The new year is only just underway but the EU data protection landscape is already potentially in line for an impactful shake-up. In an 8 Jan. decision, the European General Court set a new precedent by ordering the European Commission to pay damages to an individual after their data was unlawfully transferred to the U.S. without adequate protections.
Though plaintiff Thomas Bindl was awarded just 400 euros in the matter, the court's ruling could open a new paradigm for EU data protection litigation and representative actions. The Commission has the ability to raise an appeal to the Court of Justice of the European Union.
According to the decision, the General Court found the Commission "committed a sufficiently serious breach of a rule of law that is intended to confer rights on individuals" when transferring Bindl's data to the U.S. during the transition period between the EU-U.S. Privacy Shield and the EU-U.S. Data Protection Framework. The transfer occurred when Bindl used a Facebook login function to access a Commission-managed website, which collected his IP address along with browser and terminal information.
In a press release, the court explained the Commission "neither demonstrated nor claimed that there was an appropriate safeguard, in particular a standard data protection clause or contractual clause" to lawfully facilitate the transfer. The court also explained the applicability of nonmaterial damages, indicating Bindl "found himself in a position of some uncertainty as regards the processing of his personal data" given alleged inadequate transfer safeguards.
In exclusive comments to the IAPP, Bindl called the ruling "a victory for the rights of consumers" that "clearly shows that infringements of privacy rights and the resulting damages must be compensated." Bindl is the founder of Europäische Gesellschaft für Datenschutz mbH, a German-based litigation funding firm focused on EU data protection claims.
Strengthening collective actions
The ruling marks a potential turning point for industry thinking around EU enforcement versus litigation.
Since the EU General Data Protection Regulation took effect in 2018, much attention has been paid to EU data protection authorities' scrutiny and where the subsequent financial penalties landed for various violations. Collective actions were always a consideration, but views of EU and national courts varied and did not generate the same financial burdens as DPA fines.
The Bindl decision may create more balance in the legal calculus as the risk of mass individual claims increases.
"The judgment could have a massive impact, and the 400 euros in damages awarded by the court could end up worth billions," University Grenoble Alpes law professor Théodore Christakis said. "By embracing an audacious approach in recognizing 'intrinsic harm,' the court effectively paves the way for activists and law firms to pursue large-scale collective redress actions on behalf of 'thousands or millions of individuals under similar circumstances. It also paves the way for 'Schrems III' that could now come sooner rather than later taking the form of a class action."
NOYB, the Max Schrems-led consumer data protection advocacy group, was recently granted the ability to bring collective redress actions in Austria and Ireland, the homes to EU headquarters for many of the world's largest technology companies. The jurisdictional approval means NOYB can file data protection claims on behalf of multiple plaintiffs within the EU courts, a status only provided to nonprofits, as well as file injunctions.
With particular attention to Bindl's complaint, there is a chance of a watershed moment for similar complaints around alleged inadequate transfer protections before the EU-U.S. DPF took effect. Digiphile Services Managing Director Phil Lee, AIGP, CIPP/E, CIPM, FIP, said the decision will "undoubtedly embolden" complainants to at least pursue litigation on pre-DPF and other unlawful transfer claims "whether that is actually the case or not."
Data transfer considerations
The ruling also brings EU-U.S. data transfers back into the spotlight for 2025. Looming challenges against the EU-U.S. DPF aside, the Bindl decision raises new technical questions around data transfers that regulators and courts appear likely to explore when assessing any violation of consumer rights.
"Similar to the Fashion ID ruling, this judgment seems to make clear that (a given company) will be held responsible for integrating third party tools that collect and make international transfers of IP addresses unlawfully," Lee said. "Ensuring there are appropriate safeguards in place for these transfers will be paramount."
Lee added the ruling also calls for reconsideration of what sorts of data transfer activities may qualify for nonmaterial damages moving forward.
Christakis said it was "stunning" to have "potential huge consequences" for EU data transfers stem from a case "involving an eventual transfer of a single IP address out of Europe in an almost zero-risk context." He also indicated the questions the General Court did not examine might be more notable toward future litigation.
"Did Meta actually transfer the claimant's IP address to the U.S.? If so, how likely would U.S. intelligence agencies be to request under (the Foreign Intelligence Surveillance Act Section) 702 an IP address in a case involving registrations for an event on 'European environmental policy?'" Christakis said. "And if they did make a request, how severe is the harm of accessing a simple IP address in this context?"
Joe Duball is the news editor for the IAPP.
