Op-Ed: Data protection damages without proof, courtesy of shortcuts in legal reasoning (Case T-354/22, Bindl)
Peter Craddock
Data/Cyber/Tech Law; helping you innovate & use data better (EU & international); litigation / advice / strategy
This op-ed was first published on EULawLive on 21 January 2025 and is now republished here, in accordance with the EULawLive guidelines & terms for guest authors.
The header image is of course an easy pun about the implications of a broader application of judgment T-354/22 and how data subjects might be in a position to misuse its lessons, but you'll get the reason for it after reading this op-ed.
There is both good and bad in the General Court’s judgment in Bindl (T-354/22) of 8 January 2025. It says that ‘the mere risk of access to personal data by a third country cannot amount to a transfer of data’ – a departure from many supervisory authorities’ approach. It questions the existence of a causal link between misconduct and loss when the aggrieved party’s own decision or free choice is to blame. Yet it also rushes to a conclusion that IP addresses are personal data, awards damages in a situation to which the aggrieved party contributed and suggests that mere uncertainty as regards the processing of one’s personal data can qualify as a demonstration of loss.
Bindl is a noteworthy judgment by any standard. It is the first significant General Court judgment on data protection since the SRB one (T-557/20) and the OC/Commission one before that (T-384/20, regarding OLAF). It finds that the Commission has to pay 400 EUR to the applicant, Thomas Bindl, because of the fact that the transfer of his IP address to Meta was ‘contrary to Article 46 of Regulation 2018/1725’ and that it put the applicant ‘in a position of some uncertainty as regards the processing of his personal data, in particular of his IP address’ (para. 197).
First, some background. Following the Schrems II judgment (C-311/18), many U.S.-based service providers took measures to mitigate the (often hypothetical) risk of U.S. intelligence agencies getting their hands on their data. Examples include data localisation measures to empower EU-based subsidiaries and limit the involvement of non-EU teams in their data processing activities. But would this be sufficient? Not according to some, claiming that an EU subsidiary would ultimately have to provide data, by way of its U.S. parent company, in the event of a request based on FISA section 702 or the Cloud Act, however hypothetical the request might be for certain data.
From that perspective, Bindl is refreshing: if ‘the mere risk of access to personal data by a third country cannot amount to a transfer of data’ (para. 135), surely this must mean that hypothetical, unproven transfers are not actual transfers? Some commentators reject this position, saying that the General Court made this statement in the context of assessing whether there is harm. Yet ‘the risk of an infringement of Article 46 cannot be treated as being akin to a direct infringement of that provision’ (also para. 135). In this author’s eyes, this shows that the General Court considers a hypothetical, unproven transfer (a risk of a transfer) insufficient to establish an infringement of data transfer provisions (in the EUI GDPR, but the GDPR ones are similar).
It is worth recalling that Schrems II was not about hypothetical transfers but about the question of whether sufficient measures were taken in relation to actual, established transfers, notably to limit the risk of onward transfers. If asked by way of an appeal in Bindl, the Court of Justice might consider the importance of facts in (data protection) law. After all, if assumptions or unproven allegations trump actual facts, all processing might as well be prohibited.
This leads us to another point in Bindl – a less positive one. The entire case hinges on the transfer of IP addresses, and as is well known, the (EUI) GDPR only applies to the processing of personal data. Yet the General Court’s reasoning that the relevant IP address is personal data is limited: ‘First, that information relates to a natural person and, secondly, it relates to a person who is identified or identifiable, in this case, the applicant’ (with references to SRB [T-557/20], Scarlet Extended [C-70/10] and Breyer [C-582/14]). ‘Even ‘dynamic’ IP addresses – which by nature change over time – correspond to a precise identity at a given point in time, which, in this case, coincides with the point in time at which the visit to the CFE website took place’ (para. 122).
It therefore seems to assume that SRB, Scarlet Extended and Breyer establish that IP addresses are personal data. Yet that is incorrect:
In other words, IP addresses can be personal data, but one still has to establish that there are legal and reasonable means of identification.
