The Bindl judgment is significant.
Some positives for controllers/processors: (i) hypothetical, unproven data transfers are not transfers (“the mere risk of access to personal data by a third country cannot amount to a transfer of data” – para. 135);(ii) repeating the principle (for EU Institutions’ non-contractual liability, but similar ones exist in most countries) that no causal link between loss & misconduct “is demonstrated when the loss invoked is the direct consequence of the applicant’s own decision or free choice” (para. 149)
Some things I’m not too keen on in the judgment:
(i) The General Court concludes that IP addresses are personal data a bit too quickly.
Yes, they *can* be personal data, but the “identified or identifiable” requirement of the (EUI) GDPR isn’t really explained by the General Court.
The conclusion makes sense in the context of an identification process, but you first need identification before the IP address can be assumed to be personal data. So is it really a personal data transfer if it happens *before* identification? I cannot see this point being addressed based on a first reading of the judgment, but happy for anyone to correct me
(ii) While the point of “if it’s my fault, I can’t claim there is a causal link with between the controller’s misconduct and my loss” is examined in detail in one part of the judgment (on the use of CDNs) and concludes that the applicant’s behaviour is the actual cause, the General Court seems not to examine that in detail in the section about the use of the Facebook Login function.
I can guess what might be the legal reasoning behind that, but that reasoning is missing, so there is a lack of clarity in that respect.
And then a side note: when the SRB judgment was adopted (saying that “personal data” is a relative concept – i.e. what is personal data from controller A’s perspective might not be from entity B’s perspective), I recall some commentators claiming it didn’t matter, it was just the General Court. Now that the Bindl judgment is here, I do not see many saying the same. Double standards?
Every judgment by every judge is important. While they may not all be the CJEU, they all contribute to the body of law that is data protection law, and we have to learn from them all – even the legal positions some don’t agree with and that they might wish to challenge.
In case you haven’t read it yet, here’s the link: https://lnkd.in/eJ6KR9kc
,Edit: see also below re para. 197 (“put the applicant in a position of some uncertainty as regards the processing of his personal data” being deemed sufficient to qualify as a demonstration of actual loss), which I didn’t refer to above because it follows from the rest of the reasoning but with which I disagree fundamentally (otherwise, is any uncertainty a loss?).