EU Court Orders Commission to Pay Damages for Non-compliant Data Transfer
The General Court of the Court of Justice of the European Union has ordered the European Commission to pay €400 in damages to an individual for transferring personal data to the U.S. without implementing a proper data transfer mechanism. This landmark decision marks the first time an EU court has awarded damages for illegal data transfers without requiring the demonstration of material loss. It highlights the importance of adhering to EU data transfer rules and the potential for future claims, including class actions, for non-material damages.
The judgment pertains to Regulation 2018/1725, which is the GDPR equivalent for EU institutions. Similar to the GDPR, this regulation requires that personal data transferred outside the EU must receive adequate protection. The court found that the European Commission unlawfully transferred an individual’s IP address to Meta in the U.S. without ensuring adequate protection, as the transfer happened before the implementation of the EU-U.S. Data Privacy Framework and without any alternative approved mechanism.
The court’s decision underscores the potential for significant class actions in the future. While the €400 awarded may seem insignificant, the possibility of class actions could lead to substantial total compensation amounts. This ruling serves as a reminder for companies to carefully evaluate their data transfer practices and ensure compliance with EU regulations to avoid potential legal repercussions.
Although the European Commission may appeal the judgment, companies are advised to review their data transfer mechanisms and ensure they comply with EU data protection laws. The focus on data transfers is expected to continue throughout 2025, and this judgment could signal the beginning of significant class actions related to data protection claims in the EU.
