Freshfields TQ

Technology quotient - the ability of an individual, team or organization to harness the power of technology

EU Commission held accountable on Privacy – The EU General Court's verdict

The General Court, the European Union’s first instance Court, recently handed down a decision on privacy (T-354/22) that stands out. The decision involves alleged shortcomings regarding compliance with data protection laws by an EU authority, underscoring that the European Commission must also adhere to applicable EU data protection rules. In the case at hand, the Court awarded a notably high compensation of EUR 400 to a visitor of the Commission’s website because the visitor’s IP address was allegedly shared with a recipient based in the US due to the inclusion of a URL on the website.

What happened?

A German individual claimed damages from the Commission following an alleged infringement of data protection rules related to an event registration page at a time when there was no adequacy decision for EU-US data transfers in place. To register for an EU-hosted event, the claimant used a login functionality provided by the Commission on its website. By clicking on the respective button, the claimant was redirected to US-located servers of a social network that could be used for logging in. 

Additionally, the Commission employed a content delivery network (CDN) to optimise website performance. CDNs distribute content across multiple servers worldwide to minimise latency. Because the claimant spoofed his location to appear as if he were in the US, the CDN served website content from US-based servers, resulting in his IP address being transmitted to those servers.

Amongst other things, the claimant argued that the aforementioned processing of his IP address on servers located in the US constituted unlawful data transfers under EU data protection rules. He sought non-material damages, claiming he had lost control over his personal data.

What was decided?

The Court ruled that the Commission must pay EUR 400 in non-material damages to the claimant due to an allegedly unlawful transfer of his IP address to the US lacking adequate data protection. The Court found that the Commission’s inclusion of a URL linking to US servers triggered the claimant’s device to transmit its IP address to these servers, thereby in its view violating EU data protection rules.

However, the Court dismissed claims related to the transmission caused by location spoofing. It determined that the injury must result directly from the alleged illegality and not from the claimant’s choice as to how to react to the allegedly unlawful act, and that the mere fact that the unlawful conduct constituted a necessary condition for the (claimed) damage is not sufficient to establish such a direct link. It was the claimant’s own actions, not the Commission’s alleged misconduct, that directly caused the alleged data transfer to the US in this context. In addition, the Court noted that the claimant is not justified in acting in such a way as to trigger a certain outcome (namely the transfer of his personal data to the US), only to subsequently claim damages.

Takeaways from the decision

This ruling has sparked significant discussion, with some commentators labeling it an ‘impactful decision on data transfer litigation’ (see, for example, IAPP). However, the decision’s broader significance may be limited for several reasons:

  1. Limited jurisdiction and precedent: The ruling was issued by the General Court, the European Court of first instance, not the European Court of Justice (ECJ), the European top court. Moreover, it was rendered in an individual case dealing with the EU’s non-contractual liability under Article 340(2) TFEU and the applicable data protection regime was not the GDPR but the data protection rules specifically applicable to Union bodies only. The ECJ has already set a different standard for compensation claims under the GDPR, adhering to a more nuanced approach as regards the requirements for non-material damage as well as the resulting potential compensation. 
  2. Unclear basis for damages: The award of EUR 400 in non-material damages in this case lacks a clear explanation. The Court has provided reasoning neither for the existence of the alleged non-material damage nor for the amount granted. This is astonishing as the claimant, in fact, did not demonstrate any harm. The ruling contrasts sharply with the ECJ’s restrictive line as regards the requirements for compensation, in particular with a view to ‘loss of control’, and also with national rulings in cases with more extensive data disclosures concerning the amount granted.
  3. Inconsistent causality assessment: The Court’s decision is also inconsistent on causality between the alleged infringement and any non-material damage. The Court dismissed the claim related to location spoofing, attributing causality to the claimant’s actions. Yet it accepted causality for IP transmission in the context of the social login, despite the fact that the claimant’s choice to make use of a US-based social network for logging in directly resulted in the data transmission by the claimant’s device.
  4. EU-US Data Privacy Framework (DPF): The transfers occurred after the ECJ's Schrems II decision, which invalidated the EU/US Privacy Shield, but before the establishment of the EU-US Data Privacy Framework (DPF), which provides adequate safeguards for EU-US data transfers (for further details, see our previous DPF summary and DPF FAQs). Today, transferring personal data to US companies certified under the EU-US DPF complies with EU data transfer rules. Consequently, this case would be decided differently under the current legal framework.

Hence, while the decision serves as a reminder that EU institutions are not exempt from GDPR principles, its broader scope of application may be limited due to the aforementioned inconsistencies. The Commission has stated that it will ‘carefully study’ the judgment, so it may turn out that the case ends up on appeal in front of the ECJ, which will likely take a more reasoned approach, in particular regarding causality, the existence and amount of non-material damage claimed by the claimant. 
