In a judgment handed down on Wednesday 8 January (Case T-354/22), the General Court of the European Union has ordered the European Commission to pay €400 to a European citizen whose personal data was transferred to the United States via a website managed by the EU institution without the citizen having access to personal data protection guarantees equivalent to those in force in the EU.
In Germany, a citizen is claiming €1,200 in compensation for the non-material damage he allegedly suffered as a result of the European Commission’s violation of his right to the protection of his personal data when he consulted the website of the ‘Conference on the Future of Europe’ (https://aeur.eu/f/eyj ). He had registered via this site for the ‘GoGreen’ event, using the Commission’s ‘EU Login’ authentication service and choosing the option of logging in using his Facebook account.
The interested party believes that by consulting the Commission’s website, personal data (IP address, browser and terminal information) was transferred to recipients in the United States, in particular to Amazon Web Services. In addition, when he registered for the ‘GoGreen’ event using his Facebook account, certain data was allegedly transferred to the US company Meta Platforms.
However, according to the person concerned, the United States did not have an adequate level of protection for personal data at the time, insofar as the data transfers would have given rise to a risk of access to his data by the American security and intelligence services. And the Commission had not mentioned any of the appropriate safeguards that could justify these transfers provided for in Regulation (2018/1725) governing the protection of individuals with regard to the processing of their personal data by the EU institutions and bodies.
The General Court dismissed the claim for damages (€800) based on the infringement of the right of access to information, considering that the alleged non-material damage has not been demonstrated. It rejected a similar claim concerning data transfers via Amazon CloudFront, arguing that the data was transferred not to the United States, but to a server located in Munich, based on the principle of proximity to the user’s terminal.
On the other hand, as regards the registration of the person concerned for the ‘GoGreen’ event, the General Court considers that the Commission created, by means of the ‘sign in using Facebook’ hyperlink displayed on the ‘EU Login’ website, the conditions allowing the IP address of the person concerned to be transmitted to Facebook. This IP address constitutes personal data which, via said hyperlink, has been transmitted to Meta Platforms, a company established in the United States. This transfer must be attributed to the Commission, according to the General Court.
However, at the end of March 2022, there was no Commission decision stating that the United States provides an adequate level of protection for the personal data of EU citizens, just an agreement in principle between the Commission and the United States to replace the ‘Privacy Shield’ following the ‘Schrems II’ ruling by the Court of Justice of the EU (see EUROPE 12919/11).
Furthermore, the General Court notes, the Commission has not demonstrated - or even alleged - the existence of an appropriate guarantee, in particular a standard data protection clause or a contractual clause adopted in accordance with Regulation 2018/1725. The display of the ‘sign in using Facebook hyperlink on the ‘EU Login’ website was simply governed by the general terms and conditions of the Facebook platform.
As a result, the European Court considers that the Commission has infringed EU law and that the complainant has suffered non-material damage by finding himself in a situation of uncertainty regarding the processing of his personal data. Moreover, it adds, there is a sufficiently direct causal link between the infringement committed by the Commission and the non-material damage suffered by the person concerned. As the conditions for the Union’s non-contractual liability had been met, the European Court ordered the Commission to pay the interested party the sum of €400 requested for this loss.
To see the EU General Court judgment, go to https://aeur.eu/f/eyk (Original version in French by Mathieu Bion)