The T-354/22 judgment (Bindl v. Commission) in perspective – Official Blog of UNIO – Go Health Pro

João Pedro Sousa (master’s student in European Union Law at the School of Law of the University of Minho)

1. Introduction

Protecting personal data is a cornerstone of the European Union (EU) legal framework, safeguarded by Article 8 of the Charter of Fundamental Rights of the European Union (CFREU) and Article 16 of the Treaty on the Functioning of the European Union (TFEU), especially since the entry into force of the General Data Protection Regulation (GDPR). This regulation aims to ensure citizens’ privacy and establish clear standards for the use of personal data by both public and private entities.[1] However, international data transfers became particularly prominent after the Schrems II case exposed vulnerabilities in transatlantic data protection relations and the Privacy Shield was consequently annulled by the Court of Justice of the European Union (CJEU).[2]

The judgment in case T-354/22, of January 8, 2025, known as Bindl v. Commission, delivered by the General Court (GC),[3] represents a milestone in strengthening the guarantees provided by the GDPR. For the first time, the European Commission was ordered to pay compensation for moral damages resulting from infringing stringent data protection laws.[4] This case, initiated by an EU citizen, concerns the improper transfer of personal data of users of the Conference on the Future of Europe (CFE) website to the United States (US), in violation of the regulation.[5]

This text aims to analyse judgment T-354/22 comprehensively, examining the legal reasoning supporting the court’s decision, the impact of the improper data transfer and its implications for personal data protection and digital citizenship in the EU. Additionally, the analysis highlights how this decision could reshape the accountability framework for the European Commission and other public institutions in their adherence to GDPR requirements.

2. The European legal framework for personal data protection

The protection of personal data is grounded in Article 16(1) TFEU and Article 8(1) CFREU. These provisions establish the right for every individual to have their personal data safeguarded, emphasising its significance as a fundamental right.[6]

The GDPR, applicable since May 25, 2018, is the primary legislative instrument of the EU concerning the protection of personal data as this regulation introduced a uniform regime across all Member States (MSs), eliminating previous legal disparities and reinforcing the fundamental rights of citizens in privacy and data protection. Among the central aspects of the GDPR is the concept of personal data, broadly defined in Article 4(1) as any information relating to an identified or identifiable natural person, including names, identification numbers, location data and online identifiers, allowing a comprehensive coverage of various forms of data, reflecting the complexities of the modern digital age.[7]

The GDPR recognises and guarantees several rights to data subjects,[8] including the right of access, which allows individuals to obtain detailed information about how their data is being processed, and the right to be informed, ensuring individuals are made fully aware of the collection, use, and processing of their data, including the purposes and extent of such activities.[9]

Furthermore, Chapter IV of the GDPR imposes significant obligations on data controllers, requiring them to adopt a proactive approach to compliance, including ensuring data security through appropriate technical and organisational measures and notifying individuals of data breaches that compromise confidentiality. Accountability is a fundamental principle underpinning the GDPR, compelling controllers to actively demonstrate compliance with its provisions.[10]

The sanctions regime set out in Article 83 of the GDPR is a revolutionary innovation, allowing for fines that can reach up to 20 million euros or 4% of the annual global turnover of the offending entity, whichever is higher, emphasising the EU’s commitment to safeguarding data protection and deterring non-compliance.[11]

In turn, Regulation (EU) 2018/1725 concerns the protection of personal data processed by EU institutions, bodies and agencies (EUIBAs) and aligns with the principles of the GDPR[12] to guarantee consistency across the Union while tailoring specific rules to the unique needs of the EU’s institutional context. The regulation ensures that personal data is processed lawfully, transparently, and with respect for individuals’ fundamental rights, particularly the right to data protection. It also establishes mechanisms for enforcing compliance and providing remedies for individuals whose data protection rights are infringed upon by EUIBAs.[13]

Cross-border data transfers represent a particularly challenging aspect of the GDPR, as under Chapter V, such transfers are permitted only if the recipient country ensures an adequate level of protection, as determined by adequacy decisions from the European Commission.[14] In the absence of such decisions, entities must rely on additional safeguards, such as standard contractual clauses (SCCs).[15] However, the Schrems II judgment highlighted the limitations of these measures, particularly when third-country laws allow excessive access to personal data by public authorities. The annulment of the Privacy Shield agreement exacerbated these challenges, leaving organisations reliant on temporary solutions to maintain compliance.[16] In July 2023, the Commission adopted the EU-US Data Privacy Framework (EU-US DPF), enabling the transatlantic transfer of personal data between the two regions, concluding that the US ensures an adequate level of protection for personal data transferred from the EU to participating companies in the US. The introduction of the EU-US DPF marks a significant step toward resolving these challenges and providing legal certainty for companies engaging in transatlantic data transfers.[17]

