On July 8, 2024, the Regional Court of Traunstein published its decision No. 9 O 173/24, dismissing a lawsuit against a social media platform over alleged unlawful data transfers to the US.

Background to the decision

The Court outlined that the data subject filed a lawsuit against a social media network platform for, among other things, transferring personal data to the US without obtaining prior consent. The data subject also claimed that the US does not guarantee a level of protection corresponding to the General Data Protection Regulation (GDPR).

Findings of the Court

The Court found that in view of the extensive data protection requirements that are legally imposed on operators of social networks, among others, in conjunction with the complexity of the services regularly provided by these networks, long and confusing privacy policies do not usually lead to a violation of Articles 13 and 14 of the GDPR.

Regarding data transfers, the Court found that a global US-based social network must inevitably exchange data internationally to be able to maintain the worldwide network. The data transfer is, therefore, fundamentally necessary to fulfill the contract under Article 6(1)(b) of the GDPR.

The Court further explained that the transfer is lawful, considering that as of July 10, 2023, it is based on the adequacy decision under Article 45(3) of the GDPR. Previously, the transfer was based, according to the Court, on the Standard Contractual Clauses (SCCs) under Articles 46(1) and 46(2)(c) of the GDPR. In particular, the Court rejected the data subject's claim that the US legal remedy mechanism is based on a government regulation, not a formal law, and cannot provide an equivalent level of protection.

Moreover, the Court held that the data transfer is permissible under Article 49(1)(b) of the GDPR.

Lastly, the Court decided that the user of a globally operated social network cannot require that the controller store and process all data from the network in Europe. The users are not compelled to use such platforms and must accept the platform operator's business decision to process the relevant data outside of Europe.

Outcomes

The Court dismissed the data subject's complaint.

You can read the judgment, only available in German, here.