The individual concerned suffered non-material damage, in that he found himself in a position of some uncertainty as regards the processing of his personal data, in particular of his IP address. There is, moreover, a sufficiently direct causal link between the Commission’s infringement and the non-material damage sustained by the individual concerned.
Since the conditions for establishing the European Union’s non-contractual liability are satisfied, the General Court orders the Commission to pay the individual concerned the sum of €400 claimed.
NOTE: An action for damages may be brought by any person who considers that the European Union has incurred non-contractual liability. Such liability presupposes that three cumulative conditions are satisfied: (1) a sufficiently serious breach of a rule of law intended to confer rights on individuals; (2) the fact of damage; and (3) the existence of a causal link between the unlawful conduct of the European Union and the harm suffered.
NOTE: An appeal, limited to points of law only, may be brought before the Court of Justice against the decision of the General Court within two months and ten days of notification of the decision.
Unofficial document for media use, not binding on the General Court. The full text and, as the case may be, an abstract of the judgment is published on the CURIA website on the day of delivery.
—
1 At https://futureu.europa.eu.
2 As provided for in Chapter V of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data.
3 The Amazon CloudFront service is based on a routing mechanism that directs requests of users of the ‘Conference on the Future of Europe’ website to the edge server that provides the lowest latency, according to a principle of proximity to the particular user’s terminal, so that content is delivered to users in the best possible conditions.
4 The server in question belongs to a German undertaking that is part of the Amazon CloudFront network of edge locations.
5 Adopted in accordance with the conditions laid down in Article 48(2) and (3) of Regulation 2018/1725.
Source – EU General Court