European Commission Fined by EU Court for Breaching Own Regulations, Sending Data to Meta

• A European court ordered the European Commission to compensate a German citizen financially.
• The General Court found that the Commission did not follow its one set of data privacy regulations.
• The entity's website transferred user data to Meta via the API login the user chose. 

The European Commission (EC) was fined for privacy violations after a German citizen who takes an interest in matters of IT and the protection of personal data raised a dispute. A European court ruled that the EC failed to comply with its own regulations. 

Thomas Bindi, the applicant seeking redressal in the case, accused the EC of infringing his right to protect his private data. 

Bindi felt compelled to take matters into his own hands when he could not find a satisfactory response from the data protection officer of the Commission over email, the Court document read. Following the court’s judgment, the EC was ordered to pay Bindi a sum of €400 (around $410).

The incident dates back to 2021 and 2022 when Bindi tried to access the website of the Conference on the Future of Europe. The website was managed by the EC, a report by the Court of Justice of the European Union said. 

Bindi was looking to register for the ‘GoGreen’ event through the website using the option to sign in using Facebook. Upon doing so, his details were exposed to entities in the United States. He further added that his personal information, namely IP address, browser, and terminal data, were processed by Amazon Web Services. 

Amazon worked as the operator of the content delivery network Amazon CloudFront. The individual alleges his information was sent to US-based Meta Platforms, Inc. during his session.

Addressing Bindi’s complaints, the Court said, ”The displaying of the ‘Sign in with Facebook’ hyperlink on the EU Login website was entirely governed by the general terms and conditions of the Facebook platform.”

During the transfer of information on 30 March 2022, the Court found that there was no certainty whether the United States had a proper mechanism protecting the personal data of EU citizens, nor were there enough checks or contractual clauses in place by the Commission for the same.