The European Commission was caught failing to comply with its own data protection regulations and, in a first, ordered to pay damages to a user for the violation. The €400 ($415) award may be tiny compared to fines levied against Big Tech by European authorities, but it’s still a win for users and considerably more than just a blip for the “talk about embarrassing” file at the commission.
The case, Bindl vs. EC, underscores the principle that when people’s data is lost, stolen, or shared without promised safeguards—which can lead to identity theft, cause uncertainty about who has access to the data and for what purpose, or place our names and personal preferences in the hands of data brokers —they’ve been harmed and have the right to hold those responsible accountable and seek damages.
Some corporations, courts, and lawmakers in the U.S. need to learn a thing or two about this principle. Victims of data breaches are subject to anxiety and panic that their social security numbers and other personal information, even their passport numbers, are being bought and sold on the dark web to criminals who will use the information to drain their bank accounts or demand a ransom not to.
But when victims try to go to court, the companies that failed to protect their data in the first place sometimes say tough luck—unless you actually lose money, they say you’re not really harmed and can’t sue. And courts in many cases go along with this.
The EC debacle arose when a German citizen using the commission’s website to register for a conference was offered to sign in using Facebook, which he did—a common practice that, surprise, surprise, can and does give U.S.-based Facebook access to signees’ personal information.
Here’s the problem: In the EU, the General Data Privacy Regulations (GDPR), a comprehensive and far-reaching data privacy law that came into effect in 2018, and a related law that applies to EU institutions, Regulation (EU) 2018/1725, requires entities that handle personal data to abide by certain rules for collecting and transferring it. They must, for instance, ensure that transfers of someone’s personal information, such as their IP address, to countries outside the EU are adequately protected.
The GDPR also give users significant control over their data, such as requiring data processors to obtain users’ clear consent to handle their personal data and allowing users to seek compensation if their privacy rights are infringed—although the regulations are silent on how damages should be assessed.
In what it called a “sufficiently serious breach,” a condition for awarding damages, the European General Court, which hears actions against EU institutions, found that the EC violated EU privacy protections by facilitating in 2022 the transfer of German citizen Thomas Bindl’s IP address and other personal data to Meta, owner of Facebook. The transfer was unlawful because there were no agreements at the time that adequately protected EU users’ data from U.S. government surveillance and weak data privacy laws.
“…personal data may be transferred to a third country or to an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available,” the court said. “In the present case, the Commission has neither demonstrated nor claimed that there was an appropriate safeguard, in particular a standard data protection clause or contractual clause…”
(The EC in 2023 adopted the EU-US Data Privacy Framework to facilitate mechanisms for personal data transfers between the U.S. and EU states, Great Britain, and Switzerland with protections that are supposed to be consistent with EU, UK, and Swiss law and limit US intelligence services’ access to personal data transferred to America.)
Bindl sought compensation for non-material—that is, not involving direct financial loss—damages because the transfer caused him to lose control of his data and deprived him of his rights and freedoms.
Applying standards it had set in a data mishandling case from Austria involving non-material damage claims, the court said he was entitled to such damages because the commission had violated the GDPR-like regulation 2018/1725 and the damages he suffered were caused by the infringement.
Importantly, the court specified that the right to compensation doesn’t hinge on an assessment of whether the harms are serious enough to take to court, a condition that some EU member state courts have used to dismiss non-material damage claims.
Rather, it was enough that the data transfer put Bindl “in a position of some uncertainty as regards the processing of his personal data, in particular of his IP address,” the court said. This is criterion that could benefit other plaintiffs seeking non-material damages for the mishandling of their data, said Tilman Herbrich, Bindl’s attorney.
Noting the ease with which IP addresses can be used to connect a person to an existing online profile and exploit their data, Bindl, in conversation with The International Association of Privacy Professionals (IAPP), said “it’s totally clear that this was more than just this tiny little piece of IP address, where people even tend to argue whether its PII (personal identifiable information) or not.” Bindl is the founder of EuGD European Society for Data Protection, a Munich-based litigation funder that supports complainants in data protection lawsuits.
The court’s decision recognizes that losing control of your data causes real non-material harm, and shines a light on why people are entitled to seek compensation for emotional damage, probably without the need to demonstrate a minimum threshold of damage.
EFF has stood up for this principle in U.S. courts against corporate giants who—after data thieves penetrate their inadequate security systems, exposing millions of people’s private information—claim in court that victims haven’t really been injured unless they can prove a specific economic harm on top of the obvious privacy harm.
In fact, negligent data breaches inflict grievous privacy harms in and of themselves, and so the victims have “standing” to sue in federal court—without the need to prove more.
Once data has been disclosed, it is often pooled with other information, some gathered consensually and legally and some gathered from other data breaches or through other illicit means. That pooled information is then used to create inferences about the affected individuals for purposes of targeted advertising, various kinds of risk evaluation, identity theft, and more.
In the EU, the Bindl case could bring more legal certainty to individuals and companies about damages for data protection violations and perhaps open the door to collective-action lawsuits. To the extent that the case was brought to determine whether the EC follows its own rules, the outcome was decisive.
The commission “should set the standard in terms of implementation of how they are doing it,” Bindl said. “If anyone is looking at somebody who is doing it perfectly right, it should be the commission, right?”