Europe Court Fines European Commission for Violating Privacy Policy

In a landmark ruling, the General Court of the European Union has ordered the European Commission to pay €400 in damages to a German citizen for unlawfully transferring his personal data, including his IP address, to the United States.

The case stems from the citizen’s use of the Commission’s EU Login webpage, specifically the “Sign in with Facebook” feature, while visiting the website of the “Conference on the Future of Europe.”

The German citizen, who had registered for an event titled “GoGreen” on the website in 2021-2022, claimed breaches of his data protection rights under EU law.

He alleged that his personal data, such as his IP address and browser details, were transmitted to U.S.-based entities, including Amazon Web Services and Meta Platforms (Facebook’s parent company).

He argued that these transfers exposed his data to potential surveillance by U.S. intelligence services, as the United States lacked an “adequate level of protection” for EU citizens’ data at the time.

The citizen sought damages of €400 and €800 for non-material harm and the Commission’s alleged refusal to provide information, respectively.

Key Findings of the General Court

1. No Evidence of Harm in Amazon CloudFront Transfers

The court found that during one of the connections to the website, the citizen’s data was transferred to a server in Munich, Germany, rather than the United States.

Under the contract between the Commission and Amazon Web Services (AWS), any data handled via Amazon CloudFront was required to remain within Europe at all times.

In another instance, the court determined that the data was routed to U.S. servers not due to Commission actions but because of a technical adjustment by the individual himself that made it appear as though he was located in the U.S.

As a result, the court dismissed the claim regarding data transfers involving Amazon CloudFront.

2. Breach Through Facebook Login Integration

The court did, however, confirm that the Commission was at fault for the transfer of the citizen’s IP address and other personal data to Meta Platforms when he signed in via the “Sign in with Facebook” option on the EU Login portal.

At the time of the transfer, on March 30, 2022, the U.S. did not meet EU standards for data protection, and the Commission failed to provide appropriate safeguards, such as standard contractual clauses, to justify the transfer.

The transfer was governed solely by Facebook’s general terms and conditions, a move that violated EU data protection law.

The court held the Commission responsible for creating the technical conditions that led to the data breach.

As a result, the court concluded that the breach caused uncertainty for the citizen regarding the processing of his personal data, amounting to non-material damage.

Court’s Decision

The General Court dismissed several of the citizen’s other claims, including his request to annul the data transfers to the U.S. and his demand for €800 in damages for alleged violations of his right to access information.

The court determined that the Commission’s actions did not result in the type of harm necessary to justify additional compensation.

For the data transfer caused by the Facebook login feature, the court ruled that the Commission committed a “sufficiently serious breach” of EU data protection law.

It ordered the Commission to pay the citizen €400 in damages for non-material harm, citing a clear connection between the breach and the individual’s distress over the mishandling of his personal data.

This ruling underscores the obligations of EU institutions, bodies, and agencies to comply with stringent EU data protection laws, particularly in cross-border data transfers.

The case reaffirms the legal consequences for failing to ensure proper safeguards for personal data, especially when integrating third-party platforms such as Facebook.

The decision also highlights the ongoing challenges of data transfers between EU entities and the United States in the absence of an adequacy agreement or binding legal safeguards.

For EU citizens, the ruling represents a significant precedent in asserting their rights to data protection and holding institutions accountable for non-compliance.


Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cybersecurity incidents happening in cyberspace.
