European union flag against parliament in Brussels, Belgium
gettyThe EU General Court has ruled against the European Commission for failing to comply with its own GDPR data protection regulations.
It's ordered the Commission to pay €400 in damages to a German man, Thomas Bindl, whose privacy was breached while he was registering for an event forming part of the Conference on the Future of Europe in 2022. To do this, he used the Commission’s EU Login authentication service, choosing the option of signing in using his Facebook account.
However, said Bindl, during his visits to the website his personal data, including his IP address, along with information about his browser and terminal, were transferred via a content delivery network, Amazon CloudFront, managed by Amazon Web Services. The data ended up on servers operated by Facebook’s parent company Meta Platforms, he claimed.
This, he said, meant there was a risk that his data could potentially be accessed by the US security and intelligence services.
Bindl also called for the transfers of his personal data to be annulled, for a declaration that the Commission broke the rules by failing to define its position on a request for information, and for another €800 in compensation for the non-material damage he claimed to have sustained as a result of the infringement of his right of access to information.
Not all his complaints were upheld. The court concluded that, in fact, no data had been transferred outside the EU—the Commission's contractual arrangements with Luxembourg-based AWS EMEA didn't allow it.
However, it found that Bindl's concerns hadn't properly been addressed when he first raised the issue, and that the displaying of the Sign in with Facebook hyperlink was entirely governed by the general terms and conditions of the Facebook platform.
At the time, the Commission hadn't recognized that the U.S. ensured an adequate level of protection for the personal data of EU citizens. And this meant the Commission didn't fully comply with the GDPR rules for the transfer of personal data to a third country.
"The General Court finds that the Commission committed a sufficiently serious breach of a rule of law that is intended to confer rights on individuals. The individual concerned suffered non-material damage, in that he found himself in a position of some uncertainty as regards the processing of his personal data, in particular of his IP address," the court said in a statement.
"There is, moreover, a sufficiently direct causal link between the Commission’s infringement and the non-material damage sustained by the individual concerned."
While the ruling may seem entertaining, it could set a precedent for a flood of small GDPR claims, according to Joe Jones, director of research and insights at the International Association of Privacy Professionals.
"The amount awarded may seem modest, but multiply that by thousands, if not millions, and welcome to a future where data protection class actions brought by the likes of [privacy campaign group] noyb.eu, for example, could ratchet up the consequences for non-compliance," he said.
"The EU-U.S. Data Privacy Framework comes out of the ruling unscathed, given the changed fact patterns, but the ruling on damages is a huge development."

1 year ago
52













English (US)