The European Union (EU) has fined itself €400 ($412) for violating its own data protection regulations by transferring data to the US.

The EU General Court ruled that the European Commission failed to ensure adequate data protection when Munich resident Thomas Bindl registered for an EU conference using his Facebook account in 2022, leading to data transfer concerns.

The “Conference on the Future of Europe” website allowed sign-ups via Facebook, which Bindl claimed resulted in his internet address and browser details being transferred to the US.

The incident marks the first time the EU has been fined under its own GDPR laws, which require equivalent data protection safeguards in jurisdictions outside the bloc.

At the time, the US, where Facebook’s parent company Meta stores much of its data, had not been assigned the status of having equivalent safeguards.

Bindl argued that this transfer risked his data being accessed by US security and intelligence services.

He sought €400 for “non-material damage” and an additional €800 for the Commission’s failure to respond to his data transfer inquiry.

The court rejected Bindl’s second request and a claim regarding data transfer to Amazon’s US servers, confirming the data was stored in Munich.

“The General Court finds that the Commission committed a sufficiently serious breach of a rule of law that is intended to confer rights on individuals,” the court stated.

The GDPR is one of the world’s strictest data protection regimes, leading to significant fines for technology companies.

Meta was fined €1.2bn in 2023 for transferring users’ data to the US without adequate safeguards.

Additionally, the European data watchdog previously reprimanded the EU for not ensuring data protection in a contract with Microsoft.