The GDPR’s emphasis on transparency and accountability accentuates the EU’s commitment to protecting individuals’ fundamental rights in an era of rapid technological change. However, it also uncovers the pressing need for global harmonisation of data protection standards to ensure a balance between privacy and the legitimate needs for international data flows. The adoption of frameworks such as the EU-US DPF illustrates the ongoing efforts to bridge the gaps and create a more cohesive approach to data protection on a global scale.[18]

3. The Bindl v. Commission case (T-354/22): data protection, institutional accountability and fundamental rights

The Bindl v. Commission case (T-354/22) represents a landmark judgment by the GC, addressing the intersection of data protection, institutional accountability, and fundamental rights. In this case, Thomas Bindl, a German citizen concerned with technologies and the protection of personal data, brought an action against the European Commission for allegedly violating Regulation (EU) 2018/1725,[19] which concerns the processing of personal data by EUIBAs (paras. 1-2). Mr Bindl claimed that his interactions with the CFE website, managed by the Directorate-General for Communication of the Commission, resulted in improper transfers of personal data to third countries without adequate levels of protection (para. 3).

The events occurred during his visits to the CFE website, in 2021 and 2022, specifically when he registered for the “GoGreen” event using the Commission’s EU Login service and opted to use the hyperlink “Sign in with Facebook”, which, according to him, resulted in the transfer of personal data, such as IP address, browser and terminal information, to third parties, namely Amazon Web Services and Meta Platforms, Inc., both based in the US (paras. 4-9, 12).

Given the absence of an EU-US adequacy decision at the time of the incident, the complainant contended that the US did not guarantee an adequate level of protection, citing risks of access by US security and intelligence agencies, and criticised the lack of safeguards by the Commission to justify these transfers (paras. 6, 88).

As a result of these alleged infringements, the complainant claimed non-material damage sustained from the uncertainty about the use and security of his personal data. Consequently, he sought payment of EUR 400 in compensation for the data transfers to the US and requested EUR 800 for non-material damage sustained due to the alleged violation of his right of access to information, contending that the Commission unlawfully failed to address a request for clarification regarding his data (paras. 1, 13). In this context, the applicant also sought annulment of the data transfers and a declaration that the Commission had acted unlawfully (para. 13).

The Commission, in turn, requested the Court to dismiss the applicant’s claim for annulment and for a declaration of failure to act as inadmissible. The Court should also declare that there is no longer any need to adjudicate on the claim for a declaration of failure to act and dismiss the claim for damages as unfounded (para. 14).

Therefore, the Bindl case tests the EU’s legal frameworks regarding data protection, raising critical questions about the Commission’s responsibility in ensuring adequate data protection, particularly when transferring data to third countries (paras. 1, 13-14).

Mr Bindl, to contest the Commission’s actions regarding the alleged improper transfer of his personal data, invoked Articles 263, 265 and 268, litigation mechanisms provided by the TFEU, which outline the processes for action for annulment, action for failure to act and action for damages (para. 1). 

Mr Bindl referred to Article 263 TFEU, which allows individuals to request the annulment of acts of EU institutions,[20] as he sought to annul the alleged transfers of his personal data to the US (para. 19). The Commission, however, argued that the claim was inadmissible because the transfers were not official acts but rather IT operations with no binding legal effects (para. 20). The Court, drawing on settled case law,[21] emphasised that for an act to be challengeable under Article 263, it must be an act that is intended to have binding legal effects and capable of bringing about a distinct change in the applicant’s legal position (para. 24, citing Inclusion Alliance for Europe v. Commission, C-378/16 P). The Court examined the transfers and concluded that they were physical, not legal acts — IT operations involving data migration from one server to another, resulting from Mr Bindl’s interactions with the Commission’s systems (para. 33). As the transfers were not acts intended to regulate a legal situation and did not have binding legal effects, the Court ruled that they could not be considered challengeable acts under Article 263 TFEU (para. 34). Consequently, Mr Bindl’s claim for annulment was rejected as inadmissible (para. 35).

