/>iFollowing a German case brought against the EU Commission, the EU General Court found that the Commission had made an improper transfer of personal information to the US. The plaintiff, a German citizen, alleged (among other things) that his information was sent through the EU Commission’s website to the US through an automated social media login option when he registered for a Commission event. He further alleged that this violated the government-agency equivalent of GDPR (EUDPR), as it occurred during a period in time when the Privacy Shield had been found inadequate, and the replacement program was not yet in place.
The court noted that the Commission, in making the transfer, relied only on website terms for the US data recipient. It did not enter into a contract that included standard contractual clauses or otherwise have “appropriate safeguard[s].” The court ordered the Commission to pay the individual €400.
Putting It Into Practice: This case -brought against the EU entity that oversees GDPR compliance- is a reminder of EU concerns with data transfers to the US. As we await further developments with the Data Privacy Framework under the new administration, companies may want to re-examine the mechanisms (including standard contractual clauses + additional safeguards) EU-US data transfers.
