Case T‑354/22
Thomas Bindl
v
European Commission
Judgment (Sixth Chamber, Extended Composition) of 8 January 2025
(Processing of personal data – Protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies – Regulation (EU) 2018/1725 – Concept of ‘transfer of personal data to a third country’ – Transfer of data when visiting a website – EU Login – Action for annulment – Act not open to challenge – Inadmissibility – Action for failure to act – Position taken ending the inaction – No need to adjudicate – Action for damages – Sufficiently serious breach of a rule of law conferring rights on individuals – Causal link – Non-material damage)
Actions for annulment – Actionable measures – Concept – Acts producing binding legal effects – Operations that may result in a transfer of personal data to a third country – Not included
(Art. 263 TFEU; European Parliament and Council Regulation 2018/1725, recital 79 and Arts 2(5), 3, point 3, and 64(1))
(see paragraphs 22-25, 30-34)
Actions for damages – Autonomy in relation to action for annulment and action for failure to act – Action for annulment inadmissible and no need to adjudicate on the action for failure to act – Damages claim not seeking the same outcome as that of the action for annulment – Admissibility
(Arts 263, 265 and 340, second para., TFEU)
(see paragraphs 35, 43, 56, 57)
Non-contractual liability – Conditions – Real and certain damage caused by an illegal measure – Non-material damage caused by the failure to observe the time limit prescribed for informing the requesting party of the reasons for the controller’s inaction – Not included
(Art. 340, second para., TFEU; European Parliament and Council Regulation 2018/1725, Arts 14(4) and 65)
(see paragraphs 77-80, 83-85)
EU institutions – Protection of natural persons with regard to the processing of personal data – Regulation 2018/1725 – Transfer of personal data to third countries – Concept – Transfer of such data, during a visit to a website, to a recipient established in the European Union – Not included
(European Parliament and Council Regulation 2018/1725, recital 63, Arts 3, point 1, and 46)
(see paragraphs 92-98, 100-105, 125, 126, 129-131)
Non-contractual liability – Conditions – Unlawfulness – Sufficiently serious breach of EU law – Risk of access to personal data by a third country – Not included – Rights to privacy, personal data protection and effective judicial protection – No infringement
(Art. 340, second para., TFEU; Charter of Fundamental Rights of the European Union, Arts 7, 8 and 47; European Parliament and Council Regulation 2018/1725, Arts 46 and 48(1) and (2)(b))
(see paragraphs 133-137, 139, 140)
Non-contractual liability – Conditions – Causal link – Non-material damage resulting from a loss of control over personal data – Transfer of such data to a third country during a visit to an institution’s website – Transfer attributable to the conduct of the data subject – No causal link between the damage and the conduct of the institution
(Art. 340, second para., TFEU; European Parliament and Council Regulation 2018/1725, Art. 65)
(see paragraphs 146-149, 156-164)
Non-contractual liability – Conditions – Unlawfulness – Sufficiently serious breach of EU law – Transfer of personal data to a third country – Transmission of such data by an institution by means of a hyperlink for signing in to a page on the website using Facebook – No adequacy decision by the institution or appropriate safeguards in respect of that country – Included
(Art. 340, second para., TFEU; European Parliament and Council Regulation 2018/1725, Arts 46, 47 and 48(1) and (2))
(see paragraphs 186-193)
Non-contractual liability – Damage – Damage for which compensation is available – Transfer of personal data to a third country – Transmission of such data by an institution by means of a hyperlink for signing in to the webpage of that institution’s authentication service using Facebook – Non-material damage caused to the applicant by the uncertainty as regards the processing of the applicant’s personal data – Included
(Art. 340, second para., TFEU; European Parliament and Council Regulation 2018/1725, Arts 46 and 65)
(see paragraphs 196-200)
Résumé
Ruling in extended composition, the General Court upheld in part the claims for damages brought by Mr Bindl, the applicant. In that regard, the Court rules for the first time on the interpretation of provisions of Regulation 2018/1725 ( 1 ) and, again for the first time, draws the appropriate conclusions from the ‘Schrems II’ case-law ( 2 ) in the context of the application of that regulation and of the ‘principle’ of consistent interpretation of similar provisions of Regulations 2016/679 ( 3 ) and 2018/1725.
