The European General Court has imposed a fine on the European Commission for breaching the European Union's stringent data privacy regulations. This marks the first instance where the Commission has been held accountable for violating data protection laws in the region.
The court ruled that the Commission committed a "sufficiently serious breach" by transferring a German citizen's personal information, including IP address and browser metadata, to Meta's servers in the United States. This occurred when the individual visited the now-defunct futureu.europa[.]eu website in March 2022.
The individual had signed up for an event on the site using the Commission's login service, which offered the option to sign in via Facebook. The court found that by incorporating the "Sign in with Facebook" link on the E.U. Login page, the Commission facilitated the transfer of the user's IP address to Meta Platforms in the U.S.
The complainant argued that this data transfer posed a risk of their personal information being accessed by U.S. security and intelligence agencies. However, the court rejected the separate claim that the data was transferred to Amazon CloudFront servers in the U.S. It determined that the data was hosted on a server located in Munich, Germany, with Amazon's content delivery network (CDN) involved.
The court stated that at the time of the transfer, on March 30, 2022, the Commission had made no decision confirming that the U.S. provided adequate protection for E.U. citizens' data. Furthermore, the Commission failed to provide proof or indicate that appropriate safeguards, such as standard data protection clauses, were in place.
This breach was deemed a violation of Article 46 of Regulation 2018/1725, which governs the transfer of personal data from E.U. institutions to third countries. As a result, the court ordered the Commission to pay the affected individual €400 ($412) in compensation for the non-material damage caused by the unauthorized data transfer.
In response to growing concerns over data privacy, the European Union introduced the E.U.-U.S. Data Privacy Framework in July 2023, following the invalidation of the Privacy Shield. This new framework aims to facilitate transatlantic data transfers while ensuring stronger protection for personal data.