In his second claim, Mr Bindl sought a declaration under Article 265 TFEU that the Commission had unlawfully failed to act regarding his information request of 1 April 2022 (para. 36).[22] The Commission, in its defence, argued that the claim was inadmissible because it was not required to act in this case as per the second paragraph of Article 265 TFEU. Additionally, the Commission contended that its reply to the applicant’s request on 30 June 2022 rendered the claim irrelevant (para. 37). Mr Bindl, however, argued that the Commission’s response was insufficient and inaccurate, asserting that it still had an obligation to provide a more comprehensive reply (para. 38).

The Court recalled that the remedy under Article 265 TFEU is based on the premise that an institution’s unlawful failure to act can be challenged before the EU Courts for a declaration that the inaction is contrary to the Treaty unless the matter is resolved by the institution itself (para. 39). In situations where an institution adopts the missing act after the action is filed but before judgment, the failure to act claim becomes obsolete, as the lack of action is remedied (para. 40). In Mr Bindl’s case, the Commission had already responded to his request by 30 June 2022 (paras. 11, 41), meaning that the initial failure to act had been rectified. Therefore, the Court concluded that the claim for a declaration of failure to act no longer had any purpose (para. 42). Consequently, there was no need for the Court to adjudicate on the applicant’s claim or address the Commission’s admissibility argument (para. 43).

In his third claim, Mr Bindl seeks damages for two distinct types of harm: non-material damage resulting from the Commission’s failure to respect his right of access to information (EUR 800), and non-material damage caused by the unlawful transfers of his personal data to third countries without adequate protection (EUR 400). These claims are made under Article 268 TFEU, invoking the EU’s non-contractual liability based on the Commission’s alleged breaches of Regulation (EU) 2018/1725.

The Court begins by outlining the conditions for establishing the EU’s liability in these cases. According to settled case law, for the EU to be liable for non-contractual damages, three cumulative conditions must be met: (i) the unlawfulness of the conduct alleged against the EU institution, (ii) the existence of damage, and (iii) a causal link between the unlawful conduct and the damage (para. 48, citing Bergaderm and Goupil v. Commission, C-352/98 P). If any of these conditions are not fulfilled, the claim must be entirely dismissed (para. 49, citing Lucaccioni v. Commission, C-257/98 P).

Regarding the unlawfulness of the conduct, the Court stresses that there must be a “sufficiently serious breach” of EU law, meaning the institution must have manifestly and gravely disregarded the limits of its discretion (para. 50). The Court assessed the seriousness of the breach, considering the institution’s margin of discretion, the complexity of the legal issue, and whether the error was inexcusable or intentional (paras. 52-53, citing Artegodan v. Commission, T-429/05).

The second condition, the existence of damage, requires the harm to be actual and certain. The applicant must prove this damage, and hypothetical or indeterminate damage does not qualify for compensation (para. 54).

Finally, regarding the causal link, the Court reiterates that the damage must be directly caused by the alleged unlawful conduct of the institution (para. 55). The burden of proof lies with the applicant to establish this direct nexus between the breach and the harm suffered.

Therefore, while the Commission’s failure to act is no longer in question due to the action taken after the claim was filed (para. 41), the claim for damages must still be examined based on whether the conditions for establishing the EU’s non-contractual liability are met. The Court is clear that the dismissal of the application for annulment or declaration of failure to act does not automatically render the claims for damages inadmissible (para. 57).

Regarding the first claim for damages, the Court found that the only unlawful conduct by the Commission was its failure to observe the one-month time limit prescribed in Article 14(4) of Regulation (EU) 2018/1725 (para. 79). However, the Court concluded that the two-month delay in observing that time limit, particularly since the applicant had already received a partial response to his request of 9 November 2021 (paras. 77 and 83), was insufficient to assess actual and certain non-material damage, as required by case law (paras. 81 and 85). Consequently, as the applicant failed to demonstrate harm arising from the Commission’s conduct, the Court dismissed the first claim for damages, noting that one of the cumulative conditions for the EU’s non-contractual liability was not satisfied (para. 86).

