EU Commission Liable for Breaching EU’s Own Data Protection Rules
The EU Commission has been found liable for breaching the EU’s own data protection rules in a landmark ruling that could open the door to class action lawsuits in the region.
In a civil litigation action brought by an EU citizen living in Germany, the General Court of the EU found that the Commission infringed the individual’s right to the protection of their personal data by transferring their details to recipients in the US.
At the time of the data transfer it could not be ensured that the US had an adequate level of protection for the personal data of EU citizens.
This was the result of a Court of Justice of the European Union (CJEU) ruling in the ‘Schrems II’ case in 2020, which invalidated the Privacy Shield data transfer scheme over concerns that EU citizens’ data could be accessed by US security and intelligence agencies.
At the time of the data transfer relating to the citizen, on March 30, 2022, personal data transfers between the EU and US were unlawful in the absence of appropriate safeguards, such as a standard data protection clause.
The Commission failed to demonstrate that any such safeguards were in place, the court found.
“The Commission did not, therefore, comply with the conditions set by EU law for the transfer by an EU institution, body, office or agency of personal data to a third country,” the General Court noted in its ruling.
In 2023, the EU adopted a new personal data transfer mechanism with the US, enabling the free flow of personal data between the two regions without additional safeguards.
What the Case Was About
The case goes back to 2021 and 2022, when the citizen living in Germany visited the website of the Conference on the Future of Europe, which is managed by the Commission.
Specifically, he had registered for the ‘GoGreen’ event through that website using the Commission’s EU Login authentication service, having selected the option of signing in using his Facebook account.
He claimed that during his visits to that website, his personal data, including his IP address and information about his browser and terminal, were transferred to the US undertaking Amazon Web Services (AWS) in its capacity as operator of the content delivery network Amazon CloudFront. The network was used by the Commission website.
In addition, when he registered for the ‘GoGreen’ event using his Facebook account, his personal data were transferred to the US undertaking Meta Platforms, Inc.
The CJEU found the Commission not liable for the transfer of data to the US undertaking AWS, as the contract between the Commission and AWS determined that the cloud platform was required to ensure that data remained, at rest and in transit, in Europe.
However, the Commission was liable for the data transferred to Meta from the individual’s registration for the ‘GoGreen’ event. This is because, by means of the ‘Sign in with Facebook’ hyperlink displayed on the EU Login webpage, the Commission created the conditions for the transmission of his IP address to Facebook.
“That transfer must be imputed to the Commission,” the court stated.
The court awarded €400 ($412) in compensation to the claimant for non-material damage suffered as a result of the transfer of his IP address to the US.
“The General Court finds that the Commission committed a sufficiently serious breach of a rule of law that is intended to confer rights on individuals,” the ruling stated.
However, the court dismissed the claimant’s application to annul the transfer of his personal data, as well as his claim for €800 ($824) in compensation for the non-material damage which he claimed to have sustained as a result of the infringement of his right of access to information.
Ruling Could Lead to “Flood of Complaints”
Despite the small sum of compensation involved in this case, the ruling is expected to be highly consequential, being the first award of damages for unlawful data transfers.
Joe Jones, Research & Insights Director at the International Association of Privacy Professionals (IAPP), described the ruling as a “dam-bursting moment that will catalyze a flood of complaints.”
Jones said he expects to see a number of US-style class action complaints relating to personal data transfers now take place in the EU, reshaping the data protection landscape.
“Having been buffeted and bruised by the blows of regulatory enforcement, organizations will be bracing harder than ever for a new era under the General Data Protection Regulation (GDPR): litigation,” he said.
Responding to the ruling on X (formerly Twitter), privacy campaigner Max Schrems, who brought the Schrems II case that deemed the EU-US Privacy Shield arrangement unlawful, noted it sets an EU benchmark for non-material damages.