The applicant visited the website of the Conference on the Future of Europe (‘CFE’) on 30 March 2022 and, using his Facebook account, registered for the ‘GoGreen’ event featured on it. On 8 June 2022, he visited that website again. The European Commission is the data controller for the purposes of that website.
By two requests for information of 9 November 2021 and 1 April 2022, reiterated on 22 April and 2 May 2022, the applicant asked the Commission to provide him with information about the processing of his data and the possible transfer of such data to third countries. He stated in particular that he had noticed that when he logged in to the CFE website, a connection with third-party providers, such as the United States (US) undertaking Amazon Web Services, had been activated.
By email of 3 December 2021, the Commission sent him a list of his personal data which had been processed and informed him that his data had not been transferred to recipients outside the European Union and that the CFE website used a content delivery network managed by Amazon Web Services EMEA SARL (‘AWS EMEA’), established in Luxembourg (Luxembourg).
The applicant brought the present action on 9 June 2022.
Findings of the Court
The Court rules, first of all, on the admissibility of the claims for annulment of transfers of personal data to third countries which are said to have taken place on 30 March and 8 June 2022 (‘the transfers at issue’).
In that regard, the Court points out that not all operations that may result in a transfer of personal data, within the meaning of Regulation 2018/1725, constitute challengeable acts for the purpose of Article 263 TFEU.
In the present case, assuming that the transfers at issue are established, the Court notes that they are physical, not legal, acts. Those transfers are IT operations migrating data from one terminal or server to another that result from interactions between the applicant and the Commission’s IT systems or services.
Accordingly, in so far as the transfers at issue are not acts of the Commission that have binding effect, they are not likely to have binding legal effects capable of affecting the interests of the applicant and cannot therefore be considered challengeable acts for the purpose of Article 263 TFEU.
The Court then goes on to rule on the merits of the four claims for damages put forward by the applicant.
As regards, first of all, the first claim for compensation for non-material damage resulting from an infringement of the right of access to information, the Court finds that no such non-material damage has been demonstrated in the present case.
The only unlawful conduct established in the present case is that of the Commission’s failure to observe the one-month time limit prescribed by Regulation 2018/1725 ( 4 ) with regard to the information request of 1 April 2022. However, since that time limit was not exceeded by more than two months and, moreover, the applicant received at least a partial response to his information request of 3 December 2021, the unlawful conduct does not seem to have been such as to cause the applicant the non-material damage alleged, consisting in his being prevented from controlling the processing of his personal data.
Consequently, the Court dismisses the applicant’s first claim for damages.
As regards, next, the second claim for compensation for non-material damage resulting from the disputed transfer at the time of the visit to the CFE website on 30 March 2022, the Court notes that, during that visit, there was indeed a transfer of the applicant’s personal data, within the meaning of Regulation 2018/1725, including of his IP address. However, it also observes that it has not been demonstrated in this instance that, during that visit to the CFE website, there was a transfer of the applicant’s personal data to a third country ( 5 ) and, in particular, to the United States.
In addition, the mere risk of access to personal data by a third country – should AWS EMEA, because of its status as a subsidiary of a US undertaking, be unable to object to a request from the US authorities concerning access to data stored in servers located within the European Economic Area (EEA) – cannot amount to a transfer of data, within the meaning of Regulation 2018/1725. In other words, the risk of an infringement of Regulation 2018/1725 cannot be treated as being akin to a direct infringement of that regulation. In that regard, the mere risk of an infringement of the provisions of Regulation 2018/1725 relating to transfers to third countries cannot, in any event, be sufficient to establish misconduct on the part of the Commission amounting to a sufficiently serious breach of those provisions.
With regard, moreover, to the third claim for compensation for non-material damage resulting from the disputed transfer at the time of the applicant’s visits to the CFE website on 8 June 2022, the Court examines, in the present case, whether the Commission’s use of the Amazon CloudFront service as the content delivery network for the CFE website is the direct cause of the non-material damage claimed, consisting in a loss of control over the applicant’s personal data.
