The Business & Technology Network
Helping Business Interpret and Use Technology

European Commission Fined For Violating Its Own Data Protection Rules; Also Found To Have Used Privacy-Violating Ads

DATE POSTED: January 22, 2025

Love it or loathe it, there’s no denying that the EU’s General Data Protection Regulation (GDPR) is the most important piece of data protection law around. GDPR stories are often about big, bad companies failing to respect the legislation, but there’s a small but amusing group of incidents in which the EU itself has been caught violating its own privacy laws.

Shortly after the GDPR came into force on 25 May 2018, somebody noticed that the European Parliament’s Web site was not compliant. A few days later, it was discovered that the European Commission breached its own rules — they went on to claim that the GDPR didn’t actually apply to them in the same way that it did for everyone else. The European Commission did eventually bring in an equivalent set of rules for EU institutions, but conveniently ones with lower fines.

Those rules were put to the test in July 2022, when someone in Germany complained that the European Commission had infringed on his right to data protection when he visited a Web site of the Conference on the Future of Europe, managed by the Commission, in 2021 and 2022. The complainant had registered for an event using his Facebook account to sign in. Here’s why that was a problem under the GDPR (pdf), as explained by the General Court of the Court of Justice of the European Union (CJEU), the top EU court that deals with legal issues involving EU bodies:

as regards that person’s registration for the ‘GoGreen’ event, the General Court finds that, by means of the ‘Sign in with Facebook’ hyperlink displayed on the EU Login webpage, the Commission created the conditions for the transmission of his IP address to Facebook. That IP address constitutes personal data which, by means of that hyperlink, were transmitted to Meta Platforms, an undertaking established in the United States. That transfer must be imputed to the Commission.

At the time of that transfer, on 30 March 2022, there was no Commission decision finding that the United States ensured an adequate level of protection for the personal data of EU citizens. Furthermore, the Commission has neither demonstrated nor claimed that there was an appropriate safeguard, in particular a standard data protection clause or contractual clause. The displaying of the ‘Sign in with Facebook’ hyperlink on the EU Login website was entirely governed by the general terms and conditions of the Facebook platform.

As that notes, at the time, in March 2022, there was no legal framework that protected the personal data of EU citizens when it was sent to the US. The previous frameworks — Safe Harbor and Privacy Shield — had been struck down by the CJEU in 2015 and 2020 respectively. The current EU–US Data Privacy Framework did not come into force until July 2023. As a result:

The General Court finds that the Commission committed a sufficiently serious breach of a rule of law that is intended to confer rights on individuals. The individual concerned suffered non-material damage, in that he found himself in a position of some uncertainty as regards the processing of his personal data, in particular of his IP address. There is, moreover, a sufficiently direct causal link between the Commission’s infringement and the non-material damage sustained by the individual concerned.

Since the conditions for establishing the European Union’s non-contractual liability are satisfied, the General Court orders the Commission to pay the individual concerned the sum of €400 claimed.

The fine of €400 (about $410) doesn’t even count as a slap on the wrist – more of a light tickle. The most interesting aspect of the whole saga — apart from the schadenfreude at seeing the European Commission fined for violating its own laws — concerns the key issue of transatlantic data transfers. Although the EU–US Data Privacy Framework is still in place, which means that transatlantic data flows are legal provided its requirements are met, there’s still the possibility that it will be overturned by the CJEU, just like its two predecessors were. The person mostly responsible for the previous frameworks being thrown out, Max Schrems, said in July 2023 that his organization, Noyb, would challenge the new framework in the courts, but nothing seems to have happened yet. However, Noyb has recently notched up a privacy win over the European Commission in a different matter, explained here on its Web site:

The EDPS (European Data Protection Supervisor) has issued a decision finding that the European Commission has illegally targeted advertising at citizens using “sensitive” personal data on their political views.

Specifically:

EU Commission tried to influence political views in the Netherlands. In the contentious fight over the heavily criticised chat control regulation (a proposed EU law that could undermine all encrypted online communication to allow authorities to read online chats), the European Commission has identified the Netherlands as a Member State that they wanted to politically influence. In an attempt to “flip” the views in the Netherlands, the Commission went to X/Twitter and made posts indirectly promoting this regulation.

Political Targeting on X/Twitter. However, the European Commission did not only post these political messages, but also targeted users who weren’t interested in keywords like: #Qatargate, brexit, Marine Le Pen, Alternative für Deutschland, Vox, Christian, Christian-phobia or Giorgia Meloni. The clear intention was to only target politically liberal or left users, but not conservative or right-wing users. Advertisers often use so-called “proxy data” (so data closely associated with political thinking) to target political views. By doing so, the European Commission has clearly triggered the processing of personal data of EU citizens to target them with ads.

Fortunately, the attempt to influence people’s views in the Netherlands failed. This abuse of microtargeted advertising for political purposes is clearly rather more serious than the sending of some personal data across the Atlantic, even if only the latter attracted a (token) fine. Noyb’s win shows how the GDPR, for all its flaws, can still be a useful weapon for highlighting privacy abuse by the authorities, in this case as part of an attempt to push through the extremely contentious “chat control” legislation using dirty tricks.

Follow me @glynmoody on Bluesky and on Mastodon.