Court orders European Commission to pay fine for violating EU’s own data privacy rules

For the first time, the European General Court on Wednesday fined the European Commission for violating the EU’s own data privacy rules.

The court said that when the commission transferred a German citizen’s personal data to the U.S. without appropriate protections it violated data processing rules set by the bloc.

The relatively small fine — €400 or about $412 — will be paid directly to the German citizen who brought the case.

The court concluded that the action constituted a “sufficiently serious breach” of the rules, warranting the financial penalty.

The incident that spurred the case occurred when the German citizen signed up for a conference by the commission via a Facebook sign-in option on the event’s website in 2022. The commission is the executive arm of the EU.

The German alleged that his digital privacy rights were infringed upon because data about his device, browser and IP address were sent to Amazon, the website host and Meta, Facebook’s parent company. 

The court’s decision was first reported by Reuters, which described the ruling as the first of its kind.

The European Commission did not respond to a request for comment.

Correction: A previous version of this story stated that the European Commission’s actions violated the General Data Protection Regulation.