No damage
for data transfer
to the USA.
No damage
for data transfer
to the USA.
from
Is the fear of the US authorities enough to receive money under data protection law? And how precisely must requests against international data flows be formulated? The Regional Court of Munich I dealt with these questions in a decision that shows how high the hurdles are for claims for damages and injunctions under the General Data Protection Regulation.
What is it all about?
A private individual claimed damages, injunctive relief, information and a declaration of future liability for damages from Facebook. The background to this was the transfer of
She claimed that US authorities could potentially access her data, which had caused her psychological and physical discomfort. Facebook defended itself by referring to the standard contractual clauses in force at the time, additional protective measures and – for later periods – the application of the EU-U.S. Data Privacy Framework. It also referred to its self-service portal, which allows data subjects to view their stored data.
Background
Since the “Schrems II” ruling by the European Court of Justice in July 2020, lawyers, supervisory authorities and companies alike have been concerned with international data transfers. While the ECJ declared the Privacy Shield invalid, the standard contractual clauses remained as the central legal basis – but only if they are flanked by additional technical and organizational measures. In 2023, the European Commission created a new adequacy decision with the EU-U.S. Data Privacy Framework. Since then, companies have been able to rely on this system when transferring personal data to the USA. Nevertheless, there is still a great deal of uncertainty, especially when data subjects want to claim damages without being able to prove a specific misuse of data. This is precisely where the judgment of Munich Regional Court I comes in.
Decision shortly
The Munich I Regional Court dismissed the action with Judgment of 27.08.2025 – Ref. 33 O 635/25 completely. Neither injunctive relief nor requests for information or declaratory relief were successful, and a claim for damages was also denied.
In the opinion of the court, the applications lacked the necessary specificity in some cases and in some cases the need for legal protection. In addition, the court did not see any compensable immaterial damage, as the mere fear of possible access by US authorities does not constitute a sufficient impairment within the meaning of data protection law.
The mere storage location of the data does not in itself constitute compensable damage.
The court made it clear that injunction requests must be formulated precisely. It is not sufficient to simply demand the cessation of any data transfer to the USA without specifying exactly which data is affected and which recipients are meant. A court should not first have to clarify what is actually prohibited in enforcement proceedings.
The request for information also failed, as the company had already provided comprehensive information and made a digital portal available for inspection. According to the judges, there is no need for legal protection in such cases because
According to the court, the decisive factor for the rejection of damages was that mere fears or anxieties about possible access by US security authorities are not sufficient to prove immaterial damage. Such damage requires a concrete impairment, for example in the form of an actual disclosure of data or an individually noticeable disadvantage. The physical complaints described were also unable to establish the necessary connection. The court also stated that users of global communication services consciously accept the international structure of such systems. Therefore, anyone who voluntarily uses a platform whose functionality is based on global data processing cannot later invoke the same mechanism to claim damages.
What does this mean in practice?
The ruling confirms the importance of careful documentation for international platform operators and providers of software-as-a-service solutions. Transfer impact assessments, clean contracts and, where applicable, certifications in accordance with the Data Privacy Framework form the foundation of legally compliant practice.
Transparent communication with users is equally important: those who disclose why certain data flows are technically necessary and what protective measures are in place minimize the risk of legal disputes. The court rates the use of self-service tools, which enable data subjects to retrieve their data independently, particularly positively and can lead to a lack of need for legal protection on the part of plaintiffs.
For companies that use US-related services themselves, the verdict shows: caution yes, panic no. It is worth documenting and regularly reviewing the transfer mechanisms of the tools used. Those who can prove that standard contractual clauses are used and additional technical safeguards are implemented are currently still on a solid footing. The new adequacy decision also offers certainty. It is the concrete guarantees and measures that are decisive, not the headline.
For claimants, on the other hand, the decision makes it clear that claims for damages under the GDPR only have a chance of success if they have substance. Anyone who is unable to demonstrate individual impairments or concrete consequences will regularly fail. The mere fear that someone somewhere in a data center in California could theoretically be reading data is simply not enough.
Classification and outlook
The ruling by the Regional Court of Munich I is one of a series of recent decisions by German courts that set the threshold for non-material claims for damages high. At the same time, it underlines the importance of pragmatic solutions in international data traffic. While political debates on the next US agreement are ongoing, case law is increasingly focusing on realism and proportionality. The court shows understanding for the fact that globally active services rely on global infrastructures and that users are aware of this fact. What is new is the clarity with which the court highlights the discrepancy between theoretical data protection fears and the practical use of global platforms.
Conclusion
Mere concern does not mean harm. Anyone who uses international services inevitably accepts that data is technically processed across borders. It is crucial for companies to document this fact properly, communicate it transparently and make the rights of data subjects practicable. This can avoid many disputes and some lawsuits are declared inadmissible at the outset.
We are happy to
advise you about
Data protection!
