EGC: EU Commission must pay plaintiff 400 euros for data transfer to the USA
Due to the integration of "Sign in with Facebook", the European Court has ordered the EU Commission to pay damages.
(Image: Andrey_Kuzmin/Shutterstock.com)
The EU Commission, which is responsible for ensuring compliance with the General Data Protection Regulation when transferring data to third countries, has suffered a defeat before the European Court of Justice: a German legal tech entrepreneur sued the EU Commission – and has now won on two key points in the first of two instances before the court in Luxembourg.
Money for the plaintiff
It is a judgment with implications for website operators: the judges of the sixth chamber of the court, which is directly responsible for legal disputes with the Commission as an administrative unit, ruled that the EU Commission, as website operator, had not complied with its obligations. The EU Commission was responsible for the fact that personal data was transferred to the USA when the website "https://futureu.europa.eu" was accessed, although there was no legal basis for this in the period between the ruling of the European Court of Justice in the Privacy Shield case and the subsequent new adequacy decision of the EU Commission under the name Transatlantic Data Privacy Framework. Such a decision, or another legal basis for the data transfer that complies with data protection law, is a prerequisite for lawful data transfer, argued the plaintiff – and the judges at the lower court have now followed this.
In their ruling, the judges dealt in detail with individual data processing operations. For example, in the case of an Amazon CloudFront data transfer, it was contractually stipulated between the EU Commission as the website operator and AWS that the data had to remain in the EU. In another case, the data subject himself had probably triggered processing in the USA by using a VPN.
Damages due to "Sign in with Facebook"
The judges assessed the case of a "Sign in with Facebook" button differently: the data processing was attributable to the website operator due to the integration. And since there was no agreement between the EU Commission and Meta that could stipulate otherwise, the EU Commission was to be assessed as the data controller under data protection law in every respect. "In the present case, the Commission has not shown, or even claimed, that there is a suitable guarantee, such as a standard data protection clause or a contractual clause pursuant to Article 48(2) and (3) of Regulation 2018/1725 (...). The display of the hyperlink 'Sign in with Facebook' on the website of 'EU Login' has been shown to be governed simply by Facebook's terms of use," it is stated in paragraph 191 of the judgment. The integration was a "sufficiently serious infringement".
Due to this infringement, the claim for non-material damages was also in a "sufficiently direct causal link": The conduct of the EU Commission had "placed the plaintiff in a situation in which he is not certain how the personal data concerning him, in particular his IP address, will be processed". The judges in Luxembourg considered 400 euros to be an appropriate amount in this case.
Integration must be regulated and with clear responsible parties
For website operators, the ruling means that when integrating third-party services, they must ensure that data protection law is complied with; otherwise they may themselves be liable for damages. This is particularly important against the backdrop of emerging disputes involving the future US government under Donald Trump and the support it receives from US technology companies such as Meta: if either the European Court of Justice were to declare the current adequacy decision invalid or Donald Trump were to reverse his predecessor's assurances of better data protection, this would fundamentally call into question the legal basis for the use of US services – and the situation now deemed unlawful by the EGC would become the norm.
While US data transfers are still on a more or less legally secure footing, at least for a few weeks, this does not apply to the use of services from other countries without an adequacy decision. For example, there is no such decision for the People's Republic of China or the Russian Federation. An unregulated integration of elements or the use of software through which data is transferred to these countries, for example, could also lead to liability for damages.
(mki)