The second claim for damages involves the unlawful transfer of the applicant’s personal data to the US, at a time when there was no adequacy decision under Regulation (EU) 2018/1725 (para. 88). The Court found that the Commission’s conduct was unlawful because it failed to comply with the conditions in Article 46 of Regulation (EU) 2018/1725 for the transfer of personal data to the US (para. 193). The Commission did not demonstrate the existence of appropriate safeguards for these transfers, in particular SCCs, nor did it ensure enforceable rights and legal remedies for the applicant, adopted under the requirements of Article 48 of Regulation (EU) 2018/1725 (paras. 190-191). It was shown that the display on the EU Login website of the “Sign in with Facebook” hyperlink was entirely governed by Facebook’s general terms and conditions (para. 183). As a result, the Commission created the conditions for the transfer of Mr Bindl’s personal data to a third country without fulfilling the conditions set out in Article 46 of Regulation (EU) 2018/1725 (para. 192). Consequently, without the need to examine the applicant’s other arguments, the Court concluded that the Commission committed a sufficiently serious breach of Article 46 of Regulation (EU) 2018/1725 regarding the disputed transfer during the sign-in to EU Login on 30 March 2022 (paras. 50, 193).

After evaluating the other conditions to assess the Commission’s non-contractual liability, specifically damage and causal link (para. 194), the Court concluded that the applicant’s claims of non-material damage were confirmed. The applicant argued that the unlawful transfer of his IP address to a US-based company resulted in a loss of control over his personal data and a deprivation of his rights and freedoms (para. 195), which, as a result of an infringement under Article 65 of Regulation (EU) 2018/1725, entitles the individual to the right to compensation, with no threshold of seriousness required (para. 196).

The Court found that the non-material damage claimed by Mr Bindl was actual and certain, as the unlawful transfer created uncertainty regarding the processing of his personal data (para. 197). A sufficiently direct causal link was established between the Commission’s breach of Article 46 of Regulation (EU) 2018/1725 and the applicant’s non-material damage (para. 198). Therefore, the Court ordered that the Commission should compensate Mr Bindl for the non-material damage with an equitable sum of EUR 400 (para. 199).

An appeal, limited to points of law only, may be brought before the Court of Justice against the decision of the GC within two months and ten days of notification of the decision.[23]

4. Legal and practical implications of the judgment

The GC judgment in T-354/22 Bindl v. European Commission significantly reinforces the applicability of the GDPR within the EUIBAs, through its parallel in Regulation (EU) 2018/1725. By concluding the Commission breached Article 46 of the Regulation, the judgment validates that EU institutions are not exempt from stringent data protection obligations when processing and transferring personal data to third countries.

While EU regulators like the Irish Data Protection Commission have consistently imposed significant fines on companies, such as Meta’s EUR 251 million fine in December 2024 for a data breach,[24] this judgment demonstrates that EU institutions must also comply with the same high standards of data protection, as public bodies are equally accountable for safeguarding personal data.

As digital technologies develop, new challenges emerge as global data flows become increasingly interconnected. The adequacy of existing frameworks and sufficiency of current safeguards, such as EU-US DPF, may be tested by advances in Artificial Intelligence (AI), as the European Data Protection Board warns.[25] These developments stress the need for robust safeguards and the continued relevance of frameworks that ensure compliance with data protection principles.[26] This reinforces the principle that appropriate safeguards or adequacy decisions must always be in place to ensure the respect of fundamental rights to data protection, guaranteed under Article 8 of the CFREU.[27] EU institutions must, therefore, diligently implement mechanisms such as SCCs or equivalent safeguards for international data transfers. As this case shows, non-compliance can lead to financial accountability and reputational risks, urging EUIBAs not to overlook the highest standards of data protection in their practices.[28]

By setting a precedent for liability in cases of non-compliance, the ruling could push for stricter data handling protocols within the EU’s institutional framework.[29] The GC’s decision accompanies ongoing efforts by regulators to ensure that data breaches carry tangible consequences, and the evolving landscape underscores the importance of ongoing vigilance and adaptation in the EU’s approach to data protection.[30]

Conclusions

The GC’s judgment in T-354/22 Bindl v. European Commission represents a revolutionary step in reinforcing the principle that no entity, private or public, is exempt from the EU’s strict data protection responsibilities. By holding the European Commission accountable for the first time for breaching Article 46 of Regulation (EU) 2018/1725, the judgment stresses the equal application of data protection rules across EUIBAs, aligning them with the obligations imposed on private entities under the GDPR.

By holding the European Commission accountable for not implementing appropriate safeguards in data transfers to third countries, the judgment strengthens the need for both public and private actors to ensure compliance with high data protection standards, setting a legal precedent that will influence the future of both EU and international data protection practices.

In conclusion, the Bindl case demonstrates the EU’s determination to uphold the highest standards of data protection, promoting resilience and accountability in its institutional and regulatory practices, serving as a reminder for EU institutions, private entities, and international partners to prioritise the fundamental right to data protection in all aspects of their operation.


