The European Court of Justice (ECJ) has fined the EC for breaking European rules on data protection. EPA-EFE/JULIEN WARNAND

EU court orders EC to compensate citizen for violating its own protection laws

The General Court of the Court of Justice of the European Union has directed the European Commission to compensate an individual who alleged his personal data was wrongfully transferred to the US after visiting an EU-hosted website.

That came despite the EU claiming to have in place strong privacy and security regulations under the General Data Protection Regulation (GDPR), providing comprehensive protection for the personal data of individuals in Europe.

On January 8, the Court found the commission responsible for improperly transferring a citizen’s IP address to Facebook when he registered for an event via a “Sign in with Facebook” option.

This transfer violated EU data protection rules, as the US lacked adequate safeguards at the time, and the commission provided no legal basis for the transfer.

A Germany-based citizen had complained that the European Commission violated his personal data protection rights during his visits to the Conference on the Future of Europe website in 2021 and 2022, a website hosted by the EC.

The man registered for the ‘GoGreen’ event on the website via the EC’s EU login service, opting to sign in with his Facebook account.

He claimed that during his visits to the website, his personal data, including his IP address and browser details, were transferred to US companies Amazon Web Services and Meta Platforms, Inc., operators of Amazon CloudFront and Facebook, respectively.

The individual argued that the US lacked adequate data protection and that these transfers exposed his data to potential access by US security agencies without sufficient safeguards from the commission.

He wanted €400 in compensation for emotional harm caused by his personal data being transferred to the US, €800 for denied access to information, and acknowledgment that the commission failed to act appropriately.

He also demanded the annulment of the data transfer.

The court concluded that the breach caused the citizen emotional distress due to uncertainty about how his data was used.

It said that there was “a sufficiently direct causal link between the Commission’s infringement and the non-material damage sustained by the individual concerned.”

As a result, the commission was ordered to pay €400 in damages.

While siding with the man on the wrongful transfer of personal data, the General Court dismissed several other claims, including an annulment request and compensation for lack of access to information, finding no harm occurred.

It also ruled that data sent through Amazon CloudFront was handled correctly, as one transfer stayed within Europe and another was redirected to the US due to the individual’s own settings.

EC spokesperson Thomas Regnier told Brussels Signal: “The Commission takes note of the judgment and will carefully study the Court’s judgment and its implications.”

The commission has used the regulations to impose hefty penalties previously, with fines totalling more than €4.2 billion to date.

Meta, parent company of Facebook and Instagram, has received the largest GDPR fine to date, €1.2 billion in 2023. That was for transferring European users’ data to the US without adequate safeguards.

Amazon was fined €746 million in 2021 by Luxembourg’s data protection authority for advertising-related GDPR violations.

LinkedIn was hit with a bill for €310 million in 2024 from the Irish Data Protection Commission for unlawful data processing and lack of transparency.

In the same year, Uber was fined €290 million by the Dutch Data Protection Authority for transferring sensitive data of European taxi drivers.

Instagram was penalised to the tune of €405 million in 2022 for mishandling children’s data, while TikTok received a €345 million penalty for GDPR violations.