The broader context of the case is the use of certain means of identification as part of EU Login, the EU authentication service. But in this particular case, the applicant was not yet identified when the IP address was shared with Meta, at the time when the applicant (voluntarily) chose the possibility to sign in using his Facebook account.
Put differently, the General Court concludes too quickly that the IP address was indeed personal data in this particular context.
This matters because while the Court of Justice has gradually refined the contours of the notion of ‘personal data’, notably through Breyer but also Scania (C-319/22) and IAB Europe (C-604/22), the core requirement to establish identifiability remains valid.
Some commentators have dismissed this point, saying that Recital 30 of the GDPR and Recital 18 of the EUI GDPR clearly list IP addresses as personal data. Yet those Recitals explicitly state that the examples given – online identifiers provided by devices, applications, tools and protocols, ‘such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags’ – can become personal data: ‘This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them’. Note the conditionality: ‘may’, ‘when combined’. These identifiers are not personal data in and of themselves. Rather, additional data is needed to enable identification and thus to transform them into personal data.
Yet if one does not establish that there is processing of personal data, no allegation of infringement of the (EUI) GDPR should succeed.
Here, the General Court finds that the use of the Facebook account login feature at the applicant’s own initiative caused a transfer to Meta – without establishing that this is indeed processing of personal data by the Commission.
Even if one were to agree that this is processing of personal data, the next phase of the judgment is puzzling.
First, the Commission appears to have dropped the ball in its defence. No apparent reference to Meta Ireland, the Meta Business Tools Terms or Meta’s Joint Processing table. No provision of documentation to establish the contractual framework of the use of Facebook Login. Paragraph 191 of the judgment suggests that the Commission did not demonstrate anything in this respect: ‘the Commission has neither demonstrated nor claimed that there was an appropriate safeguard’.
Next, the General Court takes a far-reaching position in its paragraph 197: ‘the non-material damage invoked by the applicant must be considered to be actual and certain […] in so far as the transfer […] put the applicant in a position of some uncertainty as regards the processing of his personal data, in particular of his IP address’.
In this respect, the applicant (already a Facebook user) chose to use the Facebook Login feature, as one of several options. That he thus contributed to the alleged ‘uncertainty’ is disregarded, despite the fact that ‘no […] causal link is demonstrated when the loss invoked is the direct consequence of the applicant’s own decision or free choice’ (para. 149).
In addition, as highlighted earlier, it is unclear that there is processing of personal data, let alone unlawful processing. If ‘some uncertainty’ as regards the processing is ‘actual and certain’ damage, what is to stop data subjects from claiming damages (here, 400 EUR requested and awarded) in relation to every single controller? If a privacy notice includes the verb ‘may’ to show that processing might occur in some instances but not systematically, is that not ‘some uncertainty’ regarding the processing?
Uncertainty is easy to claim, but the damage or loss itself remains unproven. The General Court appears to have gone too far and to have made too many shortcuts along the way, courtesy perhaps also of the Commission’s defence.
Every judgment deserves to be taken into account, but some are worth questioning – the General Court’s judgment in Bindl is such a one.
Keepabl's SaaS is Privacy-in-a-box for busy professionals operationalising governance at their organisation, see how at keepabl.com
4 weeks
Good article, thanks Peter Craddock. Couldn't agree more on damages in particular. This decision has so many areas where it fell down and they're almost all on this €400 claim part, concluded in about 5 short paragraphs. Also worth noting, as you do, this isn't a GDPR case and one of the principles for damages is slightly though significantly different between the 2 laws.
Data Protection & AI Consultant | Author of the Data Protection Implementation Guide, A Legal, Risk and Technology Framework for the GDPR | Qualified Irish Solicitor, NY Attorney & FCCA | Consultant Founder, Mighty Trust
1 month
It's great to see a judgment like this and an opportunity for sharing some of the wealth from the technology companies