E.U. Commission Fined for Transferring User Data to Meta in Violation of Privacy Laws

The European General Court on Wednesday fined the European Commission, the primary executive arm of the European Union responsible for proposing and enforcing laws for member states, for violating the bloc's own data privacy regulations.
The development marks the first time the Commission has been held liable for infringing stringent data protection laws in the region.
The court determined that a "sufficiently serious breach" was committed by transferring a German citizen's personal data, including their IP address and web browser metadata, to Meta's servers in the United States when visiting the now-inactive futureu.europa[.]eu website in March 2022.
The individual registered for one of the events on the site by using the Commission's login service, which included an option to sign in using a Facebook account.
"By means of the 'Sign in with Facebook' hyperlink displayed on the E.U. Login webpage, the Commission created the conditions for transmission of the IP address of the individual concerned to the U.S. undertaking Meta Platforms," the Court of Justice of the European Union said in a press statement.
The applicant had alleged that by transferring their information to the U.S., there arose a risk of their personal data being accessed by the U.S. security and intelligence services.
However, their accusation that the data was also transferred to Amazon CloudFront servers in the U.S. was dismissed after it was determined that the information was hosted on a server located in Munich, Germany. The website in question used Amazon's content delivery network (CDN).
"At the time of that transfer, on 30 March 2022, there was no Commission decision finding that the United States ensured an adequate level of protection for the personal data of E.U. citizens," the court said. "Furthermore, the Commission has neither demonstrated nor claimed that there was an appropriate safeguard, in particular a standard data protection clause or contractual clause."
This, the General Court said, amounted to a contravention of laws related to transfer of personal data by an E.U. institution, body, office or agency to a third country under Article 46 of Regulation 2018/1725.
As a result, the court has ordered the Commission to pay the individual €400 ($412), which they sought as compensation for the non-material damage they claimed to have sustained as a result of the data transfer.
Ivanti Flaw CVE-2025-0282 Actively Exploited, Impacts Connect Secure and Policy Secure
Critical RCE Flaw in GFI KerioControl Allows Remote Code Execution via CRLF Injection
CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
CVE-2022-43769 Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability
CVE-2022-43939 Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability
CVE-2018-8639 Microsoft Windows Win32k Improper Resource Shutdown or Release Vulnerability
CVE-2024-40890 Zyxel DSL CPE OS Command Injection Vulnerability
CVE-2024-49035 Microsoft Partner Center Improper Access Control Vulnerability
CVE-2017-0148 Microsoft SMBv1 Server Remote Code Execution Vulnerability
MediumRelative Path Confusion
InformationalModern Web Application
HighOut of Band XSS
InformationalCookie Slack Detector
Free online web security scanner