E.U. Commission Fined for Transferring User Data to Meta in Violation of Privacy Laws

EU Commission Fined for Data Privacy Breach Involving Meta

On January 8, 2025, the EU General Court issued a significant ruling that highlights a breach of the European Union's General Data Protection Regulation (GDPR) by the European Commission itself. Here are the key points from the recent developments:

Background of the Case

A German citizen filed a complaint against the European Commission for infringing his right to the protection of his personal data. The complaint arose from the citizen's use of the "Sign in with Facebook" option to register for a conference on the EU's "Conference on the Future of Europe" website. This action resulted in the transfer of his IP address and other personal data to Meta Platforms, which is based in the United States23.

Violation of GDPR

The EU General Court found that the European Commission failed to comply with Article 45 of the GDPR, which requires that data transferred to a third country (in this case, the United States) must ensure "an adequate level of protection for personal data." At the time of the data transfer, there was no Commission decision indicating that the United States provided an adequate level of protection for EU citizens' personal data. Additionally, the Commission did not implement any appropriate safeguards such as standard data protection clauses or contractual clauses25.

Court Ruling

The General Court ruled that the European Commission committed a sufficiently serious breach of a rule of law intended to confer rights on individuals. The court ordered the Commission to pay €400 in damages to the individual for the non-material damage suffered, which included uncertainty regarding the processing of his personal data23.

Implications

This ruling underscores the strict enforcement of GDPR regulations and the importance of ensuring that personal data transfers to third countries meet the required standards of protection. The European Commission has stated that it will carefully study the court's judgment and its implications1.

Reaction

A European Commission spokesperson acknowledged the judgment and indicated that the Commission will review the ruling and its implications. This case sets a precedent for other institutions and organizations to ensure compliance with GDPR when transferring personal data to third countries15.

In summary, the EU General Court's ruling highlights the European Commission's failure to adhere to its own data protection regulations, resulting in a fine and emphasizing the need for strict compliance with GDPR guidelines in data transfers to third countries. Here are the sources for further reading:

• [EU fines EU for breaching EU data protection law]1
• [The General Court orders the Commission to pay damages to a visitor to its ‘Conference on the Future of Europe’ website]2
• [Issued General Court ruling requiring European Commission to pay damages for alleged personal data transfers to third countries]3
• [European Commission Violated Its Own Privacy Rules, Court Finds]5