European Commission forced to pay data protection damages due to ‘Sign In with Facebook’ feature
Posted: January 18, 2025
The European Commission has been ordered to compensate a German citizen who logged into a website using the “Sign in with Facebook” feature.
This highly significant case could lay the foundation for future legal claims against website operators. Here’s a look at what happened and what it implies for the law on international data transfers under the General Data Protection Regulation (GDPR).
What happened?
Thomas Bindl visited the European Commission’s Conference on the Future of Europe website three times:
- February 2021: Bindl logged into the website via his Facebook account.
- March 2022: Bindl used his Facebook account to register for an event called Go Green.
- June 2022: Bindl visited the website again.
Bindl’s case hinges on the Commission’s use of the following services:
- Facebook Login (or “Sign in with Facebook”), which allows Facebook users to log into external websites using their Facebook accounts.
- Amazon CloudFront, a content delivery network (CDN) provided by Amazon Web Services (AWS), which speeds up the delivery of web content by routing users’ requests through a series of “edge servers” located across the world.
Based on his observations during his three website visits, Bindl alleged the following:
- When he visited the website in March 2022, his personal data was unlawfully transferred to an AWS server in Newark, US, via Amazon CloudFront.
- Due to Amazon’s obligations under EU law, his personal data was accessible to the US intelligence services even when stored on AWS servers in the EU, and this in itself constituted an unlawful transfer.
- When he visited the website and used Facebook Login in March 2022, his personal data (his IP address) was unlawfully transferred to Meta in the US.
Bindl also made two requests for information under the “right of access” and alleges that the Commission’s handling of his request was also unlawful. The court agreed that the Commission mishandled his request but dismissed Bindl’s plea for damages.
The relevant law
This case was brought under Regulation 2018/1725, the data protection law that applies to EU institutions such as the European Commission.
Regulation 2018/1725 is substantially similar to the GDPR, particularly for the purposes of this case. Bindl’s main allegations relate to Chapter V of the regulation. Like Chapter V of the GDPR, this part of the regulation deals with international transfers of personal data.
Transferring personal data outside the European Economic Area (EEA) requires one of the safeguards listed in Chapter V, such as an “adequacy decision” or Standard Contractual Clauses (SCCs).
The alleged violations occurred when the US did not have a valid “adequacy decision” due to the Schrems II case, which also challenged the validity of SCCs as a transfer mechanism to the US.
However, the US has since reformed its surveillance laws and established the EU-US Data Privacy Framework (EU-US DPF). As such, the outcome of the case might have been different if the relevant international data transfers were conducted today.
It’s also worth noting that this case was heard by the EU’s General Court, which hears cases against the EU’s institutions. As such, the outcome could change on appeal.
The AWS CloudFront allegations
As noted, the Commission’s website used the AWS CloudFront CDN, which routes a user’s requests (and therefore their IP address) through several geographically distributed edge servers to deliver website content faster.
Bindl alleged that, due to the Commission’s use of AWS CloudFront, his IP address was transferred to a server in Newark, US, as part of this content delivery process.
The court found that, if this transfer occurred, it was due to “technical manipulation” on Bindl’s part rather than the Commission’s actions.
Given how the Commission configured its website, a user visiting from Germany would not normally have their IP address directed to the US. The court concluded that the transfer to the US occurred due to Bindl’s device settings.
Bindl addresses this part of the judgment on his website.
The ‘AWS in the EU’ allegation
Bindl pointed out that as a company headquartered in the US, AWS “is obliged to transmit personal data to the US authorities, even if the data are stored on EU territory”.
Therefore, Bindl argued that the Commission effectively transferred his personal data to the US by using AWS CloudFront to deliver its website, even though the data never physically left EU territory.
This argument failed. The court accepted that an international data transfer would occur if the US authorities were to remotely access Bindl’s personal data on an AWS server in the EU. However, there is no evidence that such access occurred.
The court rejected Bindl’s claim, holding that “the mere risk of access to personal data by a third country cannot amount to a transfer of data”.
The Facebook Login allegation
Bindl used Facebook Login to register for an event at the conference. On logging into the Commission’s website via Facebook Login, his IP address was transferred to Meta in the US.
The court accepted that this constituted an “international data transfer” under Regulation 2018/1725 (and, impliedly, under the GDPR), stating that an IP address is personal data and the disclosure of that personal data to Meta met the conditions for an international data transfer.
Given that there was no adequacy decision in place at the time of the transfer, and the Commission had not implemented SCCs or any other safeguard, the court ruled that the Commission had violated the law.
The court awarded Bindl €400 in “non-material damages”, finding that the Commission had committed a “sufficiently serious breach of a rule of law that is intended to confer rights on individuals.”
The court found the transfer had “put the applicant in a position of some uncertainty as regards the processing of his personal data” and “caused him non-material damage consisting in a loss of control of his data and in his being deprived of his rights and freedoms”.
A significant decision
The General Court’s judgment in Bindl v Commission is significant for two main reasons:
- The court found that the transfer of Bindl’s IP address to the US without adequate safeguards was a “serious breach” of the law despite the ostensibly low-risk nature of the data.
- The court recognized Bindl’s claim for “non-material damages” based merely on a “loss of control” of personal data, without any assessment of whether Bindl had experienced distress or any other loss.
Most major US tech companies are now certified under the EU-US DPF, meaning that website operators using those companies’ services are currently at little risk of committing the same violation as the Commission.
However, if the EU-US DPF is invalidated (as its two predecessor agreements were), the Bindl case could provide fertile ground for legal claims by data subjects, civil rights groups, and litigation funders.