Back in 2018, European internet authorities passed one of the toughest pieces of privacy legislation in the world to date. Four years later, they’re being sued for violating the very same laws.
The suit is being spearheaded by an unnamed German citizen who alleges that one of the European Commission’s own sites is regularly transferring visitors’ data onto servers based in the U.S. These kinds of international data shenanigans have been verboten under GDPR since 2020, thanks to tweaks that got made specifically targeting data transfers between European and American tech operators like Facebook or Google.
The complaint that was posted on Tuesday by Europäische Gesellschaft für Datenschutz—the German organization supporting the plaintiff in the suit—specifically calls out the website for the Conference of the Future of Europe, an event spearheaded by the Commission to engage citizens across the bloc in policy proposals. Datenschutz says that registering for this Conference means violating GDPR. The website for the event is hosted by Amazon Web Services, meaning every registration sends personal data, like the IP address from a registrant’s computer, back to Amazon servers based in the States, according to the suit.
On top of that, the complaint notes that the Conference’s website lets registrants log in with their Facebook account, potentially exposing Europeans on yet another front. That company’s in the middle of a separate thorny legal battle in Ireland over accusations that it, too, was illegally catapulting E.U. residents’ data overseas.
At the time, E.U. officials noted that U.S. intelligence operatives and law enforcement officials could tap these companies for easy access to just about anyone’s data—and that includes data from European residents. With no real way to protect Europeans from having American cops snooping on their citizens, the legal basis for cross-border data transfers between the two regions crumbled.
American and European authorities have been left scrambling to come up with a new, safer way to transfer Europeans’ data across the pond, but until then, that practice is more or less illegal. According to the lawsuit, the European Commission didn’t get the memo.
The anonymous German plaintiff behind this case asked the Commission (twice!) about how the portal was handling his personal data, and, according to the suit, it offered one half-answer. The second inquiry wasn’t answered at all, another alleged GDPR violation.