
At first glance, the headline looks like a typo: The EU rules against the EU…for breaching EU data protection law?  

But you read it right. On January 8, the EU General Court ordered the European Commission to pay damages to an individual—Thomas Bindl—for transferring his data to the U.S. without adequate protections. (Bindl is the founder of EUGD.org, a German-based litigation funding firm focused on EU data protection claims.) 

During the transition between the EU-U.S. Privacy Shield and the EU-U.S. Data Privacy Framework, Bindl used a Facebook login function to access a Commission-managed website, which collected his IP address, as well as browser and terminal information. The Court found the Commission “committed a sufficiently serious breach of a rule of law that is intended to confer rights on individuals.”   

What Is the Impact of the Bindl Ruling on Organizations?  

The award to Bindl is small—400 Euros—but the case could have big ramifications for European privacy litigation. Here are three things we think are significant about the finding. 

1. It Could Open the Door for Class Action Suits in the EU 

Though the sum itself isn’t a game changer, it sets a precedent for future privacy litigation that could result in more class-action lawsuits. The decision puts a measurable figure on potential risk and harm at the same time that the ability to pursue large-scale collective redress is expanding: Max Schrems’ privacy advocacy group NOYB can now bring collective redress actions in Austria and Ireland. Depending on the suit, €400 to multiple plaintiffs could quickly add up to millions.  

2. Public Sector Organizations and Charities Aren’t Exempt from Regulatory Consequences 

If the European Commission can be on the wrong side of a ruling in EU Court, so can any public sector or nonprofit organization. This ruling should be a wake-up call to organizations that consider their risk of violation to be low. And, with a public sector organization being challenged, it shows that multi-claimant actions can be set against a larger group of stakeholders.  

3. Data Flows and Transfers Matter 

Max Schrems and the EU courts have spoken: Cross-border data transfers must be taken seriously. Businesses ignore them at their peril. No one wants to shut off the Internet, but transferring data from the EU to the U.S. requires adequate transfer measures, even when using common social login features. If you are unsure whether your data collection points are adequately protected, take time to review the EU-U.S. Data Privacy Framework and double-check everything. 

What Does the Bindl Ruling Mean for Privacy Pros? 

Proactively reviewing the data you collect, and making it visible across the organization, can help you develop a more strategic compliance plan. With that information, it is easier to identify who you share data with, and organizations gain the insight needed to notify individuals, who can then make their choices by providing consent (if required) or opting out. It also allows organizations to manage data transfers effectively, ensuring lawful transfer mechanisms are in place and supporting more thoughtful analysis in their transfer impact assessments. 

Robust cookie consent, unified consent, subject rights management, data discovery and tracking, and assessment tools—ideally with automation, dashboards, and risk flagging built in—can make it easier for you to manage consent, eliminate errors, and take a proactive approach to data protection. 

Want to Learn More? 

To see how these solutions can help you comply with the GDPR and other EU regulations, request a meeting with Osano today. 
