I. Introduction
The Turkish Personal Data Protection Authority published the Guidelines on International Transfers of Personal Data at the beginning of January. Following this publication, international data transfers have become a major issue in the fields of law and cybersecurity in the country. In this article, we will analyze the judgment of the General Court of the Court of Justice of the European Union (“General Court”) in Bindl v Commission[1], which was announced last month, regarding data transfer to third countries.
II. Allegations and Claims of the Applicant
In 2021 and 2022, Bindl, a natural person of German nationality, visited the website of the Conference on the Future of Europe, which is associated with the European Commission (“Commission”), on several occasions. In particular, he visited the website by using the “Sign in with Facebook” option via the Commission’s EU login authentication service (EU Login, formerly ECAS) to register for the “GoGreen” event. The applicant alleged that his personal data, including his IP address and browser and terminal information, was transferred to the United States (U.S.) when he used the website.
The applicant first claimed that his personal data was transferred to Amazon Web Services, the operator of Amazon CloudFront, the content delivery network used on the website in question.
His second claim was that when he registered for the GoGreen event using his Facebook account, his data was transferred to Meta Platforms, Inc.
According to the applicant’s allegations, the U.S. did not have an adequate level of data protection, and these data transfers even posed a risk that his personal data could be accessed by U.S. security and intelligence services. The Commission did not present appropriate safeguards[1] to justify these transfers.
The applicant requested that the Commission pay him €400 in compensation for non-material damage sustained as a result of those transfers.
Secondly, the applicant requested that the Court annul the transfer of his personal data, declare that the Commission unlawfully failed to define its position on the information request, and order the Commission to pay him €800 in compensation for non-material damage sustained as a result of an infringement of his right of access to information.
III. Observations and Judgment of the Court of Justice of the European Union
The General Court rejected the second group of claims[1] and the claim concerning Amazon CloudFront[2].
The situation is different for the applicant’s registration for the GoGreen event via EU Login with the “Sign in with Facebook” option. The General Court concluded that the transfer of the applicant’s IP address to Meta Platforms, an undertaking established in the U.S., must be attributed to the Commission. At the date of the transfer (30 March 2022), there was no Commission decision recognizing that the U.S. ensured an adequate level of data protection.
According to the General Court’s judgment, the Commission also did not claim and prove that an appropriate safeguard was in place, such as a standard clause on data protection or a contractual clause[1]. In this case, the display of the hyperlink “Sign in with Facebook” on the relevant page was entirely subject to the general terms and conditions of the Facebook platform. Therefore, the Commission did not comply with the conditions laid down by EU law for the transfer of personal data by an EU institution, body, office or agency to a third country.
As a result, the General Court concluded that the Commission committed a sufficiently serious infringement of a rule of law conferring rights on individuals. Thus, the Court ruled that the applicant suffered non-material damage as a result of the uncertainty in relation to the processing of his personal data, in particular his IP address. The Court also held that there was a sufficiently direct causal link between the infringement by the Commission and the non-material damage suffered by the applicant. As a result of these observations, the General Court ordered the Commission to pay the applicant the €400 non-material damage claimed by him, as the conditions for the European Union’s non-contractual liability were satisfied.[2]
IV. General Situation between the EU and the U.S.
The turning point regarding data transfers from the EU to the U.S. was the Grand Chamber’s Schrems II decision of 16 July 2020[1]. In that decision, the General Court invalidated the “Privacy Shield”[2] framework regulating the transfer of data between the EU and the U.S. on the basis that the U.S. could not protect the data at the level required by Europe. This decision meant that there was no valid adequacy decision regulating data transfers with the U.S. Since no adequacy decision was taken subsequently (until July 2023), companies and organizations wishing to transfer data to the U.S. were required to take additional security measures. On 4 June 2021, the Commission published the EU Standard Contractual Clauses[3] (SCC). Thus, the former standard contractual clauses were invalidated for data transfers to third countries as of 27 December 2022. The transfer referred to in the Bindl judgment occurred when there was no agreement or adequacy decision between the EU and the U.S. A new transatlantic framework started to be negotiated in 2022, and an adequacy decision was made for the EU-U.S. Data Privacy Framework on 10 July 2023.[4]
V. Analysis and Conclusion
In conclusion, secure data transfer to third countries requires first checking whether those countries fulfill the data security criteria and are covered by an adequacy decision. For countries without an adequacy decision, it is important to use legal instruments, such as standard contractual clauses adopted by the Commission, contractual clauses subject to the approval of the European Data Protection Supervisor, and binding company rules notified to the data protection authority of the relevant country, and to adopt additional safeguards (technical measures such as encryption and anonymization of data). At this point, we need to underline that Türkiye is among the countries lacking an adequacy decision.
Although the amount of compensation awarded at the end is not very high, the decision is important in that it highlights the necessity for not only private companies but also state institutions to act within the framework of appropriate safeguards for personal data protection. The decision is also useful in emphasizing the attention that the administration should pay to personal data protection legislation, the necessity of protecting the rights of individuals against the administration through effective judicial mechanisms, and the importance of courts’ compensation decisions in this respect. Still, the decision is interesting to some extent. By opening a Facebook account and using the “Sign in with Facebook” option on any website, the applicant is already exposed to data transfers based on the general terms and conditions of the Facebook platform. Therefore, because he is a user of this platform by his own choice, the data transfer to Meta Platforms that he claims caused him non-material damage (and, if his allegations reflect the truth, the risk that his data can be accessed by U.S. security and intelligence forces) already takes place even if he never accesses a website of the Commission.
Turkish law also provides for compensation of damages if personal data is not protected as per Law No. 6698 on the Protection of Personal Data and other general provisions. Accordingly, given the close relationship between the protection of personal data and the protection of personal rights, it is possible to claim non-material damages when there is a causal link. However, such claims are not common currently, especially in administrative proceedings, and do not resonate with the public. This may be related to the long duration of judicial proceedings and the low amount of non-material damages that can be obtained at the end of the process.
İdil Aşkın, Associate