The EU fined itself for breaching its own data privacy law

The European Union investigated itself and found … wrongdoing! For the first time, the EU has been found to have violated its privacy rules set by the General Data Protection Regulation (GDPR) and will have to pay a fine, for a judgment of the General Court of the EU.

The victim of the EU’s blatant disregard for the law was a German citizen who used the “Sign up with Facebook” option when registering for a conference through a European Commission webpage. When the user clicked that button, data about their device, browser and IP address was transferred through a content delivery network managed by Amazon Web Services and eventually found its way to the servers operated by from the Facebook company Meta Platforms in the United States. The court ruled that the data transfer was made without adequate safeguards, which amounts to a violation of GDPR rules, and the EU was ordered to pay a fine of €400 (about $412) directly to the person who brought the case.

GDPR, the reason that every website now asks if you want to accept cookieshas been a thorn in the side of tech companies since it first took effect in 2018. The set of strict data privacy rules designed to regulate the amount of personal data that companies can collect from users and give to individuals more control of how their information. is accessed and used has been the impetus for a number of major penalties paid by Big Tech companies-especially Meta.

Only last year, Meta had slapped with a $1.3 billion fine for not having sufficient protection of European users’ data from American intelligence agencies when they transferred the data to American servers. Previously, Meta was hit with a $417 million fine under the GDPR rules for the violation of the privacy of minor users on Instagram and $232 million for not transparently disclosing how WhatsApp handles data. While Meta isn’t alone in getting these wrist slaps a little pricey (Amazon bought a Penalty of $887 million in 2021, for example), it is fitting that it was a Facebook login option that got the EU into hot water with itself.

GDPR has been a bit of a mixed bag since its implementation. It has undoubtedly grabbed some headlines with major fines aimed at Silicon Valley giants. But enforcement can take forever, even the EU’s first self-imposed fine for violating a person’s privacy took more than two years to process. More than three in four data protection authorities have complained of a lack of budget and personnel to address violations, and there is much evidence to suggest that the byzantine list of laws has in reality not much is done to curb the invasive practices of surveillance capitalism. The EU has some work to do. Maybe you can start to follow their rules.