In Bindl v Commission, an individual in Germany complained that the Commission had infringed his right to the protection of his personal data when, in 2021 and 2022, he visited a Commission website and registered using the Commission’s EU Login authentication service, having selected the option of signing in using his Facebook account. The individual said that when he visited the website, his personal data, including his IP address and information about his browser and terminal, was transferred to recipients established in the United States. The data was transferred to Amazon Web Services, in its capacity as operator of the content delivery network Amazon CloudFront, which was used by the website. In addition, when he registered for an event using his Facebook account, his personal data was transferred to the US undertaking Meta Platforms, Inc.
The individual claimed that the US does not have an adequate level of protection and the transfers risked his data being accessed by the US security and intelligence services. The Commission had not indicated any of the appropriate safeguards that might justify those transfers. He sought compensation of €400 in compensation for the non-material damage which he claimed to have suffered due to the transfers.
He also sought annulment of the transfers of his personal data, a declaration that the Commission unlawfully failed to define its position on a request for information and an order that the Commission pay him €800 in compensation for the non-material damage which he claimed to have suffered because of the infringement of his right of access to information.
The General Court dismissed the application for annulment as inadmissible and found that there was no need to adjudicate on the claim for a declaration of failure to act. The General Court also dismissed the claim for damages based on infringement of the right of access to information, finding that there was no non-material damage as alleged. In addition, regarding the claim for damages based on the disputed transfers of data, the General Court dismissed that claim in relation to the transfers of data via Amazon CloudFront. This was because the data was actually transferred to a server in Munich rather than the US. Amazon Web Services was contractually required to ensure that data remained in Europe. On another occasion it was the individual concerned who directed his data to the US.
However, when it came to the registration for the event, the General Court found that the “Sign in with Facebook” hyperlink displayed on the EU Login webpage meant that the individual’s IP address was transmitted to Facebook. That IP address constituted personal data which, by means of that hyperlink, was transmitted to Meta Platforms, an undertaking established in the US. That transfer was caused by the Commission.
At the time of that transfer, on 30 March 2022, there was no Commission decision finding that the US ensured an adequate level of protection for the personal data of EU citizens. The display of the “Sign in with Facebook” hyperlink on the EU Login website was entirely governed by Facebook’s general terms and conditions.
This meant that the Commission did not comply with EU law rules for the transfer by an EU institution, body, office or agency of personal data to a third country.
The General Court found that the Commission committed a sufficiently serious breach of a rule of law that is intended to confer rights on individuals. The individual concerned suffered non-material damage, in that he found himself in a position of some uncertainty as regards the processing of his personal data, in particular his IP address. There was a sufficiently direct causal link between the Commission’s infringement and the non-material damage sustained by the individual concerned.
The General Court ordered the European Commission to pay the individual concerned the sum of €400 claimed.
While this case was not brought under the GDPR but similar legislation which applies to EU institutions, the UK GDPR and Data Protection Act 2018 allow damages for non-material damage, so this may be an interesting (non-binding) precedent from a UK perspective.
Although €400 does not sound like a lot, if there were a successful class action along similar lines, it could be very expensive as many websites use Facebook log-in mechanisms.