[1] Recital 1 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). OJ L 119, May 4, 2016, 1–88.

[2] Judgment Facebook Ireland v. Schrems, 16 June 2020, case C-311/18, EU:C:2020:559.

[3] Judgment Bindl v. Commission, 8 January 2025, case T-354/22, ECLI:EU:T:2025:4.

[4] Article 46 of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC. OJ L 295, November 21, 2018, 39–98.

[5] CJEU, Press Release No 1/25 “The General Court orders the Commission to pay damages to a visitor to its ‘Conference on the Future of Europe’ website as a result of the transfer of personal data to the United States”, January 8, 2025. Accessed January 8, 2025. https://curia.europa.eu/jcms/upload/docs/application/pdf/2025-01/cp250001en.pdf.

[6] Alessandra Silveira, Larissa Araújo Coelho, Maria Inês Costa and Tiago Sérgio Cabral (eds.), The Charter of Fundamental Rights of the European Union: A Commentary (Braga: JusGov/ UMinho Law School | Escola de Direito da Universidade do Minho, 2024), 83-104.

[7] Tiago Sérgio Cabral, AI Regulation in the European Union: democratic trends, current instruments and future initiatives (Master Thesis: Universidade do Minho, 2019), 131 and following. https://hdl.handle.net/1822/74323.

[8] For further details, see Alessandra Silveira, Joana Rita Sousa Covelo de Abreu and Tiago Sérgio Cabral, “Breves apontamentos quanto aos direitos dos titulares de dados no RGPD”, in Direito à informação administrativa e proteção de dados pessoais (Lisbon: CEJ, 2021), 93–111.

[9] Chapter III, Articles 13 to 15 of GDPR.

[10] Article 5(2) of GDPR.

[11] Article 83(6) of GDPR.

[12] Recital 5 and Article 99 of Regulation (EU) 2018/1725.

[13] Recital 79 and Article 64(1) of Regulation (EU) 2018/1725.

[14] Article 45(3) of GDPR.

[15] Article 46 of GDPR.

[16] Judgment Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems, 16 June 2020, case C-311/18, EU:C:2020:559.

[17] Commission Implementing Decision EU 2023/1795 of 10 July 2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework. OJ L 231, September 20, 2023, 118–229.

[18] European Commission, Press Corner. “Questions & Answers: EU-US Data Privacy Framework”. July 10, 2023. Accessed January 8, 2025.

[19] Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.

[20] Pedro de Gouveia e Melo, “Recurso de anulação”, in Enciclopédia da União Europeia, ed. Ana Paula Brandão, Francisco Pereira Coutinho, Isabel Camisão, Joana Covelo de Abreu (Braga: Petrony, July 2017), 366-368.

[21] Judgment Inclusion Alliance for Europe v. Commission, 16 July 2020, case C-378/16 P, EU:C:2020:575.

[22] Francielle Vieira Oliveira, “Recurso de omissão”, in Enciclopédia da União Europeia, 369-371.

[23] Statute of the Court of Justice of the European Union, Articles 56 and 58.

[24] Data Protection Commission, “Irish Data Protection Commission fines Meta €251 Million”. Accessed January 13, 2025. https://www.dataprotection.ie/en/news-media/press-releases/irish-data-protection-commission-fines-meta-eu251-million.

[25] European Data Protection Board, “EDPB opinion on AI models: GDPR principles support responsible AI”. December 18, 2024. Accessed January 12, 2025. https://www.edpb.europa.eu/news/news/2024/edpb-opinion-ai-models-gdpr-principles-support-responsible-ai_en.

[26] Judgment Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems.

[27] Alessandra Silveira, Larissa Araújo Coelho, Maria Inês Costa and Tiago Sérgio Cabral (eds.), The Charter of Fundamental Rights of the European Union: A Commentary, 100.

[28] Reuters, “In a first, EU Court fines EU for breaching own data protection law”, January 8, 2025. Accessed January 8, 2025. https://www.reuters.com/world/europe/first-eu-court-fines-eu-breaching-own-data-protection-law-2025-01-08/.

[29] See Judgment Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems, as a comparative benchmark.

[30] The Times, “Uber fined £245m by Dutch data regulator for violating drivers’ privacy”, August 26, 2024. Accessed January 12, 2025. https://www.thetimes.com/business-money/article/uber-fined-245m-dutch-data-regulator-violating-drivers-privacy-tzg0n75r3.


Picture credits: by panumas nikhomkhai on pexels.com.
