In a first, EU Court fines EU for breaching own data protection law

www.reuters.com /world/europe/first-eu-court-fines-eu-breaching-own-data-protection-law-2025-01-08/

15 comments

If I get this correctly, this outcome will speed-up and strengthen privacy protection .
Am not sure how to read what happened though; whether the EU gave Meta the info, or that the data was handed automatically to Meta because the citizen enrolled via Facebook. Either way.the EU should have safeguarded the citizen's privacy, it seems.

That's what the Rule of Law looks like 🤷‍♀️

Question: What happens when the EU fines itself? Like who pays money to who?
- The EU pays damages to some German guy, since their government site transferred his data to Facebook without permission.

TLDR: On the web-pages of the European Commission, you could sign up for an event. There existed the option to sign up with Facebook. On one occasion, this lead to a connection with servers in the US. That is interpreted as a transfer of personal data. Since this is a transfer of personal data outside the EU, beyond the reach of the GDPR, which requires special handling. (I'm not sure why this request was routed via the US.)
This is probably surprising to many. There is a myth out there that it is enough not to collect personal data. But you also are responsible if data is collected by other parties to which you link on a site. This is a potential problem for Lemmy instances. Of course, instances also share data via federation, which should not be done without a contract, especially outside the EU.

Press release from the court with link to full judgement: https://curia.europa.eu/jcms/upload/docs/application/pdf/2025-01/cp250001en.pdf
- Tnx , I found it helpful:
  tl;dr : The EU must safeguard under all circumstances the privacy of EU citizens and should do so actively.
  " However, as regards that person’s registration for the ‘GoGreen’ event, the General Court finds that, by means of the ‘Sign in with Facebook’ hyperlink displayed on the EU Login webpage, the Commission created the conditions for the transmission of his IP address to Facebook. That IP address constitutes personal data which, by means of that hyperlink, were transmitted to Meta Platforms, an undertaking established in the United States. That transfer must be imputed to the Commission.
  At the time of that transfer, on 30 March 2022, there was no Commission decision finding that the United States ensured an adequate level of protection for the personal data of EU citizens. Furthermore, the Commission has neither demonstrated nor claimed that there was an appropriate safeguard, in particular a standard data protection clause or contractual clause. 5 The displaying of the ‘Sign in with Facebook’ hyperlink on the EU Login website was entirely governed by the general terms and conditions of the Facebook platform. The Commission did not, therefore, comply with the conditions set by EU law for the transfer by an EU institution,body, office or agency of personal data to a third country.
  
  That's not how I would sum it up. You understand that lemmy is also in violation, yes?

Makes me wonder where the fines go to 🤔

15 comments