The Landgericht Bonn Judgment: Harmonizing Data Privacy Rules

by

Justyna Sarkowicz

CyJurII Theorist

on 12 December 2025

Citation Number: file reference 13 O 156/24, on 3 June 2025.

1. Thesis

The judgment of the Landgericht Bonn of June 3, 2025, represents an important step towards the effective harmonization of personal data protection standards in cyberspace. The court correctly concluded that the transfer of user data of global digital platforms to the United States– in light of the European Commission's decision of July 10, 2023, on the adequacy of data protection under the "EU-US Data Privacy Framework" – does not violate the provisions of the GDPR. At the same time, it addressed the conflict of norms between European Union and US law in a pragmatic and proportionate manner, recognizing the dimension of the "necessary compromise of cyberspace" – a space where data knows no borders, and digital jurisdictions coexist rather than compete absolutely.

2. Facts and background of the dispute

The plaintiff, a user of a global social media platform based in the US, filed a lawsuit against the operator seeking:

1. a prohibition on the transfer of his personal data to the US,

2. compensation for alleged unlawful data processing outside the EU,

3. information about possible access by US intelligence services to his data under Section 702 of the Foreign Intelligence Surveillance Act (FISA).

The operator defended itself by arguing that the data transfer was carried out in accordance with Articles 45 and 49 of the GDPR, i.e., based on the European Commission's adequacy decision of July 10, 2023 (EU-US Data Privacy Framework), and that the refusal to disclose information about access by US intelligence services was based on mandatory US law.

The court in Bonn dismissed the plaintiff's claims, finding that:

• after July 10, 2023, data transfer to the US is based on Article 45(1) of the GDPR;

• before that date – was permissible as necessary for the performance of the contract (Article 49(1)(b) of the GDPR);

 • the request for information about the activities of US services cannot be fulfilled due to a conflict of obligations under US and EU law.

3. Applied regulations in the context of cyberspace

The court correctly identified the issue of cyber jurisdiction as a real point of contact between law and technology. In cyberspace, personal data is not subject to physical national borders, leading to a conflict between legal orders: the EU privacy protection system based on the fundamental rights approach and the US national security model, which assumes broad access for intelligence services to data processed by technology companies. 

The LG Bonn ruling is part of a new trend in European case law, which is beginning to adopt a more realistic approach to global digital platforms. Full data sovereignty cannot be expected in a world where cloud infrastructure is distributed and information processing occurs transnationally. In this sense, the Bonn court found that cyberspace is a space of shared responsibility, not complete independence of legal orders. Consequently, the operator's invocation of the adequacy decision and the obligations arising from US law was deemed justified in light of the principle of proportionality (Article 5(1)(a) of the GDPR).

The most interesting element of the court's reasoning is its reference to the so-called "irreconcilable conflict of obligations" (unauflösbarer Normenkonflikt). Indeed, in cyberspace, a situation often arises in which a digital entrepreneur – operating globally – is simultaneously subject to conflicting regulations from different countries. One example is Section 702 of the FISA, which imposes on American companies the obligation to cooperate with intelligence agencies. In the case of a digital service provider with users in the EU, this obligation is contrary to the principles of the GDPR, in particular Articles 5 and 6 (principles of lawfulness and data minimization).

The court, finding the refusal to provide information under Article 702 of the FISA permissible, 15 GDPR, invoked the concept of "übergesetzlicher Notstand"—a state of necessity that transcends the law, assuming that a business entity cannot be forced to violate foreign law if it has done everything possible to minimize the risk of violating EU law.

This ruling deserves approval, as it recognizes the real nature of cyberspace—not as an abstract field of application of the GDPR, but as a complex legal ecosystem in which jurisdictional boundaries are fluid and multi-layered. The Bonn court emphasized that in the digital economy, users of global services must expect that the processing of their data will be cross-border. However, this does not mean the abolition of data protection—on the contrary, this protection is taking on a new form, based on the cooperation of supervisory authorities and international mechanisms (such as the Data Privacy Framework).

The LG Bonn judgment reflects a new concept of digital sovereignty—not as being confined within borders, but as the ability of states and the EU to control data flows while respecting fundamental rights. In cyberspace, data protection is not about the physical location of data, but about ensuring that entities processing it anywhere adhere to comparable standards of protection.

4. Conclusions

The judgment under review sets a new direction in thinking about personal data protection in cyberspace. The shift from a formalistic interpretation of the GDPR to the concept of shared responsibility demonstrates the maturity of the European judiciary in the face of global technological challenges. The LG Bonn aptly recognized that cyberspace requires a dynamic and pragmatic approach to the application of law, in which the concept of "infringement" must be considered in the context of real infrastructural and geopolitical constraints. Therefore, this ruling deserves full approval – not only from a data protection perspective, but also as an example of a modern, cyberjuridical interpretation of European Union law.