On Wednesday, the European General Court imposed a fine on the European Commission, the E.U.'s key executive body responsible for proposing and enforcing E.U. law, for breaching the bloc's own stringent data privacy regulations. The ruling is a significant first: it holds the Commission itself accountable for violating the data protection rules that apply within the region.
The court found that a “sufficiently serious breach” had occurred when personal data, including the IP address and web browser metadata of a German citizen, was transferred to Meta’s servers in the United States while the citizen was accessing the now-defunct futureu.europa.eu website in March 2022. The user had registered for an event via the Commission’s login service, which offered the option of signing in with a Facebook account.
The Court of Justice of the European Union highlighted that, by including a “Sign in with Facebook” link on the E.U. Login page, the Commission caused the individual’s IP address to be sent to Meta Platforms in the U.S. The applicant argued that the transfer of their personal information could expose them to surveillance by U.S. security and intelligence agencies.
However, the court dismissed the separate claim that data had been sent to Amazon CloudFront servers in the U.S., noting that although the website used Amazon’s content delivery network (CDN), the data in question was actually served from a server in Munich, Germany.
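The two findings above turn on the same technical question: which third-party origins does a page cause the visitor's browser to contact, and which of those contacts actually carry personal data abroad? The following script is an added example, not code from the article or from the Commission's login service. It parses a login page's HTML and separates resources the browser fetches automatically on render (scripts, images, iframes, stylesheets), which disclose the visitor's IP address and request metadata to that origin without any click, from links and form targets that are only contacted on user interaction. The sample page and every hostname in it are constructed placeholders. A static audit of this kind only tells you which origins are referenced; as the CloudFront point in the ruling shows, where the data is actually processed has to be established separately, and resources injected by JavaScript at runtime need a browser-level capture (for example a HAR file) to be seen.

```python
"""Audit an HTML page for resources that make the visitor's browser contact
third-party origins. Added example with a constructed sample page; all hosts
are placeholders, none is a real service."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag/attribute pairs the browser fetches as soon as the page renders.
# <link href> is treated conservatively as fetched (stylesheets, preconnect,
# dns-prefetch all open a connection), even though some rel values do not.
AUTO_LOAD = {
    ("script", "src"), ("img", "src"), ("iframe", "src"),
    ("link", "href"), ("source", "src"), ("video", "src"), ("audio", "src"),
}
# Tag/attribute pairs that only contact the origin on a click or submit.
ON_INTERACTION = {("a", "href"), ("form", "action")}


class ThirdPartyAuditor(HTMLParser):
    """Collects third-party origins, bucketed by how they are reached."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party = first_party_host.lower()
        self.auto_loaded = {}      # origin -> set of tags that fetch it
        self.on_interaction = {}   # origin -> set of tags that link to it

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases tag and attribute names
        for (t, a) in AUTO_LOAD:
            if tag == t and attrs.get(a):
                self._record(self.auto_loaded, attrs[a], tag)
        for (t, a) in ON_INTERACTION:
            if tag == t and attrs.get(a):
                self._record(self.on_interaction, attrs[a], tag)

    def _record(self, bucket, url, tag):
        parsed = urlparse(url.strip())
        host = parsed.hostname
        if host is None:
            # Relative URL, data: URI, javascript:, mailto: ... stays first-party.
            return
        host = host.lower()
        if host == self.first_party or host.endswith("." + self.first_party):
            return
        # Protocol-relative "//host/path" has no scheme; assume https.
        origin = f"{parsed.scheme or 'https'}://{host}"
        bucket.setdefault(origin, set()).add(tag)


def audit(html, first_party_host):
    """Return (auto_loaded, on_interaction): origin -> sorted list of tags."""
    auditor = ThirdPartyAuditor(first_party_host)
    auditor.feed(html)
    auditor.close()

    def as_dict(bucket):
        return {origin: sorted(tags) for origin, tags in sorted(bucket.items())}

    return as_dict(auditor.auto_loaded), as_dict(auditor.on_interaction)


# Constructed sample login page; hostnames are placeholders.
SAMPLE_LOGIN_PAGE = """<!doctype html>
<html><head>
  <link rel="stylesheet" href="/static/login.css">
  <script src="/static/login.js"></script>
  <script src="//tag.analytics-vendor.example/collect.js"></script>
</head><body>
  <form action="/auth" method="post">
    <img src="https://cdn.assets.example/logo.png" alt="">
    <input name="user"><input name="pass" type="password">
  </form>
  <a href="https://sso.social-provider.example/start?next=https://login.example.eu/">
    Sign in with a social account</a>
  <a href="/help">Help</a>
</body></html>"""


if __name__ == "__main__":
    auto, on_click = audit(SAMPLE_LOGIN_PAGE, "login.example.eu")
    print("Contacted on every page load (IP disclosed without a click):")
    for origin, tags in auto.items():
        print(f"  {origin}  via {', '.join(tags)}")
    print("Contacted only on user interaction:")
    for origin, tags in on_click.items():
        print(f"  {origin}  via {', '.join(tags)}")
```

Run against a real page, the first bucket is the one to reconcile against your transfer records first: every origin listed there receives the visitor's IP address on each page view, whether or not the visitor ever uses the third-party sign-in.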
At the time of the data transfer on March 30, 2022, there was no Commission decision confirming that the U.S. provided an adequate level of personal data protection for E.U. citizens. Nor did the Commission demonstrate or even assert that appropriate safeguards, such as standard data protection clauses or contractual clauses, were in place. The court ruled that the transfer therefore contravened Article 46 of Regulation 2018/1725, which governs transfers of personal data by an E.U. institution to a third country.
Consequently, the General Court ordered the Commission to pay the individual €400 ($412) for the non-material damage they claimed to have suffered as a result of the transfer. The ruling underscores the growing scrutiny of data handling practices as data privacy regulation tightens globally.
In July 2023, the E.U. established a new mechanism for personal data transfers to the U.S., the E.U.-U.S. Data Privacy Framework, intended to allow personal data to flow across the Atlantic lawfully after the previous Privacy Shield agreement was invalidated.
This case shows that data privacy compliance is not only a question of where an organization stores its own records: a third-party link or resource embedded in a page can by itself amount to an international transfer of personal data. Organizations should review which third-party origins their pages cause visitors' browsers to contact, and under which legal basis each of those transfers takes place, as the regulatory landscape continues to evolve. Familiarity with the MITRE ATT&CK framework, including its initial access and data exfiltration tactics, can further help in anticipating and addressing related cybersecurity threats.