EU fines itself for breaching its own data privacy law

The European Union is investigating itself and has found… actual violations! For the first time, the EU has been found to have breached its own privacy rules set out by the General Data Protection Regulation (GDPR) and will have to pay a fine of decision by the General Court of the EU.

The victim of the EU’s flagrant disregard for the law was a German citizen who used the “Log in with Facebook” option when registering for a conference through the European Commission’s webpage. When a user clicks this button, data about their device, browser and IP address is transferred through a content delivery network operated by Amazon Web Services and eventually finds its way to servers operated by Facebook’s parent company Meta Platforms in the United States states. The court found that this data transfer was carried out without adequate safeguards, which was a violation of GDPR rules, and the EU was ordered to pay a fine of 400 euros (about $412) directly to the person who brought the case.

GDPR, the reason every website now asks if you want to accept cookieshas been a thorn in the side of tech companies since it first came into force in 2018. The set of strict data privacy rules designed to regulate the amount of personal data companies can collect from consumers and give people more control over how their information is accessed and used has been the impetus for a number of large fines paid by large tech companies – especially Meta.

Just last year Meta got fined $1.3 billion for failing to adequately protect European users’ data from US intelligence agencies when transferring the data to US servers. Meta was previously hit with a $417 million fine under the GDPR rules for violating the privacy of minor users on Instagram and 232 million dollars for failing to transparently disclose how it handles WhatsApp data. Although Meta isn’t alone in getting these slightly expensive slaps on the wrist (Amazon got a $887 million fine in 2021, for example), it’s fitting that it was a Facebook login option that got the EU into hot water with it.

GDPR has been a bit of a mixed bag since its introduction. It certainly grabbed some headlines with big fines targeting the Silicon Valley giants. But enforcement can take forever – even the EU’s first self-imposed fine for breaching a person’s privacy took more than two years to process. More than three out of four data protection authorities have he complained of the lack of budget and staff to track violations, and there is much evidence to suggest that the byzantine list of laws is not much has actually been done to curb the invasive practices of surveillance capitalism. The EU has work to do. Maybe it can start by following its own rules.