EU – Bindl v Commission: A class action cause for concern?

The decision in Bindl v Commission (T-354/22) suggests a low bar for compensation claims for non-material damages resulting from data protection breaches. We consider if this will act as a catalyst for claimants across the EU to pursue civil, or even class action, lawsuits.

A recent decision of the General Court (Bindl v Commission, T-354/22) demonstrates just how low the bar can be regarding claims for non-material damages for data protection breaches in the EU.

Merely putting an individual “in a position of some uncertainty as regards the processing of his personal data”, such as an individual’s IP address, can justify compensation. In this case the General Court awarded the individual €400 to compensate for the “uncertainty”. 

In the wake of several high-profile data privacy investigations in the headlines, this judgment could serve as a catalyst, incentivising claimants across the EU to pursue civil, or even class action, lawsuits. Such lawsuits pose considerable risks due to the number of potential claimants, and therefore the high level of potential damages, based on the ‘Bindl tariff’. Commentators have called the decision “stunning” with potentially “huge consequences”.

What happened?

The case relates to transfers of personal data to the US under Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by EU institutions. This is the equivalent of the GDPR for EU institutions and bodies.

The EU Commission hosted a GoGreen event where the registration process offered multiple options for signing up, including via Facebook. One applicant, Thomas Bindl, selected this option, allegedly resulting in the transmission of his IP address to Meta Platforms Inc. in the United States.

Mr Bindl, a German citizen, submitted the following claims, arguing that the General Court should:

  • Annul the transfers of his personal data to third countries that do not have an adequate level of protection; the transfers took place between 30 March and 8 June 2022.
  • Declare that the Commission unlawfully failed to “define its position” on the subject access request Mr Bindl made on 1 April 2022. In particular, the Commission failed to explain: (i) what personal data about him had been processed; (ii) which of his personal data had been transferred to third parties; and (iii) the legal basis for such transfers, and the “guarantees” in place for countries lacking adequate levels of protection.
  • Order the Commission to pay €1200 in compensation plus interest, which consisted of: (a) €800 for non-material damage sustained as a result of the failure to respond to his subject access request; and (b) €400 for non-material damage sustained as a result of the international transfers of his personal data.

The applicant only succeeded in the claim about international transfers. He was awarded the €400 in non-material damages he had sought. He did so by arguing that the “sign-in with Facebook” option on the EU login webpage, which made use of Mr Bindl’s own Facebook account details, infringed his right to protection of his personal data.

The General Court found that this method of sign in “created the conditions” for the transmission of the applicant’s IP address to the United States, for which the Commission was responsible. There was no adequacy decision in place for the United States at the time of transfer, and no other safeguards had been put in place by the Commission (such as standard contractual clauses). Therefore, the Commission failed to comply with EU law requirements for the transfer of personal data by an EU institution to a third country.

The General Court further concluded that the applicant suffered non-material damage due to the “position of some uncertainty as regards the processing of his personal data”.

Finally, the court determined that the Commission had committed a sufficiently serious breach of the regulations, such that the standard under which the Commission must pay out compensation to individuals was met.

Key takeaways

Firstly, IP addresses, even “dynamic” IP addresses which change over time, “must be classified as personal data”. That is because a dynamic IP address corresponds to a precise identity at “a given point in time”. While the judgment cites Breyer C‑582/14, it is not clear this sweeping finding is consistent with that or other recent decisions (e.g. Scania C-319/22).

Secondly, prior to the introduction of the Data Protection Framework, Schrems I and II affirmed that the United States did not have adequate levels of protection for the transfer of personal data from the EU. This was the position at the time of the transfer of Mr Bindl’s IP address. Therefore, the Commission had a duty to: (i) implement safeguards to protect the transfer (such as through the use of Standard Contractual Clauses); and (ii) assess and confirm the viability of those safeguards (and where necessary adduce supplementary measures) before facilitating any transfers.

Thirdly, importantly, the Commission “neither demonstrated nor claimed” that appropriate safeguards had been put in place. No evidence on this point was adduced. Instead, the Commission attempted to argue, unsuccessfully, that the conditions for establishing non-contractual liability against the Commission were not satisfied.

Fourthly, as an aside, the General Court rejected the applicant’s argument that there was a separate transfer of personal data to the US by virtue of its being transferred to AWS EMEA in Munich. AWS EMEA is a subsidiary of a US AWS entity that might be required to disclose personal data to US authorities under the US law enforcement regime. While the General Court found that a risk of disclosure to US authorities existed, the Court went on to say that “the mere risk of access to personal data by a third country cannot amount to a transfer of data” and the “risk of an infringement of Article 46 cannot be treated as being akin to a direct infringement”. This is potentially an important finding in the preparation of transfer impact assessments. However, note that the Court suggested that a separate transfer could have occurred if US authorities had actually accessed the data.

Lastly, the applicant claimed he suffered non-material damage due to the transfer of his data to the US, a jurisdiction without adequate safeguards or protections. The General Court agreed, stating that the transfer caused non-material damage due to “some uncertainty as regards the processing of his personal data, in particular of his IP address”. The reasoning is slight on this point, but the court noted that, as a result of Austrian Post (C-300/21) etc., non-material damage did not have to meet any “threshold of seriousness” but must be “actual and certain”. Readers may have their own views about how actual and certain Mr Bindl’s “some uncertainty” must have been to entitle him to €400; nonetheless, the General Court was persuaded.

Although this case does not fall under the GDPR, it serves as a crucial warning for all organisations involved in the transfer of personal data to third countries without an adequacy decision. While the US currently benefits from an adequacy decision due to the Data Privacy Framework, it is not clear whether the new Trump presidency may affect that position.

Where litigation funders and activist groups may pounce

While a €400 award for damages might seem modest, many multinational corporations are and have been involved in transfers of personal data from the EU to the United States involving millions of individuals. Given that scale of processing, any successful claim for breach of the GDPR requirements might result in compensation awards of [X million individuals] x €400. That would result in very significant compensation claims for “non-material damages”.

Historically, class actions in Europe for data protection breaches have struggled because of how challenging it has been to demonstrate that a class has suffered similar types and degrees of loss. If every user’s data is different, how can they be said to have suffered sufficiently similar loss that a class can be created? But Bindl, by setting the bar for non-material loss so low – “some uncertainty as regards the processing of his personal data” – risks making that issue a thing of the past.

When considering how likely class action claims based on a concept of “some uncertainty” might be, there is perhaps one other important piece of information about Mr Bindl to bear in mind. Mr Bindl is the founder of Europäische Gesellschaft für Datenschutz mbH, a German-based litigation funding firm focused on EU data protection claims.

Clearly, given the potentially far-reaching and problematic implications of this judgment, there must be a strong possibility that the case will be appealed to the Court of Justice.