Search Articles
(CN) — The EU’s second highest court on Wednesday ordered Brussels to pay a German citizen 400 euros in damages after the European Commission allowed his IP address to be shared with Facebook’s operations in the United States when he registered for the ‘Conference on the Future of Europe.’
The General Court found that the EU’s executive body had not complied with data privacy laws when it allowed participants to use their Facebook accounts to register for the conference without safeguarding their personal information.
Thomas Bindl used the ‘Sign in with Facebook’ link to sign up for an environmental event at the 2022 conference, organized by the commission. Later he discovered his information had been shared with tech giants Microsoft and Amazon without sufficient safeguards.
In 2023, the EU reached an agreement with the United States to ensure personal data transferred to the U.S. would be given the same level of protection as it was guaranteed within the bloc.
But when the privacy activist signed up for the “GoGreen” event in 2022, there was no agreement and the EU had a legal obligation to protect his data. His information was shared with Facebook’s parent company, Meta, inside the U.S.
“The Commission committed a sufficiently serious breach of a rule of law that is intended to confer rights on individuals,” the Luxembourg-based court wrote.
The General Data Protection Regulation came into effect in 2018 and forbids the transfer of personal data outside the European Union. It also requires any organization that collects data to adhere to the regulation’s strict data privacy rules.
In a landmark 2015 ruling, the highest EU court found that U.S. data protection was inadequate, gutting the U.S.-EU data-sharing pact, in the wake of the NSA spying scandal uncovered by whistleblower Edward Snowden.
The decision, now known as Schrems I after the Austrian privacy activist Max Schrems who brought the complaint, forced tech companies like Facebook to switch to standard contractual clauses (SCC), which allow users to give permission to transfer their data outside of the EU.
“In the present case, the Commission has not demonstrated, or even claimed, that there is an appropriate safeguard, such as a standard data protection clause or a contractual clause,” the five judge panel wrote.
“We are currently reviewing the verdict and will then provide an initial assessment,” Bindl said in a statement posted to social media. His organization, Europäische Gesellschaft für Datenschutz, has brought a number of privacy complaints against tech companies, including Amazon.
Bindl requested 400 euros ($411) for non-material damages for the data privacy breach, which the court awarded.
The court dismissed another part of the complaint over the EU’s failure to respond to his requests for information in a timely manner.
Both parties have two months to appeal the decision.
Follow @mollyquellSubscribe to our free newsletters
Our weekly newsletter Closing Arguments offers the latest about ongoing trials, major litigation and rulings in courthouses around the U.S. and the world, while the monthly Under the Lights dishes the legal dirt from Hollywood, sports, Big Tech and the arts.