
First-of-Its-Kind Ruling: EU Court Ruling Holds European Commission Accountable for GDPR Violation

January 8, 2025

In a landmark ruling, the EU General Court has ordered the European Commission (EC) to pay damages to a German citizen for violating the bloc’s stringent GDPR data protection rules. According to Reuters, the case marks the first time the Commission has been held financially accountable for breaching its own data privacy regulations.

The court found that the European Commission unlawfully transferred the individual’s personal data to the United States without appropriate safeguards. Specifically, the breach occurred when the citizen used the “Sign in with Facebook” feature on the EU login portal to register for a conference. This action led to the transfer of the user’s IP address to Meta Platforms, the parent company of Facebook, in the U.S.

Per Reuters, the court ruled that the EC’s transfer violated Europe’s General Data Protection Regulation (GDPR), which sets strict guidelines on how personal data must be handled by both companies and public institutions. The GDPR is often hailed as one of the toughest privacy laws globally, holding organizations to high standards of accountability when processing personal data.

The court awarded the German citizen €400 ($412) in damages for the data breach. Although the financial penalty appears modest, the decision sets a significant precedent by demonstrating that EU institutions themselves are not above the regulations they enforce.

A spokesperson for the European Commission stated that the institution “takes note of the judgment” and will “carefully study the Court’s judgment and its implications.”

The ruling comes as several major tech companies, including Meta, Klarna, and LinkedIn, continue to face hefty fines for GDPR violations. The decision highlights the ongoing importance of data protection compliance for both private companies and public bodies in the EU.

According to Reuters, the case underscores the increasing scrutiny on data transfers between Europe and the U.S., particularly in light of ongoing debates over data privacy and security. The EU and U.S. have long been at odds over differing standards for data protection, with the EU’s GDPR setting a much higher bar for privacy safeguards.

Source: Reuters