In a landmark decision, the General Court of the European Union ordered the European Commission to pay €400 in damages to a German citizen. The case centered on the transfer of personal data, including the individual’s IP address, to the United States via the “Sign in with Facebook” option on the EU Login service.
What Happened?
The citizen had registered for an event through the Commission’s website and used the Facebook login option. This led to their personal data being transferred to Meta Platforms (Facebook) in the U.S. without proper safeguards in place. At the time, the U.S. wasn’t recognized as providing an adequate level of data protection under EU law.
The Court found that the Commission had breached EU data protection rules by enabling the transfer without taking the necessary precautions, leaving the individual uncertain about how their data was being handled.
Why This Matters for Businesses
This ruling is a wake-up call for any organization processing data of EU citizens:
- Check Your Login Options: If you offer third-party login methods, make sure they comply with GDPR rules.
- Be Careful with Data Transfers: Moving personal data outside the EU requires strict safeguards. Without them, you could face penalties or lawsuits.
- Protect User Trust: Even minor breaches, like transferring an IP address without consent, can lead to legal and reputational damage.
This case highlights how serious the EU is about data privacy. If your business handles EU citizen data, now’s the time to ensure your processes are fully compliant.