This week the European General Court ordered the European Commission to pay €400 damages to a European individual who had visited one of its websites, resulting in the visitor's personal data, i.e. their IP address, being sent to a US website server. The US is deemed a "third-country" within the meaning of Article 46 of the GDPR, so it is unlawful to transfer personal data, e.g. an individual's device IP address, to it, without complying with the provisions of Article 49.
This is important because it signals an acceptable value for the non-material damages suffered. The top 71 German websites all have estimated daily unique web visitors greater than 1MM, and almost all contain third-party content hosted by US companies. What's more, hardly any of the sites comply with the ePrivacy and GDPR requirements for valid user consent.
Under a 2020 European Union Directive (2020/1828), a European version of a "Class Action" called a "collective redress action" can be used to protect the interests of large numbers of consumers. Individuals can obtain non-material damages when their rights are ignored, such as when their personal data is unlawfully processed. Though these "Redress" actions must be brought on a non-profit basis, civil society organisations approved for this, such as NOYB, could obtain costs, and be funded by arm's-length third parties. In the UK the 2015 Consumer Rights Act allows businesses to develop redress schemes on a voluntary basis for some competition law infringements, and similar changes are being discussed for data protection infringements.
If we conservatively assume an average of 10MM unique visitors to those sites, the total damages alone arising from a successful "class action" could be in the many billions, and most of the top European websites could become liable.
Here is a report from our site scanner of the top German websites:
Most of them contain third-party content causing their visitors' IP addresses to be sent to the US.