In a landmark ruling, the European Union (EU)’s General Court has directed the European Commission (EC) to pay €400 in damages to a German citizen over non-compliance with EU data protection regulations. The case marks the first time the court has penalised the Commission for breaching the bloc’s stringent data privacy rules.
The dispute arose when the citizen, Thomas Bindl, used the “Sign in with Facebook” option to register for a conference on the Commission’s ‘Conference on the Future of Europe’ website. During the process, data from Bindl’s device, including his IP address, was transferred to third-party providers, including Meta Platforms in the US. The transfer, according to the court, lacked the necessary safeguards required under EU data protection laws, thereby constituting a serious violation.
The judgment, delivered this week by the Sixth Chamber of the General Court, dismissed Bindl’s broader claims for annulment of data transfers and other damages but upheld his request for compensation for non-material harm. The court also criticised the Commission’s handling of Bindl’s repeated requests for clarity regarding the processing and transfer of his personal data.
Background of the case
Bindl, who has a keen interest in IT and data protection, initially contacted the Commission in November 2021, raising concerns about data transfers involving the conference website. He noted that connections to external service providers, such as Amazon Web Services (AWS) and Microsoft, were activated during his interactions with the site. Bindl requested detailed information about the processing and transfer of his personal data and sought assurances about compliance with EU data protection regulations.
In response, the Commission stated that no data had been transferred outside the EU and clarified that its contractual arrangements with AWS EMEA, a Luxembourg-based subsidiary of Amazon, did not permit such transfers. However, when Bindl repeated his concerns in April 2022, the Commission deemed the inquiry redundant, referring back to its earlier response.
Frustrated by the lack of a clear resolution, Bindl escalated the matter to the General Court in June 2022, alleging violations of the EU’s data protection framework, particularly the General Data Protection Regulation (GDPR).
The General Court found that the Commission had failed to adequately address Bindl’s requests and breached GDPR principles by allowing data transfers without sufficient safeguards. The ruling also criticised the Commission for not defining its position on Bindl’s inquiries in a timely manner. While the court declined to annul the Commission’s data transfer practices, it did order compensation for the non-material damage Bindl sustained due to the infringement of his digital privacy rights. Additionally, the court directed the Commission to cover half of Bindl’s legal costs.
The EC, which has often penalised global tech giants for GDPR violations, now finds itself held to similar scrutiny. “The Commission takes note of the judgment and will carefully study the Court’s judgment and its implications,” stated a Commission spokesperson, as reported by Reuters.
Read more: EC takes action as member states miss NIS2 directive deadline
