The Changing Landscape of European Privacy Enforcement

The European Union’s agenda, like the old Soviet Union’s economic planning, operates in five-year increments. During European Commission President Ursula von der Leyen’s first five-year term from 2019 to 2024, implementing the European Union’s 2018 General Data Protection Regulation (GDPR) was an initial digital policy priority. Safeguarding transatlantic data transfers became another, after 2020, when the Court of Justice of the European Union (CJEU) struck down a transatlantic agreement for personal data transfer (the Privacy Shield). By 2023, a successor (the EU-U.S. Data Privacy Framework) was in place. 

As risk to transatlantic data transfers thereafter receded, U.S. digital policymakers shifted their attention to three major new EU digital legislative initiatives—the 2022 Digital Services Act (DSA) and Digital Markets Act (DMA), and the 2024 Artificial Intelligence Act (AIA). Von der Leyen’s just-begun second term, which started at the end of 2024, will emphasize implementation of these new landmark laws, as her mission letter to Henna Virkkunen, the responsible commissioner, emphasized. Several ongoing DMA investigations are scrutinizing advertising-related practices of U.S. technology giants.

Privacy litigation involving data transfers to the United States has not gone away, however, and indeed seems destined to expand. One privacy activist’s challenge to the DPF is due to be taken up by an EU court soon, and rumors of a second case are becoming more concrete. In addition, European privacy nongovernmental organizations are poised to take advantage of new procedural possibilities for class-action-style litigation and for enhanced damages recovery, as detailed in the sections below. Europe’s changing privacy enforcement landscape could thus emerge as a significant policy issue during Trump’s and von der Leyen’s second terms. 

Legal Challenge(s) to the EU-U.S. Data Privacy Framework

One consistent facet of European privacy enforcement in recent years has been challenges by privacy advocates to EU agreements with the U.S. government enabling transfers—in the commercial context—of personal data to the United States. 

The latest judicial challenge landed in 2023, shortly after the EU-U.S. Data Privacy Framework took effect. French parliamentarian Philippe Latombe filed a legal challenge to the DPF before the European General Court, the lower chamber at the CJEU. Under Article 263 of the Treaty on the Functioning of the European Union, an individual may ask the General Court to annul an EU regulatory act—in this case the European Commission’s adequacy decision for the DPF—if it is “of direct concern” to him or her. The court quickly denied Latombe’s preliminary request to suspend application of the DPF, and it remains in force during the pendency of the litigation.

A hearing and ruling in the Latombe case is expected to take place in the next few months. Some commentators believe his petition will fail for jurisdictional reasons. CJEU case law sets a high standard for standing in annulment actions, requiring an individual to be “directly and individually concerned” by the measure. It is not enough, in other words, if the individual simply has concerns about, and is adversely affected by, the measure. The General Court recently gave a mixed signal in the Latombe case, however, by reportedly asking lawyers in the case to brief the merits as well as the jurisdictional dimension—suggesting that it may not regard the standing issue as decisive. 

Separately, the European privacy advocacy organization None of Your Business (NOYB)— headed by well-known Austrian privacy activist Max Schrems—issued a statement soon after the DPF took effect, suggesting that it expected the question of the new framework’s validity to be back before the CJEU “in a matter of months.” Schrems and his organization were the protagonists in earlier successful efforts to bring down the 2009 Safe Harbor and 2015 Privacy Shield transatlantic data transfer agreements.

Since issuing that statement, NOYB has not taken definitive steps to bring suit—but the litigation climate for a challenge has notably improved of late. Austria has just implemented a 2020 EU directive on Representative Actions for the Collective Interests of Consumers (Representative Actions Directive) enabling authorized consumer protection organizations to file suits for collective redress—a European counterpart to U.S.-style class-action lawsuits (discussed further below). Austrian authorities have approved NOYB’s eligibility to bring such actions, and Ireland (where several major U.S. cloud providers are located) has done so as well. These steps were publicly hailed by Schrems’s organization.

Schrems’s public statements and NOYB’s website indicate that he has already developed arguments he plans to raise against the DPF and suggest that he is in the process of finalizing a complaint and choosing a defendant. The defendant could once again be a U.S. cloud services giant or instead a European company that transfers data to the United States. If NOYB sues in an EU member state court to block the DPF, the national court would likely forward the questions of European law to the CJEU. Referral could happen relatively quickly, though proceedings at the CJEU typically take as much as two years to resolve. Preliminary reference proceedings do not face the same standing hurdle in Luxembourg as annulment actions.

The Prospect of Privacy Class-Action Litigation in Europe

Article 82 of the GDPR provides that “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation[.]” Non-material damage encompasses non-economic loss, such as pain and suffering, inconvenience, and anxiety. Jurisprudence applying this provision has developed slowly in EU and member state courts.

