The European Union has conducted its own investigation and found… an actual offense! For the first time in its history, the EU has been found guilty of violating its own privacy rules set out in the General Data Protection Regulation (GDPR) and will have to pay a fine, according to a ruling by the EU General Court.
The victim of the EU’s blatant disregard for the law was a German citizen who used the “Sign in with Facebook” option when registering for a conference on the European Commission’s website. When the user clicked on this button, data about his device, browser, and IP address were transmitted through a content delivery network operated by Amazon Web Services and eventually reached the servers of Facebook’s parent company, Meta Platforms, in the United States. The court ruled that this data transfer took place without adequate safeguards, which is a violation of the GDPR rules, and ordered the EU to pay a fine of 400 euros (about 412 USD) directly to the person who filed the lawsuit.
The GDPR, which makes every website now ask you if you want to accept cookies, has been a thorn in the side of tech companies since it first came into effect in 2018. A set of strict data privacy rules designed to regulate the amount of personal data companies can collect from users and give people more control over how their information is obtained and used, it has led to a number of large fines paid by tech companies, including Meta.
Last year alone, Meta was fined $1.3 billion for failing to ensure that European users’ data was adequately protected from U.S. intelligence agencies when it was transferred to servers in the United States. Previously, Meta was fined $417 million under the GDPR for violating the privacy of underage users on Instagram and $232 million for failing to disclose how it handles data on WhatsApp. While Meta is not the only one to receive these costly slaps on the wrist (Amazon received a $887 million fine in 2021, for example), it is fitting that the Facebook login option has caused the EU to conflict with itself.
Since its introduction, the GDPR has been somewhat controversial. It has undoubtedly made some headlines due to the large fines imposed on Silicon Valley giants. But enforcement can take forever – even the first self-imposed fine by the EU for a single individual’s privacy violation took more than two years to complete. More than three out of four data protection authorities complain of a lack of budget and staff to track breaches, and there is ample evidence that the Byzantine list of laws hasn’t really done much to curb the invasive practices of surveillance capitalism. The EU has work to do. Perhaps it can start by enforcing its own rules.
