European Commission sued for violating EU’s data protection rules

A picture of the entrance of the headquarter of the European Commission in Brussels, Belgium. [Alexandros Michailidis/Shutterstock]

This story was updated to clarify the data protection rules applying to the European Commission.

The European Commission is to face a lawsuit over allegations it is violating its own data protection rules when transferring citizens’ personal data from one of its websites to the United States.

International data transfers across the pond were ruled illegal by the EU Court of Justice two years ago in the landmark Schrems II ruling, thus defining the interpretation of the EU’s General Data Protection Regulation.

The American jurisdiction was deemed to have inadequate data protection, as US intelligence services could access the personal data of EU residents disproportionally and with no judicial remedy.

The GDPR does not directly apply to the EU institutions, which are bound by a similar regulation, but the lawsuit is expected to extend the effect of the Schrems II ruling to them as well.

The suit was initiated by a German citizen who not only states the EU executive is illegally transferring data but claims it fails to disclose sufficient information on its data processing practices.

“The lawsuit against the European Commission is a signal for data protection in Europe,” says Thomas Bindl, founder of Europäische Gesellschaft für Datenschutz, the organisation supporting the plaintiff in the case.

“Even if a ruling by the General Court would not provide any direct guidelines for the jurisprudence in Germany, Spain or other countries, we see great significance in it. It would be a clear sign that everyone must adhere to the data protection requirements,” he added.

The litigation regards the website of the Conference of the Future of Europe, a conference meant to engage EU citizens in deciding the future of the bloc and its member states.

Amazon Web Services host the website, hence when registering for the event, personal data such as the IP address is transferred to the United States.

Moreover, the Commission’s website also allows users to log in via their Facebook accounts. The US-based social media has also been challenged for illegally transferring personal data to the US, and a complaint in this regard is currently being looked into by the Irish Data Protection Commissioner.

As the European Commission is the website’s operator, the plaintiff asked for information on how personal data is processed in two inquiries. According to the lawsuit, one of the inquiries was answered incompletely, and the other was not answered at all, violating the information rights under the data protection law.

Bindl told EURACTIV that if a restaurant or a bakery has to figure out a way to comply with the ban on data transfers to the United States, so does the European Commission, as there cannot be double standards.

EuGD initiated the lawsuit in parallel with filing a complaint before the European Data Protection Supervisor, the authority that has jurisdiction over the application of the data protection rules by EU institutions. However, the EDPS has put investigations on hold because a lawsuit is pending.

The European Data Protection Supervisor and the European Commission did not immediately respond to a request for comment.

The EU court’s verdict is expected to take between 12 and 18 months.

[Edited by Alice Taylor]

Subscribe to our newsletters

Subscribe