EU Commission Sued Over Alleged Transatlantic Data Breach to the US

An EU court hearing is expected next spring

The government body of the European Union, the European Commission, is facing a lawsuit over an alleged data breach related to transferring personal data from Europe to the U.S.

The lawsuit, now admitted by the General Court of the European Union (EGC), alleges the use of Amazon Web Services, the use of Facebook login on a Commission website, and an incomplete and omitted disclosure to EU citizens.

“It seems quite unfair that businesses in the EU have to work with Schrems II and figure out how to be compliant, while the European Commission doesn’t apply the rules on their own websites,” Thomas Bindl, founder of Europäische Gesellschaft für Datenschutz (EuGD) and the person behind the lawsuit, told Adweek.

Europe is setting global privacy standards with tightening regulations, some applicable to both EU and non-EU countries. The strict law goes to show how even government sites are not immune and risk illegal data transfers.

The lawsuit alleges that the Conference of the Future of Europe website committed a data breach when registering people for an event. The site used the hosting service Amazon Web Services, which automatically transferred personal information such as the IP address to the U.S.

This would be a violation of the landmark Schrems II ruling issued in July 2020 that prevents businesses from carrying out basic data transfers to non-EU countries.

Furthermore, the EU Commission’s website allegedly let users log in through their Facebook accounts, hence violating Schrems II again.

Although neither Facebook nor Amazon is part of the lawsuit, Bindl assumes that the EU Commission will include documents from Amazon in its response.

“We expect a statement of defense by end of September and a court hearing next spring,” said Bindl.

Outside this case, Facebook has been challenged for illegally transferring personal data to the U.S. and is currently being looked into by the Irish Data Protection Commissioner.

Spirit Legal, a Germany-based law firm, supports EuGD in the lawsuit.

“We see in many similar proceedings in Germany that courts still have considerable difficulties in correctly applying and enforcing the provisions of the GDPR, which is why such lawsuits sometimes get stuck in the first instance for several years,” Tilman Herbrich, a lawyer at Spirit Legal, who prepared and filed the lawsuit, said in a statement.

This is not in line with the legislator’s intention, which calls for an effective judicial remedy, he added.