Blog

EU Fines EU?!: Alleged Unlawful Data-Transfer Dust-Up

Written by Liisa M. Thomas
February 3, 2025
Estimated Read Time: 2 mins
As seen in

Following a German case brought against the EU Commission, the EU General Court found that the Commission had made an improper transfer of personal information to the US. The plaintiff, a German citizen, alleged (among other things) that his information was sent through the EU Commission’s website to the US through an automated social media login option when he registered for a Commission event. He further alleged that this violated the government-agency equivalent of GDPR (EUDPR), as it occurred during a period in time when the Privacy Shield had been found inadequate, and the replacement program was not yet in place.

The court noted that the Commission, in making the transfer, relied only on website terms for the US data recipient. It did not enter into a contract that included standard contractual clauses or otherwise have “appropriate safeguard[s].” The court ordered the Commission to pay the individual €400.

Putting It Into Practice: This case -brought against the EU entity that oversees GDPR compliance- is a reminder of EU concerns with data transfers to the US. As we await further developments with the Data Privacy Framework under the new administration, companies may want to re-examine the mechanisms (including standard contractual clauses + additional safeguards) EU-US data transfers.

Disclaimer: This alert is provided for information purposes only and does not constitute legal advice and is not intended to form an attorney client relationship. Please contact your Sheppard attorney contact for additional information.

Loading component...

Loading component...

Loading component...