A German activist is set to receive €400 ($412) after calling out the European Commission for failing to adhere to its own data protection regulation and allowing personal data to be transferred to Meta’s servers in the U.S.
The European General Court said on Wednesday, Jan. 8, that it had fined the European Commission for a “serious breach,” marking the Commission’s first-ever General Data Protection Regulation (GDPR) fine.
In March 2022, Thomas Bindl, a Munich resident, registered for an EU-hosted conference using his Facebook (now Meta) account, an option offered by the conference.
Bindl’s IP address, which was classified as private data under European law, was sent to Meta’s servers in the U.S.
Bindl argued that sending his IP address to Facebook deprived him of control over his personal data and violated his rights under the EU’s GDPR.
The European Commission’s lawyers argued that Bindl had the option to register using the EU Login system, thereby avoiding Facebook entirely.
However, the justices concluded that by offering Facebook as a login option, the Commission facilitated the transmission of Bindl’s data and failed to protect his privacy.
“By means of the ‘Sign in with Facebook’ hyperlink displayed on the EU Login webpage, the Commission created the conditions for transmission of the IP address of the individual concerned to the U.S. undertaking Meta Platforms,” the Court of Justice of the European Union said.
However, the Court of Justice of the European Union (CJEU) did dismiss Bindl’s separate claim regarding the EU’s use of Amazon Web Services (AWS).
Bindl, the founder of the European Society for Data Protection, argued that his data and “opinions of the future of Europe” were transmitted to a U.S. company.
However, the court noted that the specific AWS server involved was located in Munich, ensuring compliance with European data protection laws.
Over the past decade, the EU and the U.S. have attempted to create agreements allowing data to flow between them while respecting the EU’s stringent privacy protections.
However, the CJEU has invalidated these agreements—first the Safe Harbor Framework in 2015 and then the EU-U.S. Privacy Shield in 2020.
The court found that U.S. surveillance laws failed to adequately protect European citizens’ data, as required by the region’s GDPR policy.
Without regulatory clarity, organizations looking to balance operational needs and data protection compliance have faced increased risks of fines and disruptions.
Major companies such as Meta and Klarna have suffered hefty fines from the EU for non-compliance with GDPR, which is considered to be the world’s strictest privacy law.
The contrast between Europe’s strong privacy protections and America’s flexibility continues to create friction in international trade and cross-border development.