The EU Fined Itself for Breaking Its Own Data Privacy Law


The European Union has investigated itself and found…actual wrongdoing! For the first time ever, the EU has been found to have violated its own privacy rules established by the General Data Protection Regulation (GDPR) and will have to pay a fine, per a ruling handed down by the EU General Court.

The victim of the EU’s brazen disregard for the law was a German citizen who used the “Sign in with Facebook” option when registering for a conference through a European Commission webpage. When the user clicked that button, data about their device, browser, and IP address were transferred through a content delivery network managed by Amazon Web Services and eventually found their way to servers operated by Facebook’s parent company Meta Platforms in the United States. The court determined this transfer of data took place without proper safeguards, which amounts to a breach of GDPR rules, and the EU was ordered to pay a fine of €400 (about $412) directly to the person who brought the case.

GDPR, the reason that every website now asks you if you’d like to accept cookies, has been a thorn in the sides of tech companies since first going into effect back in 2018. The set of stringent data privacy rules designed to regulate the amount of personal data that companies can collect from users and give individuals more control over how their information is accessed and used has been the impetus for a number of major penalties paid out by Big Tech firms—particularly Meta.

Just last year, Meta got slapped with a $1.3 billion fine for failing to sufficiently protect the data of European users from American intelligence agencies when transferring the data to US servers. Previously, Meta got hit with a $417 million fine under GDPR rules for violating the privacy of underage users on Instagram and $232 million for failing to transparently disclose how it processes WhatsApp data. While Meta isn’t alone in getting these slightly pricey wrist slaps (Amazon got itself an $887 million penalty in 2021, for example), it’s fitting that it was a Facebook login option that got the EU in hot water with itself.

GDPR has been a bit of a mixed bag since its implementation. It’s undoubtedly grabbed some headlines with major fines aimed at Silicon Valley giants. But enforcement can take forever—even the EU’s first self-imposed fine for violating one person’s privacy took over two years to process. More than three in four data protection authorities have complained of a lack of budget and personnel to track down violations, and there is plenty of evidence to suggest that the byzantine list of laws has not actually done much to curb the invasive practices of surveillance capitalism. The EU has some work to do. Maybe it can start by following its own rules.


