We are not even half-way through January and 2025 is already giving us a lot to chew on. The big items this week in Brussels are multi-pronged challenges to the European Commission's data transfers compliance, playing out in both Luxembourg and Brussels.
The European General Court issued a decision 8 Jan. against the European Commission that could have significant repercussions, pending potential appeal proceedings. The "Bindl decision" is set to be impactful: first, for its data transfers finding against the EU institution's practices; second, for the precedent it might set on monetary compensation granted to an individual for nonmaterial damages related to the noncompliant processing of their personal data.
The latter point is particularly noteworthy considering the EU rules on collective redress adopted in 2020. The directive is, to this day, largely untested across the EU. The Bindl decision could drastically change that as organizations like Max Schrems' NOYB are recognized as able to bring collective claims before national courts across the EU.
This decision also resonates with ongoing developments in Brussels. In March 2024, the European Data Protection Supervisor issued two orders against the European Commission, respectively requiring that: effective 9 Dec. 2024, the Commission suspend all data flows resulting from its use of Microsoft 365 to Microsoft and its affiliates and sub-processors located in countries outside the EU/European Economic Area not covered by an adequacy decision; and by 9 Dec. 2024, the Commission bring its processing operations into compliance through corrective measures imposed by the EDPS.
Fast forward to January 2025, the battle is on between the Commission and the EDPS, as Euractiv reports the Commission is not only challenging the EDPS's findings, but is allegedly suing the EDPS over its orders' "erroneous interpretation and application" of the EU Data Protection Regulation, the EU General Data Protection Regulation's sister law which applies to EU entities.
All that happens as the nomination process for the position of supervisor is at its peak. On 16 Jan., the European Parliament's Committee on Civil Liberties, Justice and Home Affairs will hold a public hearing with the four shortlisted candidates for the job, including current EDPS Wojciech Wiewiórowski, who is running for a second term. Member states will also have a say in the process. While the EDPS mission goes well beyond the issue at hand, these latest developments are expected to play a role in the nomination process.
These developments may also prompt data transfer compliance to again be front and center of much wider debates merging security and industrial self-sufficiency considerations in Europe. At a political level, the dynamics between the Commission's Executive Vice-Presidents Henna Virkkunen and Stéphane Séjourné will be a strong indicator to watch, as they respectively lead the bloc's tech sovereignty strategy and industrial strategy.
Isabelle Roccia, CIPP/E, is the managing director, Europe, for the IAPP.
This article appeared in the Europe Data Protection Digest, a free weekly IAPP newsletter.