01/10/2025

EUR 400 per person for data transfers to the USA?

Do data transfers to the USA carry a price tag of EUR 400 per person since the latest EC ruling? The good news first: no, not automatically. The facts underlying the judgment of the European Court of First Instance of January 8, 2025 (T-354/22) date from 2021 and 2022, a period of greater legal uncertainty regarding data transfers to the USA because the EU-US Privacy Shield had been overturned. Since July 10, 2023, there has been a new adequacy decision for the USA in the form of the EU-US Privacy Framework. Meta, Amazon, Microsoft and the other major providers are now all certified under this new framework.

The facts of the case were as follows: a citizen resident in Germany sued the EU Commission and claimed damages because his IP address had been transmitted to the company behind Facebook in the USA (Meta Platforms, Inc.). He had visited the website of the Conference on the Future of Europe (a website of the EU Commission) several times in 2021 and 2022 and had also registered for an event. As part of the registration process, he used the “EU Login” offered by the EU Commission and chose the “Facebook Login” option, a verification via his Facebook account. As part of this verification request, the corresponding website transmits the IP address of the registrant to Meta. The court confirmed the plaintiff's view with regard to one of the claims for damages and considered the transmission of the plaintiff's IP address to a company based in the USA to be unlawful. According to the court, the plaintiff had suffered non-material damage in that he had lost control over his data and had been deprived of his rights and freedoms.

The judgment is not final and can be challenged before the ECJ. It is not yet known whether the EU Commission will take action against the ruling. At first glance, there would certainly be points open to challenge, particularly with regard to the unlawfulness of the transfer and the requirements for the causal connection.

Practical implications

Even if the facts of the case would be assessed differently today under the EU-US Privacy Framework, the ruling still has important practical implications. It is not new that data transfers to the USA require a corresponding legal basis. However, this decision, which, mind you, awarded a claim for damages even against an EU authority (the EU Commission itself!), shows how strict the courts can be when it comes to third country transfers. Furthermore, there is a risk that this decision could now be cited in any legal dispute regarding (alleged) data protection violations in third country transfers, especially when it comes to quantifying specific claims for damages. If the transmission of the IP address alone can trigger damages of EUR 400, higher sums are conceivable in the case of more serious infringements. And with many visitors to the website, the liability risk for the operator can increase accordingly. It is also to be feared that so-called “warning law firms” will become active as a result of this decision. It is therefore advisable for companies to take this decision as an opportunity to “clean up” their websites once again with regard to third country transfers and, in particular, to review their data protection information to ensure that users are adequately informed about the transfer of their data. The same generally applies to the use of third-party service providers on websites and the use of cookies.

The decision is also interesting from another practical perspective: in this case, the court specifically examined whether there was a “genuine” transfer of the IP address to servers in the USA. The court did not consider the mere risk of access from a third country to be a “transmission”. This is very relevant in practice, as almost all major US providers contractually reserve the option of accessing data from a third country, for example to handle support requests. This also applies if Europe has been selected as the server location. This decision can therefore also be relied on as a defense in other proceedings.

In this article, we only want to provide a brief assessment for companies in practice. However, for readers who are particularly interested in complex issues of data protection law, the court's comments on the “causal connection” of the damage are also worth a look. In particular, the court denied the causal link with regard to a further claim for damages because, according to the court, the damage was due to the conduct of the plaintiff himself. He had used technical settings to pretend that he was in the USA. This then led Amazon's content delivery network (Amazon CloudFront), which is based on a routing mechanism that works via proximity, to select servers in the USA.