The Court finds that it is indeed the operation of the Amazon CloudFront service, with its routing mechanism which functions according to the principle of proximity and which covers a geographic area greater than the territory of the EEA, including, in particular, the United States, that made it possible for the applicant’s IP address to connect, during visits to the CFE website, to Amazon CloudFront servers located in the United States.
However, although the Commission’s use of the Amazon CloudFront service is a necessary condition for the transfers of personal data to the United States, that is not sufficient to establish a sufficiently direct causal link between the non-material damage invoked by the applicant and the Commission’s allegedly unlawful conduct. In fact, it is the applicant’s conduct that must be regarded as being the direct and immediate cause of the non-material damage claimed, and not the alleged misconduct on the part of the Commission in using the Amazon CloudFront service. Thus, it is the applicant who, while in Germany, made technical adjustments to change his apparent location and created the conditions required to trigger connections to servers located in the United States through the operation of the Amazon CloudFront service, by causing the routing mechanism of that service to redirect his requests to visit the CFE website to servers located in the United States.
Moreover, the applicant is not justified in behaving in such a way as to trigger a certain outcome (namely, the transfer of his personal data to a third country), only subsequently to claim compensation for damage allegedly caused by that outcome, which was in fact directly caused by his conduct. Accordingly, the Court considers that the applicant’s situation cannot be assessed in the same way as that of a user who has actually travelled to the United States and who therefore may have accessed the CFE website from within that country.
As regards, lastly, the fourth claim for compensation for non-material damage resulting from the disputed transfer on signing in to EU Login on 30 March 2022, the Court states that, in the present case, it has been demonstrated that, first, of the various options for signing in to EU Login, the applicant chose to sign in with his Facebook account. Secondly, the ‘Sign in with Facebook’ hyperlink contains a link to a URL address of the Facebook website. Thirdly, when the applicant activated that hyperlink by clicking on it, his browser accessed the URL address of the Facebook website and then transmitted his IP address to Facebook.
The Court concludes from this that, by means of the ‘Sign in with Facebook’ hyperlink displayed on the EU Login webpage, the Commission created the conditions for the applicant’s IP address to be transmitted to Facebook. That IP address constitutes the applicant’s personal data, which, by means of that hyperlink, was transmitted to Meta Platforms, an undertaking established in the United States. That transmission amounts, therefore, to a transfer of personal data to a third country, within the meaning of Regulation 2018/1725.
Furthermore, at the time of that transfer of data, on 30 March 2022, no adequacy decision of the Commission, within the meaning of Regulation 2018/1725, ( 6 ) existed with regard to the United States. In the absence of such a decision, personal data may be transferred to a third country or to an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available, in accordance with Regulation 2018/1725. ( 7 )
In the present case, the Commission has neither demonstrated nor claimed that there was an appropriate safeguard, in particular a standard data protection clause or contractual clause. By contrast, it has been demonstrated that the displaying of the ‘Sign in with Facebook’ hyperlink on the EU Login website is entirely governed by the general terms and conditions of the Facebook platform.
Consequently, the Commission created the conditions for a transfer of the applicant’s personal data to a third country to proceed, without, however, complying with the conditions laid down in Regulation 2018/1725. ( 8 ) Accordingly, the non-material damage invoked by the applicant must be considered to be actual and certain, in so far as the transfer referred to above, which was contrary to Regulation 2018/1725, put the applicant in a position of some uncertainty as regards the processing of his personal data, in particular of his IP address.
In the light of the above, the Court orders the Commission to pay the sum of EUR 400 to the applicant for the non-material damage sustained as a result of the disputed transfer on signing in to EU Login on 30 March 2022.
( 1 ) Chapter V of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ 2018 L 295, p. 39).
( 2 ) Judgment of 16 July 2020, Facebook Ireland and Schrems (C‑311/18, EU:C:2020:559).
( 3 ) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1).
( 4 ) Under Article 14(4) of Regulation 2018/1725, the data controller is required, if he or she should decide not to take action on a request for information, to inform the person making the request, within one month, of the reasons for not taking action.
( 5 ) Article 46 of Regulation 2018/1725.
( 6 ) Article 47 of Regulation 2018/1725.
( 7 ) Article 48(1) of Regulation 2018/1725.
( 8 ) Article 46 of Regulation 2018/1725.