EU General Court Puts International Data Transfer Compliance on the Agenda for 2025

In most litigation matters, a damages award of €400 wouldn’t raise an eyebrow. Sometimes, however, the numbers are unable to convey the importance — indeed, the potentially far-reaching ramifications — of a particular ruling.  

A judgment issued yesterday (Wednesday 8 January 2025) by the European Union’s General Court falls squarely into the latter camp. Confounding the expectations of most observers, the General Court — a constituent court of the Court of Justice of the European Union that hears actions brought by individuals against EU institutions — awarded a German citizen €400 to compensate for the loss of control of personal data that were transferred to the U.S. when he registered via Facebook for a conference listed on the European Commission’s website.

The personal data in question? The claimant’s IP address, as well as information about his browser and terminal equipment. And the damage suffered? That the claimant found himself “in a position of some uncertainty” as regards the processing of his personal data, owing to the fact that its transfer occurred in the period of legal limbo between the annulment of the EU-U.S. Data Privacy Shield, in July 2020, and the introduction of the EU-U.S. Data Privacy Framework, in July 2023.

Most consequently, the General Court found that the claimant suffered “non-material damage” as a result of the transfer of his personal data to the U.S. 

This is to my knowledge the first time that that the General Court (or the CJEU) has made such a finding in the context of international data transfers. By contrast, the CJEU has in a series of cases (e.g. C-182/22 and C-189/22) made clear that the bar is high in order to establish a compensable finding of non-material damage — namely, that the claimant must prove:

• The infringement of the GDPR;
• The damage suffered; and
• A causal link between the two. 

Whether one considers that “some uncertainty” about the processing of personal data should be capable of proving non-material damage, that threshold now appears to be sufficient to do so. Similarly, while it is not unreasonable to consider the Court’s judgment ignores the reality of modern digital life (in which the Internet is borderless and the IP address of an individual registering for an environmental policy conference is extremely unlikely to be swept up in a foreign government’s surveillance activities), those arguments are of no moment.

The Commission may bring an appeal to the Court of Justice of the European Union within two months and ten days of being notified of today’s decision. But unless that happens, organisations should operate on the basis that European courts may be emboldened to issue similar rulings — and that privacy interest groups and litigation funders will almost certainly use the judgment to mount collective actions in relation to a wide range of processing activities, including international data transfers.

As such, compliance with the GDPR's cross-border data transfer rules is — once again — on the agenda and in the spotlight for 2025.

Subscribe to Ropes & Gray Viewpoints by topic here.