European Commission hit by EU court fine after breaking own data privacy rules

(Image credit: Shutterstock.com)

European Commission fined for breaking GDPR
EU General Court levies fine for failing to protect EU data
A German citizen was paid 400 euros

The European Commission has been forced to pay a 400 euro ($412) fine to a German citizen for breaking its own data protection regulations.

The German citizen used a “Sign in with Facebook” option on an EU conference registration page which subsequently sent information on the citizens’ IP address, web browser, and device to Meta Platforms and Amazon in the US.

The EU General Court concluded the European Commission had transferred personal data to the United States without proper safeguards, violating the EU’s stringent General Data Protection Regulation (GDPR).

You may like

"The Commission takes note of the judgment and will carefully study the Court's judgment and its implications," a Commission spokesperson said (via Reuters).

The European Union has some of the strongest privacy protections in the world, with GDPR imposing rules on any organization that collects or manages personal data of EU citizens, with the ability to fine the organization up to 4% of their annual turnover in the event that they breach the regulations.

In 2024, Meta was hit by a $263 million fine for breaching GDPR in the 2018 Facebook data breach when the data on three million EU citizens was stolen by attackers who abused a bug in the “View as” profile function to steal access tokens and take over accounts.

Meta, continuing its string of annual GDPR violations, was also hit by a record $1.3 billion fine in 2023 for transferring EU data to the US, and a $259 million fine in 2022 for failing to protect the data of more than half a billion Facebook users.

The US does not have any principal data privacy regulations, with privacy regulations varying from state to state. The EU has been debating a key piece of legislation, known as the EU Cybersecurity Certification Scheme (EUCS), since 2020.

This legislation would provide a label to cloud computing companies that follow robust cybersecurity and privacy regulations, enabling them to process EU data outside of the bloc provided they safeguard the data to the same level required inside the EU.

These are the best anonymous browsers
Take a look at our guide to the best VPN
Trump unveils $20 billion plan to build more US data centers

TOPICS

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.