Did the Pot Call the Kettle Black? EU Court Fines EU Commission for Unlawful Data Transfers
Jan 27, 2025 by Victoria Akosile, Deputy Director, Privacy Operations, BBB National Programs
Just over a week into the New Year, the EU General Court made a first-of-its-kind ruling that stands to potentially influence the enforcement of data transfer violations.
The case was brought against the EU Commission by Thomas Bindl, a German citizen who alleged his data was unlawfully transferred outside of the EU via the Commission’s website between 2021-2022.
During this period, the U.S. was in a limbo of sorts regarding data transfers. The 2020 Schrems II ruling invalidated Privacy Shield—a transfer mechanism that allowed data to flow from the EU to the U.S.—and without an adequacy decision in place, EU institutions and businesses alike were required to rely on standard contractual clauses (SCCs) to lawfully transfer data.
Bindl alleged that his data was transferred to the U.S. via Amazon Web Services (AWS), which served as an operator for the Commission’s website, and to Meta via a ‘Sign in with Facebook’ option, which he elected to use. In its ruling, the Court dismissed the claim against AWS, citing that the data never left the EU and was transferred to a server in Munich.
However, the Court found that the Facebook sign-in option put Bindl in “a position of some uncertainty [in] regard [to] the processing of his personal data” and accordingly awarded him non-material damages of 400 euros.
Why is this a Big Deal?
Under the General Data Protection Regulation (GDPR)—the EU’s law governing all things related to data protection—any data transferred out of the EU must be transferred with appropriate safeguards that maintain a level of protection equivalent to GDPR standards.
Similar to the GDPR, the Data Protection Regulation for EU institutions, bodies, offices, and agencies (EUDPR) sets out the rules that EU institutions must follow. These rules closely mirror, and in some cases are identical to, the obligations in the GDPR, including the restrictions on how data can be transferred to a third country.
To clarify, this was not a GDPR-related violation but a violation of the EUDPR, although the basis for the violation could have been substantiated against a company under the GDPR.
In this instance, the data was alleged to have been transferred from the EU to the U.S. unlawfully because the appropriate safeguards were lacking. The press release issued by the Court noted that nothing “indicated that any of the appropriate safeguards that might justify those transfers.”
One example of an appropriate safeguard that would have made this a lawful transfer of data is SCCs. They set out the terms and conditions for transfers of personal data, including, among other things, how it is processed, protected, and safeguarded. Without SCCs, there is little to no accountability for how data is handled once it is exported from the EU to a third country that lacks an adequacy decision. In this instance, SCCs were the only option available to the Commission, and to U.S.-based businesses in general, because Privacy Shield’s replacement, the EU-U.S. Data Privacy Framework (EU-U.S. DPF), would not come into effect until 2023.
The irony of the situation is rich; one of the leading bodies tasked with creating guidelines and enforcing laws related to data transfers has been fined for unlawful data transfers.
It also highlights the need for businesses and organizations of all sizes—multinational as well as small and medium sized—to ensure they have a transfer mechanism in place and to regularly map the processes that trigger transfers.
What Does this Mean for Businesses?
A major takeaway for entities—whether they are classified as organizations, nonprofits, or businesses in the U.S.—is to ensure that adequate data transfer mechanisms are in place. While the Commission has limited options for transfer mechanisms, companies in the U.S. have a few.
There are the aforementioned SCCs, Binding Corporate Rules (BCRs), and, as of July 2023, the EU-U.S. DPF.
For those looking to get started, or unsure of where to start, the EU-U.S. DPF is cost effective and has the lowest barrier to entry for newcomers. It requires fewer resources than SCCs, which can require frequent updates, and is significantly quicker to implement than BCRs, which have an unpredictable approval period.
The EU-U.S. DPF requires companies to have an Independent Recourse Mechanism (IRM), such as BBB National Programs, to help businesses navigate and resolve disputes and other complaints involving data transfers. An IRM offers businesses several benefits, among them reconciliation and binding arbitration so issues can be resolved without involving the courts.
In addition to implementing transfer mechanisms, organizations must also map every function that leads to a data transfer, or that might create uncertainty or risk with regard to a transfer. Internal data audits should be the norm and should be performed regularly to ensure compliance and minimize the risk of regulatory fines.
Looking to the Future
The downstream effects of the case are speculative, but it does emphasize the important role EU institutions must play in protecting data when using third-party services. Furthermore, it establishes that damages can be awarded for unlawful transfer violations—including those involving transfers to and from EU government organizations and institutions.
This decision has undoubtedly placed data transfers back at center stage. EU institutions across the bloc will likely revisit and identify every avenue that creates a risk of unlawful data transfers, while companies that transfer data from the EU will need a heightened attention to detail to ensure they are not creating those risks on their websites or through third-party partnerships.
Luckily, businesses with an IRM are not alone.
Will this usher in Schrems III? Or pave the way for global class actions? Nothing is certain, but overall it is quite a way to ring in the New Year, and a reminder that good international data transfer practices should always be part of a New Year’s Resolution.
Originally published in Infosecurity Magazine