EU Commission fined for transfer of personal data to US without adequate protection

Recently, the European Commission was found to be in breach of the EU’s General Data Protection Regulation (GDPR) by unlawfully transferring an individual’s personal data to the US.

  • The individual’s data was transferred in 2022 when he selected an option to sign in with Facebook in order to register for a conference on the Commission’s website.
  • Clicking this link led to personal data (including the individual’s IP address) being sent to Meta Platforms, Inc in the US.
  • The GDPR requires personal data to be safeguarded when it is transferred outside the EU. If data is transferred to a jurisdiction which the Commission has not designated as providing an adequate level of protection for personal data, then the data must be appropriately safeguarded.
  • At the time of transfer, the US had not been designated as such by the Commission, and the Commission did not demonstrate that it safeguarded the data to account for this. The “Sign in with Facebook” hyperlink was governed purely by Facebook’s terms and conditions.
  • The individual brought a claim against the Commission, arguing that without adequate safeguards, his personal data could have been accessed by US security and intelligence services after it had been transferred.
  • The court found that the Commission had committed a sufficiently serious breach of the GDPR, and awarded the claimant €400 for being put in a position of some uncertainty over the processing of his personal data.

The EU’s data protection regime is among the most stringent and comprehensive in the world, and ensuring appropriate safeguards when transferring personal data outside of the region remains essential. The judgment also demonstrates the risks involved in including links to third-party websites situated outside of the EU.

If you require further advice on your data protection obligations, then please contact our data protection and IT team.
