Ironically, the EU Commission, which is responsible for compliance with the General Data Protection Regulation for data transfers to third countries, has suffered a defeat before the European Court of Justice: A German legal tech entrepreneur sued the EU Commission. Had filed – and now won – two court instances in Luxembourg on two important points in the first.
Advertisement
E-Patient File: Letter to Health Ministry highlights implementation shortcomings
money for the plaintiff
This is a decision with implications for website operators: the judges of the Sixth Chamber of the Court of Justice are directly responsible for legal disputes with the Commission as an administrative unit: the EU Commission is responsible for ensuring that when a website “https: //futureu .europa .eu” Personal data were transferred to the United States, even though there was no legal basis for it. In the period between the decision of the European Court of Justice on Privacy Shield and the subsequent new adequacy decision of the EU Commission under the name Transatlantic Data Privacy Framework. The plaintiffs argued that such a decision or some other legal basis for data transfer that complied with data protection law would be a prerequisite for lawful data transfers – and lower court judges have now followed suit.
In their decision, the judges explained in detail the personal data processing operations. For example, in the case of AmazonCloudFront data transfers, the contract between the EU Commission and AWS as website operator stipulated that the data had to remain in the EU. In another process, the data subject himself initiated the processing in the United States – possibly using a VPN.
Compensation for “Sign in with Facebook”
The judges judged the case of the “Sign in with Facebook” button differently: Due to its integration, data processing was attributed to the website operator. And since there was no agreement between the EU Commission and META that could stipulate otherwise, the EU Commission must be assessed as the body responsible for data protection in all cases. “In the present case, the Commission has not demonstrated, or even claimed, that there is no appropriate standard data protection clause or contractual clause, such as Article 48(2) and (3) of Regulation 2018/ 1725 (…) “The display of the ‘Sign in with Facebook’ hyperlink on the ‘EU Login’ website is shown subject to Facebook’s terms of use,” states paragraph 191. of judgmentIntegration was a “sufficiently serious breach”.
Because of this breach, his claim for non-material damage also has a “substantial direct causal link”: the EU Commission’s behavior “has put the plaintiff in a situation in which he is not sure how the personal data relating to him “Action will be taken specifically against his IP address.” Judges in Luxembourg considered 400 euros a fair amount in this case.
Integration should be regulated and with clearly responsible individuals
For website operators, the following follows from the decision: When integrating third-party services, they must ensure that data protection legislation is followed – otherwise they themselves may be liable for damages. This is particularly important in light of the emerging disputes between the future US government under Donald Trump and the support of US technology companies like Meta: whether either the European Court of Justice should declare the currently existing adequacy decision invalid or Donald Trump should Retain its predecessor Assurances If the improved data protection were reversed, it would fundamentally call into question the legal basis and use of US services – and a situation now deemed unacceptable by the European Court of Justice would become the norm.
While US data transfers will still be at a somewhat legally protected level for at least a few weeks, this does not apply to the use of services from other countries without an adequacy decision. For example, there is no such thing for the People’s Republic of China or the Russian Federation. For example, irregular integration of elements or use of software through which data is transferred to these countries may also give rise to liability for damages.
(mho)
Organized crime: BGH accepts “Anom” chats as evidence
