Over the past 18 months there have been a number of notable decisions from both the Court of Justice of the European Union (“CJEU”) and the Irish courts which provide further clarity regarding when compensation is payable for non-material loss under the GDPR, and some indicative guidance as to the levels of compensation that will be awarded (see our previous updates here and here).
On 8 January 2025, the EU General Court in Bindl v European EU Commission (Case T-354/22) ordered the EU Commission to pay €400 in damages to an individual whose data had been transferred to the US unlawfully without adequate protections, during the transition period between the EU-US Privacy Shield and the EU-US Data Protection Framework. The EU General Court held that the EU Commission “committed a sufficiently serious breach of a rule of law that is intended to confer rights on individuals”. This decision represents the first time an EU court has awarded non-material damages for a violation of EU data transfer rules. Whilst the issues in scope of the decision relate to Regulation 2018/1725 (the equivalent of the GDPR for personal data processing carried out by EU institutions), the findings will be of relevance to organisations that are subject to the GDPR, which contains similar provisions.
Facts
The plaintiff in this case is a German citizen and the founder of EUGD.org, a German-based litigation funding firm focused on EU data protection claims. The plaintiff was registering for an event forming part of the Conference on the Future of Europe in 2022. He attempted to access the website using his Facebook account through the EU Commission’s authentication process. On 30 March 2022, this information was transferred to Amazon Web Services through the “Amazon CloudFront,” a Content Delivery Network (“CDN”). The plaintiff accessed the website again on 8 June 2022, and his data was transferred again to Amazon CloudFront.
The plaintiff alleged that during his visits to the website, his personal data, including his IP address, along with information about his browser and terminal were transferred via the CDN and ended up on servers operated by Meta Platforms. The plaintiff was concerned that as a result, his data could be accessed by US security services.
The plaintiff made a claim for €800 in compensation for the non-material damage he claimed to have sustained as a result of the infringement of his right of access to information. He submitted an “inactivity claim” due to the EU Commission’s alleged failure to issue a position in response to his request for information. He argued that the transfers of personal data infringed Regulation (EU) 2018/1725 and the EU Charter of Fundamental Rights on the basis that the EU lacked adequate data protection standards.
The Court’s Finding on Non-Material Damage Claim
The EU General Court ultimately found that by providing the option (and associated hyperlink) to access the EU Commission’s website via Facebook log-in, the EU Commission had “created the conditions for the applicant’s IP address to be transmitted to Facebook”. As the IP address constituted the plaintiff’s personal data, this transmission amounted to “a transfer of personal data to a third country, within the meaning of Article 46 of Regulation 2018/1725”.
The EU General Court further found that at the time of the transfer of the data, no adequacy decision of the EU Commission with regard to the US existed. As such, the transfer of data to a third country could only be carried out if the controller (in this case, the EU Commission) had provided appropriate safeguards, and on the condition that enforceable data subject rights and effective legal remedies for data subjects were available, in accordance with Article 48(1) of Regulation (EU) 2018/1725. The EU General Court established that the mechanism to log in to its website via Facebook was administered accordingly to Meta’s terms and conditions only, and was therefore without the adequate safeguards. Further, the EU Commission had not demonstrated or claimed that such an appropriate safeguard was in existence.
As the EU Commission had created the conditions for the transfer of the plaintiff’s personal data to a third country in the absence of the necessary safeguards, it was held that the EU Commission had committed a sufficiently serious breach within the meaning of Article 46 of Regulation 2018/1725.
In summary, the EU General Court ultimately found that:
- not only material damage, but also non-material damage suffered as a result of infringement of Regulation (EU) 2018/1725 gives rise to compensation, “without any reference being made to any threshold of seriousness;”
- the non-material damage suffered must be “actual and certain”. Purely “hypothetical and indeterminate damage” does not give rise to compensation; and
- there was a sufficiently direct causal link between the EU Commission’s infringement and the non-material damage suffered by the plaintiff. The award was set at €400.
Key Takeaways
The Bindl decision is notable because it is the first time that the an EU court has awarded compensation to an individual for non-material damages where there has been a breach of EU data transfer rules. However, some of the findings of the EU General Court are difficult to reconcile, particularly the court’s finding that damage must be “actual and certain” whereas the court went on to award damages to the plaintiff because in all the circumstances he was “put in a position of some uncertainty as regarding the processing of his personal data.” It is also notable that the EU Commission was ordered to pay damages to an individual (i.e. public sector organisations are not exempt to regulatory consequences for violation of the Regulation (EU) 2018/1725).
The €400 in damages awarded by the EU General Court is to be welcomed by data controllers faced with non-material loss claims, and the relatively modest sum will hopefully be reflected in future awards from the Irish courts when considering such claims. The award in Bindl is certainly less than comparable awards issued by the Circuit Court and High Court in Ireland in the past 24 months, which have ranged from €500 up to €5,500.
With the enactment of the Representative Actions for the Protection of the Collective Interests of Consumers Act 2023 last April, and the designation of NOYB as a ‘Qualified Entity’, it is conceivable that this decision may precipitate future class actions in Ireland where similar breaches of data transfer rules may have occurred under the GDPR. Whilst €400 is a relatively modest award for an individual case, a class action could result in many multiples of that figure. Organisations need to ensure that appropriate safeguards are in place for international data transfers to avoid costly breaches of the data transfer rules.
Irish practitioners also eagerly await the judgment of the Supreme Court in the case of Dillon v Irish Life [2024]. In that case, the Supreme Court will consider, inter alia, whether distress, upset and anxiety are a form of personal injury such that plaintiffs seeking non-material damages in respect of same are required to obtain prior authorisation from the Injuries Resolution Board before commencing proceedings.
For more information, please contact any member of our Davinia Brennan, Connor Cassidy Technology and Innovation Group or Commercial Litigation Group or your usual Matheson contact.