EU ironically violates its own GDPR law, awards €400 in damages to German citizen

The EU General Court ruled that the European Commission unlawfully transferred personal data to the US without adequate safeguards.

As the document reveals, the court awards €400 in damages to a German citizen in this landmark case. The user had registered for the EU’s “GoGreen” event in 2022 using the “Sign in with Facebook” feature, leading to the transfer of their IP address to Meta Platforms, Facebook’s parent company.

“He (the individual) maintains that those transfers gave rise to a risk of his data being accessed by the US security and intelligence services. The Commission had not indicated any of the appropriate safeguards that might justify those transfers,” says the EU’s Court.

“The individual concerned suffered non-material damage, in that he found himself in a position of some uncertainty as regards the processing of his personal data, in particular of his IP address,” it adds further.

It was the first time that non-material damages were granted for data transfer violations under the EU’s stringent General Data Protection Regulation (GDPR).

The GDPR, implemented in 2018, gives users more control over their personal data and what Big Tech can store.

So far, many tech giants have been at the end of the stick from the EU. In 2023, Meta faced a €1.2 billion fine from Ireland’s regulators for violating GDPR by transferring user data from the EU to the US without adequate safeguards.

Then, in 2024, Uber was slapped with a €290 million fine from a Dutch regulator following complaints from 170 French drivers that the company mishandled their sensitive data, including account details, identity documents, and medical records.