Transfer of German Man’s IP Address Wins Him 400 Euros
European privacy regulation – bane of American technology companies and a favorite cudgel of activists – came to haunt no less an organization than the European Commission, which must pay 400 euros to an aggrieved German national.
That’s per the Court of Justice of the European Union, which on Wednesday ordered the commission to open its pocketbook for Munich resident Thomas Bindl, who became peeved that Silicon Valley-based Facebook obtained his IP address. Bindl in March 2022 registered for a commission-hosted conference on the future of Europe using his Facebook account, selecting a login option offered by conference organizers.
At the time, Europe lacked a legal framework authorizing commercial data flows to the United States. Such frameworks, meant to guarantee European privacy rights even while data is stored outside the trade bloc, have sputtered out twice over the past decade in the face of opposition from privacy activists who convinced the Court of Justice of the European Union that they weren’t strict enough. The latest version is the EU-U.S. Trans-Atlantic Data Privacy Framework – and it already faces legal challenges. A top European official in 2022 gave it a “7 or 8 out of 10 chance” of surviving (see: EU-US Data Privacy Framework in Activist’s Crosshairs).
The turmoil has resulted in legal interregnums for commercial data flows, including in March 2022, following a July 2020 ruling by the CJEU invalidating EU-U.S. Privacy Shield, the second attempt at creating a lasting legal basis for trans-Atlantic commercial data flows. Bindl was likely more aware than the average European of the Privacy Shield’s fall, since he’s founder of the “European Society for Data Protection,” a service that refers victims of GDPR violations to attorneys in return for a chunk of the settlement.
The CJEU acknowledged in its judgment that Bindl could have chosen another way to register for the conference besides using his Facebook account, an argument made by European Commission attorneys. Trade bloc residents can create an “EU Login” account for accessing services and not depend on a third party, such as Facebook. If anybody initiated a transfer of data to Facebook, the commission argued, it was Bindl. The German man said Facebook received his IP address, which under European law is considered private data.
“The applicant claims to have lost control of his personal data that were transmitted to Facebook and to have been deprived of his rights and freedoms,” justices wrote.
As for the commission’s contention that Bindl could have eschewed Facebook, justices wrote that “the commission created the conditions for the applicant’s IP address to be transmitted to Facebook.”
The commission did not immediately respond to a comment request. Information Security Media Group could not immediately reach Bindl.
Bindl also claimed to have lost his rights and freedoms due to the commission’s use of Amazon Web Services as a content delivery network to host the website, but justices turned him down. Although Amazon Web Services is an American company, the Amazon server that received Bindl’s personal data – including his “opinions of the future of Europe” – was located in Munich.