A new feature of the European privacy landscape is the prospect of class-action-like proceedings to recover damages authorized under the GDPR. The Representative Actions Directive establishes a common framework across the 27 member states for qualified organizations to vindicate consumer interests, including privacy. It multiplies the potential scope of damages by allowing many individuals’ interests to be consolidated in a single action. Since directives must first be transformed by individual member states into national legislation before becoming legally effective, the process across the EU for bringing this one into effect has been typically slow and lengthy. The Representative Actions Directive now has been largely implemented, however, and will begin having an impact on consumer litigation. 

Some European countries such as the United Kingdom and the Netherlands already had national collective redress procedures. Law firms in those countries have experience in bringing such cases involving privacy injuries and in some instances rely on third parties to underwrite litigation costs. Other European countries, however, such as Germany, historically resisted consumer collective redress, so agreeing to the EU directive was a notable shift in their views. (Indeed, the German government long complained to the U.S. government about the burden of U.S. class-action litigation for German companies operating in the United States.) Now the stage is set for collective redress for privacy harms to have an impact across EU member states generally.

A New Horizon for Damages Awards

Beyond these challenges, a Jan. 8 judgment from the EU General Court is an important advance in GDPR damages jurisprudence. If the ruling stands on appeal, it would offer privacy advocates significant financial incentives for collective redress litigation. 

The case involves a European Commission website designed to engage the European public in an initiative called the Conference on the Future of Europe. In March 2022, the site advertised an upcoming public forum on environmental policy. Interested individuals could register for the event through a Facebook hyperlink. Thomas Bindl, a German who heads the European Society for Data Protection (EuGD), a privacy nonprofit, did so. At that time, there was no EU adequacy finding in place for data transfers to the United States, nor had the commission arranged with Facebook to utilize privacy-protecting standard contract clauses (SCCs) for registration data processed by the company. Bindl sued the European Commission, alleging that transfer to Facebook of the IP address associated with his registration, absent these safeguards, was a breach of EU data protection law, causing him injury. 

The General Court agreed that the absence of transfer protections constituted a serious breach of EU data protection law and that Bindl had suffered non-material damage simply by being put “in a position of some uncertainty” regarding Facebook’s processing of his IP address. The tribunal awarded Bindl damages in the amount of 400 euros—a quantum for which it offered no explanation.

Observers have been quick to assess the judgment. As Theodore Christakis pointed out, the General Court did not find that Facebook had actually transferred the IP addresses of European registrants to the United States; it simply relied on the fact that Facebook is established in this country as a presumptive basis for assuming that such transfers had occurred.

Nor did the court articulate what the risk of unprotected transfers of this data to the United States would be. Christakis asked the lurking question: “How likely would U.S. intelligence agencies be to request under the Foreign Intelligence Surveillance Act Section 702 an IP address in a case involving registrations for an event on European environmental policy?” Even Bindl himself, in an interview after the judgment, confessed that “I didn’t have sleepless nights” over the whereabouts of his IP address, thereby casting some doubt on the finding of harm. Rather, he appears to view data transfer to the United States as intrinsically harmful, stating, “Why the Future of Europe website must also be consistently accessible from the USA remains unclear to me and does not seem absolutely necessary.” Both Bindl and the European Commission likely will appeal legal aspects of the judgment to the CJEU.

The ruling matters because, for the first time, an EU court has articulated a standard for non-material privacy harm and placed a monetary value on it. (U.K. courts, by contrast, do not view simple loss of control of data as a basis for recovery absent proof of damages or distress.) While the actual award in the Bindl case is financially insignificant, it sets a benchmark that could be applied in future collective redress litigation, where awards could be multiplied exponentially. As Christakis noted, “By embracing an audacious approach in recognizing ‘intrinsic harm,’ the court effectively paves the way for activists and law firms to pursue large-scale collective redress actions on behalf of thousands or millions of individuals under similar circumstances.” 

Data Transfers Back on the Transatlantic Agenda

Legal challenges in the EU’s courts to transatlantic data transfer agreements have become old news, but they never go away. The latest challenge is expected to be decided in 2025 and could well be joined in Luxembourg by another from long-standing U.S. nemesis Max Schrems and his NOYB organization.

In addition, the new legal foundation for collective actions across the EU, and the General Court’s fixing of a low threshold for non-material privacy harm—taken together—could have big policy consequences. Personal data transfers from Europe to the United States for commercial purposes, already an attractive target for European privacy advocates, have just become even more inviting. Privacy activists like Schrems’s NOYB and Bindl’s EuGD may well take advantage to expand the range of challenges to transfers involving U.S. cloud service providers.

Moreover, although the Bindl case doesn’t directly implicate the validity of the DPF, the CJEU could take the initiative to decide the two matters together, similar to what it did in its 2020 judgment jointly considering separate challenges to the Privacy Shield and to standard contract clauses.

If transatlantic data transfer conflicts intensify in this way, the Trump administration will have to decide whether to engage on behalf of U.S. champions—adding to the list of challenges that will define digital policy in Washington and Brussels in the years to come.