The European General Court has imposed a historic fine on the European Commission for breaching EU data protection regulations. This marks the first instance where the Commission faces penalties for violating the region’s privacy laws.
The case emerged when a German citizen’s personal data, including IP address and browser metadata, was transferred to Meta’s U.S. servers through the futureu.europa.eu website in March 2022. The incident occurred when the user attempted to register for an event using the Commission’s login service, which offered Facebook authentication.
The Court determined that the Commission created conditions for unauthorized data transmission through the ‘Sign in with Facebook’ feature. At the time of the transfer, no adequate data protection agreement existed between the EU and the United States, nor did the Commission implement appropriate safeguards or contractual clauses.
Claims regarding data transfer to Amazon CloudFront servers were dismissed, as the information was hosted in Munich, Germany. The Court did, however, find the Commission in violation of Article 46 of Regulation 2018/1725, which concerns personal data transfers to third countries.
The Commission has been ordered to pay €400 ($412) in compensation to the affected individual. The transfer at issue took place before the implementation of the new EU-U.S. Data Privacy Framework in July 2023, which now provides a legal mechanism for transatlantic data transfers.