On Wednesday, the European General Court fined the European Commission for violating the European Union’s data privacy regulations. This ruling marks the first time the Commission has been held accountable for breaching the stringent data protection laws enforced in the region. The court found that the Commission was responsible for transferring personal data of a German citizen, including their IP address and web browser metadata, to Meta’s servers in the United States. This transfer took place when the individual visited the now-defunct futureu.europa.eu website in March 2022, registering for an event and using the Commission’s login service, which included a “Sign in with Facebook” option.
The data transfer occurred when the individual opted to use their Facebook login credentials, which triggered the transmission of their IP address to Meta’s servers. The European Court of Justice determined that this action created the conditions for the transfer of personal information to the U.S. without proper authorization or safeguards. The applicant argued that the transfer of their data to the U.S. posed a risk of surveillance by U.S. security and intelligence services. However, their claim that the data was also sent to Amazon CloudFront servers was dismissed after it was confirmed that the data was hosted on servers located in Munich, Germany.
The court ruled that the Commission’s actions violated the provisions under Article 46 of Regulation 2018/1725, which governs the transfer of personal data by EU institutions to third countries. The Commission failed to demonstrate that the data transfer complied with required safeguards such as standard data protection clauses or other contractual protections. At the time of the transfer in March 2022, there was no ruling from the Commission confirming that the United States ensured an adequate level of protection for EU citizens’ personal data, a critical factor for cross-border data transfers.
As a result of the violation, the European General Court ordered the Commission to compensate the individual with €400 ($412) for non-material damage caused by the improper transfer of their personal data. This ruling highlights the importance of strict adherence to data privacy laws and the potential consequences for institutions failing to protect citizens’ personal information in accordance with EU regulations.
