On 8 January 2025, the European General Court (the Court) ruled on the lawfulness of transferring personal data to countries outside the European Union (EU), in particular the United States (case T‑354/22). The judgment (Judgment) caused a stir among both businesses and data protection experts. This blog post gives you an overview of the most important aspects of the Judgment and answers the question: Is it worth the hype?
A. Factual and legal background:
The plaintiff, a German national (who is also the managing director of a company that assists in the mass enforcement of General Data Protection Regulation (GDPR) damage claims in Germany), sued the European Commission (EC) for damages related to the website https://futureu.europa.eu (Website), which used a Content Delivery Network (CDN) operated by an EU-based subsidiary of a United States company. The Website also offered an option to log in using existing social media accounts via the EU Login system. As part of this process, the Website communicated with servers of a social media network in the United States to verify the plaintiff’s authentication and enable the login. The plaintiff visited the Website several times in 2021 and 2022 and used the EU Login system. He claimed that his personal data, including his IP address, was unlawfully transferred to the USA during Website visits and usage of the EU Login system in 2021 and 2022. In consequence, the plaintiff had exercised his right of access to his personal data and had asked for specific information regarding the processing and transfer of his data by the Website and its third-party providers. The plaintiff claims that the EC did not provide the requested information within the statutory time limit. Because the EC processed the data, the Judgment is based on EU Regulation 2018/1725, not the GDPR, but the rules are similar.
B. Analysis of damage claims
The Court dismissed most of the plaintiff’s claims, but ordered the EC to pay 400 EUR in damages for the unlawful transfer of personal data in the context of the EU Login system.
In more detail:
I. Damages for right to access
The Court dismissed the claim for damages related to the allegedly delayed response to the plaintiff’s data subject access request. It emphasized that non-compliance with the statutory time limit for granting access to information, on its own, does not necessarily constitute a qualified breach of Regulation 2018/1725. To succeed in such a claim, the plaintiff must also demonstrate that the EC’s failure to meet the deadline was likely to have caused the alleged damages. In this case, the plaintiff failed to do so.
II. Damages for unlawful data transfer to third countries
The plaintiff alleged that his personal data was transferred to servers in the United States on three different occasions: when visiting the Website on 30 March 2022 and 08 June 2022, and when registering on EU Login on 30 March 2022. The Court rejected the first two claims, but upheld the third one:
i. Data transfer when visiting the Website on 30 March 2022
The Court found that there was no data transfer to a third country, as the plaintiff’s IP address and browser and device information were transmitted to a server in Munich. The Court also ruled that the mere risk of a data transfer does not constitute a data transfer. The fact that the operator of the CDN was a subsidiary of a United States company did not mean that the personal data was accessible by United States authorities. The Court also pointed out that the arguments relating to the Schrems II judgment were irrelevant, as this judgment dealt with the conditions for data transfers to the United States, not the processing of personal data in the EU by subsidiaries of United States companies.
ii. Data transfer when visiting the Website on 08 June 2022
The Court found that even if the transfer to the USA was a breach, it could not have caused any damage. The plaintiff had visited the Website several times on that day, when his IP address was connected to servers in Munich, London, Hillsboro, Newark and Frankfurt. However, the Court found that this was because the plaintiff was in Germany but used technical settings (e.g. a VPN) to change his apparent location, pretending online to be someone who was in places near Munich, London, Hillsboro, Newark and Frankfurt am Main on the same day. The Court stated that a claim for damages requires direct causality between the breach and the damage, and that the behavior of the controller must be the immediate cause of the asserted non-material damage, the loss of control over personal data. In this case, the Court assumed that the direct and immediate cause of the alleged damage was not the alleged violation by the EC, but the behavior of the plaintiff. The plaintiff had deliberately provoked the transfer to the USA in order to claim damages afterwards, so the alleged breach could not be regarded as the cause of the damage.
iii. Data transfer when registering on EU Login on 30 March 2022
The Court ordered the EC to pay 400 EUR in non-material damages due to the unlawful transfer of the plaintiff’s personal data to the United States without having an adequate transfer mechanism in place. The EU Login system allowed users to log in to the EC’s websites using their existing social media accounts. When users clicked the “Sign in” button (a hyperlink), they were redirected to an external page of the social media network, during which their IP address was transmitted to the United States. At the time of the transfer, no adequacy decision or alternative legal basis for such a data transfer existed, as this occurred during the transitional period following the invalidation of the Privacy Shield and before appropriate mechanisms under the GDPR were implemented. The Court considered the EC to be responsible as a controller for data protection, as it had created the conditions for the transmission of the plaintiff’s IP address by placing the hyperlink on the Website. The Court also deemed the requested 400 EUR as appropriate, as the data transmission had placed the plaintiff in a situation where he was uncertain how his personal data was being processed.
Takeaways
The Judgment shows that any claim for damages due to a breach of data protection law requires direct causality between the breach and the damage. If the person concerned interferes with the ‘normal’ course of events in such a way that their actions are a necessary condition or prerequisite for the alleged damage to occur, causality is ruled out from the outset. The Judgment also highlights the importance of ensuring that data transfers, especially to the United States, are compliant, and the responsibility for sign-up links, such as those for third-party authentication services. Companies should clearly inform users about data collection and transfer, and regularly review their data protection processes, especially when using third-party services, to minimize liability risks.
However, the Judgment leaves several important questions unresolved, such as the potential joint controllership between the social network and the EC, and the meaning of “loss of control” over data transfers. Companies should closely monitor these developments and adjust their data protection strategies accordingly.
Update from March 19, 2025:
As announced by the plaintiff on their website, both the European Commission and the plaintiff have filed appeals against the judgment.