EC Is Ordered to Pay Damages for Unlawful Data Transfer to U.S.
In what one privacy expert called a "dam-bursting moment," the European Court of Justice's General Court Wednesday ordered the European Commission (EC) to pay $412 (400 euros) to a German visitor to one of its websites because the site unlawfully transferred his personal data to the U.S. (Case T-354/22/ Bindl v. Commission). The EC said it would "carefully study" the judgment and its implications.
Sign up for a free preview to unlock the rest of this article
The website let visitors register for a "Go Green" event by signing in with Facebook, which created conditions for transmission of the person's IP address, considered personal data, to Meta Platforms, the court said. It added that, unlike several claims by the visitor, Thomas Bindl, this particular transmission on March 30, 2022, was attributable to the EC, which at the time had not decided whether the U.S. ensured an adequate level of protection for Europeans' personal information after earlier data flow agreements (Safe Harbor and Privacy Shield) were ruled void.
Moreover, the court said, the EC didn't claim that the data was sent under some other appropriate safeguard, such as a standard contractual clause. Therefore, the EC didn't comply with EU rules for transfers by EU institutions or bodies of personal data to a third country: "It must therefore be concluded, without any examination of the applicant’s other arguments being required, that the Commission committed a sufficiently serious breach." The court ordered the EC to pay Bindl the money he requested. The judgment can be appealed to the Court of Justice.
The first award of damages for data transfers "is a dam-bursting moment that will catalyze a flood of complaints, including U.S.-style class-action complaints, that will reshape the data protection map," Joe Jones, International Association of Privacy Professionals research and insights director, said in an email. Having been "buffeted and bruised by the blows of regulatory enforcement, organisations will be bracing harder than ever for a new era under the EU General Data Protection Regulation -- litigation."
While the damages in this case seem small, Jones said, that they were awarded to an individual in a "state of some uncertainty" about loss of control of his data will embolden people and organizations to sue. Representative groups, such as privacy activist Max Schrems' organization noyb, can now act on behalf of thousands or millions of users, so some big damage awards could be coming, Jones added.