Why is the EU Commission on trial for violating (its) data protection rules? by Giulia Alfieri

A German citizen has sued the EU Commission. The accusation is that he violated the General Data Protection Regulation (GDPR) through one of his sites that uses Amazon Web Services. All the details

Can the European Commission itself violate data protection rules? According to a German citizen, represented by the association Europäische Gesellschaft für Datenschutz (EuGD), yes. THE EU SITE INVOLVED The plaintiff sued the institution for assigning the hosting of its Conference of the Future of Europe website to Amazon Web Services (AWS). Conference of the Future of Europe is a platform that wants to give a voice to European citizens through a broad public consultation so that they can express their expectations of the European Union on democracy, energy and digital transition. THE ACCUSATION The accusation concerns the fact that the site is hosted by AWS therefore, at the time of registration, personal data, such as the IP address, is transferred to the United States – thus violating, according to the plaintiff, the General Data Protection Regulation (GDPR). A regulation, writes Siècle Digital, "which however is defended tooth and nail by the European Commission". Since the EU Commission is the operator of the website, the plaintiff asked for information on how to process personal data and having not obtained exhaustive feedback also accused the institution of not disclosing "sufficient information" about its data processing practices. In addition, the complaint that the EuGD has submitted to the European Data Protection Supervisor (EDPS), the competent authority for the application of data protection rules by the EU institutions, is also added in parallel. However, reports Euractiv, this has suspended the investigation because a lawsuit is ongoing. THE SHADOW OF FACEBOOK In addition, Conference of the Future of Europe also allows users to log in through their Facebook account, already "contested for the illegal transfer of personal data to the United States, and a complaint in this regard is currently being examined by the Irish Commissioner for Data Protection", writes Euractiv. WHEN THE JUDGMENT After submitting the appeal to the EU Court, the case will be examined and the decision is expected within 12-18 months. WHAT THE LEGISLATION PROVIDES International transfers of data overseas, Explains Euractiv, were declared illegal by the Court of Justice of the EU two years ago in the historic Schrems II ruling, thus defining the interpretation of the GDPR. The AMERICAN jurisdiction, the article reads, "was deemed inadequate with regard to data protection, as the US secret services could access the personal data of EU residents disproportionately and without any judicial remedy". A NEW PRIVACY SHIELD ON THE HORIZON In March 2022, adds Siècle Digital, US President Joe Biden "took a step towards the EU in an attempt to resolve this long-standing dispute between the two continents". The goal of a new agreement – to replace the Privacy Shield – will be to prevent US authorities from accessing european citizens' data, even if hosted by a US cloud provider such as AWS. FORECASTS ON THE OUTCOME OF THE CASE The GDPR does not apply directly to the EU institutions, which are bound by a similar regulation but, according to Euractiv, it is expected that with this complaint the effect of the Schrems II judgment will also be extended to them. THE OPINION OF THE EuGD "The lawsuit against the European Commission is a signal for data protection in Europe," said Thomas Bindl, founder of EuGD . Although a Court ruling will not provide direct guidelines for jurisprudence in Germany, Spain or other countries, we consider it very important. It would be a clear signal that everyone must comply with data protection requirements." For Bindl, in fact, "if a restaurant or a bakery has to find a way to comply with the ban on data transfer to the United States, the European Commission must do it too, because there can be no double standards".