[German]Big slap on the wrist for the EU Commission from the European Court of Justice. In proceedings before the ECJ, the Commission was ordered to pay damages to a German activist because the EU Commission had given data to Meta and thus transferred it to the USA.
Advertising
I came across the EU judgment T-354/22 issued on January 8, 2025 via the following BlueSky post, among others.
The judges from the European Court of Justice ruled that the EU Commission must pay damages to a German citizen (plaintiff) because it did not comply with data protection regulations (GDPR). The background was that the plaintiff from Germany, who is interested in IT and data protection, visited EU Commission websites in 2021 and then in March 2022 and logged in to a conference page of the EU Commission via his Facebook account or the "Log in with Facebook" option. The plaintiff discovered that data was allegedly transferred to Meta USA and Amazon Web Services (AWS).
The plaintiff then asked the Commission's Data Protection Officer for GDPR information regarding the data transmitted during the website visits. Secondly, the citizen asked to be informed which personal data concerning him had been processed or stored and which, if any, had been transferred to third parties. Thirdly, he asked to be informed of the legal basis for this transfer and any guarantees for the transfer of data to third countries without an adequate level of protection.
On December 3, 2021, the later plaintiff received information from the Commission's data protection officer. He could view the data collected via a link. In addition, the later claimant was informed that the personal data concerning him had not been transferred to recipients outside the European Union and would only be stored and processed on the website of the Conference on the Future of Europe.
Advertising
After several inquiries from the data subject were not answered comprehensively, the data subject brought an action against the EU Commission on June 9, 2022, as can be read in the text of the judgment. In the action, he requested,
- annul the transfers of personal data concerning him to third countries without an adequate level of protection that took place on March 30 and June 8, 2022.
- He also applied for a declaration that the Commission had unlawfully failed to take a position on his request for information of April 1, 2022.
- And he requested that the EU Commission be ordered to pay him 1,200 euros plus interest.
The damages should amount to 800 euros as compensation for the damage caused by the violation of his right to information and 400 euros as compensation for the non-material damage caused by the transfer of the personal data concerning him to third countries without an adequate level of protection. Furthermore, the applicant wanted the Commission to be ordered to pay the costs of the proceedings.
The EU Commission's application resulted in the action being declared null and void and the damages being dismissed and the plaintiff being ordered to pay the costs.
In the judgment, the EU Commission's application for "nullity" was rejected and the EU Commission was ordered to pay damages of EUR 400. The ECJ considered it proven that when registering under "EU Login" on the conference page on March 30, 2022, personal data relating to the plaintiff, in particular his IP address, was transferred to servers of the social network Facebook in the United States.
With the hyperlink "Sign in with Facebook", which is displayed on the "EU Login" website, the EU Commission has created the conditions for the transmission of the plaintiff's IP address to Facebook. At the time of registration, however, there was no adequacy decision by the EU Commission for a data transfer to the USA.
This adequacy decision was overturned by the ECJ and was only later (2023) replaced by a new decision (see European Commission adopts adequacy decision for EU-U.S. Data Privacy Framework) – which is now also being challenged before the ECJ. The ECJ lists the following decisions in the judgment:
- The action is dismissed as inadmissible as regards the application for annulment [of the data transfer to the USA].
- As regards the application for a declaration that the European Commission unlawfully failed to take a position on the applicant's request for information of April 1, 2022, there is no longer any need to adjudicate on the substance of the case.
- The Commission is ordered to pay the plaintiff EUR 400 as compensation for the non-material damage suffered. Further claims for damages are rejected.
The court orders the Commission to bear its own costs and to pay half of the applicant's costs. The applicant has to bear half of his own costs. Reuters has compiled the decision made be the Judge within this article.
Advertising
