On January 8, 2025, the General Court of the Court of Justice of the European Union (“CJEU”) issued its judgment in the case of Bindl v Commission (Case T-354/22), ruling that the European Commission (the “Commission”) must pay damages to a German citizen whose personal data was transferred to the U.S. without adequate safeguards.

Background

The case concerned the Commission’s website for the “Conference on the Future of Europe,” which offered users the ability to register for events by signing in using their Facebook account, among other sign-in options.

The claimant, a citizen living in Germany, alleged that selecting this option caused his personal data—including his IP address and browser details—to be transferred to U.S.-based Meta Platforms, Inc. In addition, the claimant asserted that his personal data had been transferred to Amazon Web Services via the Amazon CloudFront content delivery network used on the website. He argued that the transfer posed risks, as the U.S. did not ensure an adequate level of data protection under EU law and that the data could potentially be accessed by U.S. intelligence services. At the time of the transfer in March 2022, the Commission had not yet finalized a new adequacy decision regarding the U.S., following the invalidation of the EU-U.S. Privacy Shield Framework by the CJEU in the Schrems II case.

The claimant sought €400 in damages for the non-material harm he allegedly suffered due to the transfers and €800 for an alleged infringement of his right of access to information. He also sought a declaration that the Commission acted unlawfully in failing to respond to his request for information and annulment of the data transfers.

Anyone who believes the European Union (through one of its institutions) is responsible for non-contractual liability can file a claim for damages. For such liability to apply, three conditions must be met: (1) a serious violation of a law that gives rights to individuals; (2) actual damage; and (3) a direct connection between the unlawful actions and the harm caused.

The Findings

The General Court issued a mixed ruling in this case:

• The General Court dismissed the claim regarding the transfer of data to Amazon Web Services, finding insufficient evidence that the transfer had occurred unlawfully. During one of the individual’s connections to the website in question, the General Court found that data was transferred to a server in Munich, Germany, rather than the U.S. In the case of another connection, the individual was responsible for redirecting the data via the Amazon CloudFront routing mechanism to servers in the U.S. Due to a technical adjustment, the individual appeared to be located in the U.S.
• The General Court also rejected the claims related to the alleged infringement of the claimant’s right to access information, ruling that no harm had been demonstrated.
• Further, the General Court dismissed the annulment application as inadmissible and found no need to adjudicate the claim of failure to act.
• However, the General Court held the Commission responsible for enabling the transmission of the claimant’s personal data―specifically, the claimant’s IP address―to Meta Platforms, Inc. via the “Sign in with Facebook” The General Court found that the Commission had not implemented appropriate safeguards to legitimize such transfer and had therefore committed a sufficiently serious breach of a rule of law that is intended to confer rights on individuals. In this case, the claimant argued that he had suffered non-material damage due to uncertainty about how his personal data, especially his IP address, was being processed. The General Court found that there was a sufficiently direct causal link between the Commission’s violation and the harm sustained by the individual. As a result, the General Court granted the complainant damages and ordered the Commission to pay €400.

An appeal addressing only legal issues may be filed within two months and ten days of receiving the General Court's decision.

Read the judgment.