The European General Court on Wednesday fined the European Commission, the European Union’s main executive body responsible for proposing and enforcing laws for member states, for breaching the bloc’s own data privacy rules.
The event marked the first time the Commission had been prosecuted for breaching the region’s strict data protection laws.
The court determined that a "sufficiently serious breach" was committed when a German citizen's personal data, including his IP address and web browser metadata, was transmitted to a Meta server in the United States while he was visiting the now-defunct website futureu.europa(.)eu in March 2022.
The person had registered for an event on the website using the Commission's login service, which included the option to log in with a Facebook account.
“With the ‘Login via Facebook’ hyperlink displayed on the EU Login web page, the Commission created the conditions for the transfer of the IP address of the person concerned to the American company Meta Platforms,” the Court of Justice of the European Union said in a statement to the press.
The applicant claimed that in connection with the transfer of their information to the United States, there was a risk that their personal data would be accessed by the security and intelligence services of the United States.
However, their allegation that the data was also transferred to Amazon’s CloudFront servers in the US was dismissed after it was found that the information was hosted on a server located in Munich, Germany. The website in question used Amazon’s Content Delivery Network (CDN).
“At the time of this transfer, March 30, 2022, there was no decision by the Commission that the United States has ensured an adequate level of protection for the personal data of EU citizens,” the court said. “Furthermore, the Commission has not demonstrated or argued that there was an adequate protection, in particular a standard data protection clause or a contractual clause.”
According to the General Court, this was a breach of the rules on the transfer of personal data by an EU institution, body, office or agency to a third country under Article 46 of Regulation 2018/1725.
As a result, the court ordered the Commission to pay the man 400 euros ($412), which he had demanded as compensation for the non-pecuniary damage he claimed to have suffered as a result of the data transfer.