The recent ruling by the EU’s General Court against the European Commission underscores the importance of adhering to strict data protection rules when transferring personal data outside the EU. The Commission was fined €400 for allowing the transfer of a visitor’s IP address to the US without the required safeguards, highlighting systemic issues with how data transfers are handled, even by EU institutions.
Why They Got Fined
The fine arose from two instances of improper data handling:
- Facebook Login: The EU Login page offered a "Sign in with Facebook" option. By simply displaying this feature, the Commission facilitated the transfer of the user’s IP address to Meta, a US-based company. This transmission occurred without implementing any safeguards like Standard Contractual Clauses (SCCs) or obtaining explicit consent.
- AWS Hosting: The website’s data was hosted on AWS servers in the EU. Although data was not actively transferred to the US, the theoretical possibility of US intelligence accessing this data under US law was flagged. However, the court did not consider this an actual violation in this instance.
At the core of the issue with Meta was the lack of any legal basis for the transfer under Chapter V of the regulation that applies the GDPR’s rules to EU institutions. There was no adequacy mechanism in place (the Data Privacy Framework was adopted only later), nor were SCCs used to ensure compliance. Most critically, the Commission failed to obtain explicit consent from users, which on its own would have served as a sufficient legal foundation for the transfer.
What They Failed to Do
The ruling emphasizes several key failings:
- No Explicit Consent: The Commission did not inform users about how their data would be used or shared with third parties like Meta. Had users been clearly informed and given explicit consent, the Commission could have avoided liability.
- No Safeguards: The lack of SCCs or an adequacy decision meant there were no legal safeguards in place to justify the transfer of personal data.
- Transparency Issues: Users were not adequately informed about the data processing practices tied to the Facebook Login option.
Why This Ruling Matters
This case highlights that it doesn’t matter who the processor is, be it Facebook, Google Tag Manager (GTM), or any other third-party tool. If an organization transfers personal data, such as an IP address, to a non-EU country without safeguards or informed consent, it risks fines under GDPR.
The Risks of Google Tag Manager
Google Tag Manager is used by over 50% of the largest websites, from business websites to e-commerce platforms. It often serves as a gateway for loading third-party scripts and pixels, tools frequently used for analytics, marketing, and personalization.
However, if GTM is used to transfer personal data (e.g., IP addresses) to the United States or other non-EU countries, it places organizations in the same risk category as the Commission in this case. Without obtaining explicit, informed consent from users and ensuring legal safeguards like SCCs, organizations using GTM face potential fines. This is because GTM facilitates the sharing of data with entities like Google, which may process that data in jurisdictions lacking GDPR-equivalent protections.
The Takeaway
The General Court’s decision serves as a wake-up call for organizations across industries. Whether you’re an EU institution or a private company, compliance requires more than just technical solutions—it demands transparency, informed consent, and robust safeguards for international data transfers.
For businesses relying on tools like Facebook Login or Google Tag Manager, this ruling underscores the need to:
- Clearly inform users about data processing and transfer practices.
- Obtain explicit consent for sharing data with third parties.
- Implement safeguards like SCCs or ensure adequacy decisions are in place.
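The three points above map directly onto how third-party scripts are loaded: a "Sign in with Facebook" button or a tag manager snippet that is injected as soon as the page renders makes the visitor’s browser contact the vendor, and with it sends the IP address, before any consent exists. The following is an added example, not code from the original post or from AesirX, of a loader that refuses to inject a vendor script until a recorded consent covers the vendor’s purpose and, for vendors processing data outside the EU, either a declared safeguard (SCCs or adequacy) or an informed consent to that transfer exists. The vendor entries, the consent-record shape and the hostnames are constructed for illustration; the fake document object only exists so the code runs under Node, and in a browser the real `document` is passed instead.

```javascript
// Added example: consent-gated loading of third-party scripts.
// Not code from the original post or from AesirX; vendor entries, the
// consent-record shape and the hostnames below are constructed placeholders.

// Each entry declares where the vendor processes data and which Chapter V
// safeguard (if any) covers that transfer. Hostnames are placeholders.
const VENDORS = [
  { id: 'facebook-login', purpose: 'social-login', transferRegion: 'US',
    safeguard: null, src: 'https://social-login.example/sdk.js' },
  { id: 'tag-manager', purpose: 'analytics', transferRegion: 'US',
    safeguard: 'SCC', src: 'https://tags.example/tm.js?id=PLACEHOLDER' },
  { id: 'eu-analytics', purpose: 'analytics', transferRegion: 'EU',
    safeguard: null, src: 'https://analytics.example/collect.js' },
];

// The pattern the ruling describes: every vendor script is injected on page
// render, so the visitor's IP address reaches each vendor before any consent
// exists. Kept only as the "before" to contrast with loadWithConsent below.
function injectUnconditionally(doc, vendors) {
  return vendors.map((vendor) => appendScript(doc, vendor));
}

// Why a vendor must NOT be loaded under the given consent record, or null if
// it may load. Default is deny: with no record, nothing is injected.
function denialReason(vendor, consent) {
  if (!consent || consent.granted !== true) {
    return 'no explicit consent recorded';
  }
  if (!consent.purposes.includes(vendor.purpose)) {
    return `no consent for purpose "${vendor.purpose}"`;
  }
  if (vendor.transferRegion !== 'EU') {
    // transfersDisclosed lists the regions the user was told about and agreed to.
    const disclosed = consent.transfersDisclosed || [];
    const informedTransferConsent = disclosed.includes(vendor.transferRegion);
    if (!vendor.safeguard && !informedTransferConsent) {
      return `transfer to ${vendor.transferRegion} without SCCs/adequacy or informed transfer consent`;
    }
  }
  return null;
}

// Split the vendor list into what may load and what is withheld, keeping the
// reason for each withheld vendor so it can be logged for the compliance record.
function planScriptLoads(vendors, consent) {
  const allowed = [];
  const withheld = [];
  for (const vendor of vendors) {
    const reason = denialReason(vendor, consent);
    if (reason === null) allowed.push(vendor);
    else withheld.push({ id: vendor.id, reason });
  }
  return { allowed, withheld };
}

// Hardened loader: only planned vendors get a <script> element, so the
// browser sends no request (and no IP address) to the others.
function loadWithConsent(doc, vendors, consent) {
  const plan = planScriptLoads(vendors, consent);
  plan.allowed.forEach((vendor) => appendScript(doc, vendor));
  return plan;
}

// Creating the element with a src is the moment the request leaves the browser.
function appendScript(doc, vendor) {
  const el = doc.createElement('script');
  el.async = true;
  el.src = vendor.src;
  doc.head.appendChild(el);
  return el;
}

// Minimal stand-in for the DOM so the example runs under Node; in a browser
// pass the real `document` instead.
function makeFakeDocument() {
  const head = { children: [], appendChild(el) { head.children.push(el); } };
  return { head, createElement: (tag) => ({ tagName: tag.toUpperCase(), async: false, src: '' }) };
}

// Usage: the same vendor list under the unconditional and the gated loader,
// with a constructed consent that covers analytics only.
const beforeDoc = makeFakeDocument();
injectUnconditionally(beforeDoc, VENDORS);
const afterDoc = makeFakeDocument();
const examplePlan = loadWithConsent(afterDoc, VENDORS, {
  granted: true, purposes: ['analytics'], transfersDisclosed: [],
});
console.log(`unconditional: ${beforeDoc.head.children.length} scripts, gated: ${afterDoc.head.children.length}`);
console.log(examplePlan.withheld);
```

With the analytics-only consent, the social-login vendor is withheld for lack of purpose consent, the tag manager loads because its transfer is covered by SCCs, and the EU-hosted vendor loads because no Chapter V transfer occurs. Keeping `denialReason` separate from the DOM work makes the decision testable on its own and gives the audit log a concrete reason per withheld vendor, which is the evidence the transparency point above calls for.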
Without these measures, organizations risk fines, reputational damage, and consumer distrust. This ruling not only impacts industry practices but also reinforces consumer protection by preventing unauthorized data collection and abusive sharing with Big Tech.
Ronni K. Gothard Christiansen, Creator, AesirX.io
Sources
Google Tag Manager: Privacy Leaks and Potential Legal Violations
Analysis of "Google Tag Manager: Privacy Leaks and Potential Legal Violations"
Concerned about your website’s compliance?
Does your site collect data or share it with third parties before obtaining valid user consent? The AesirX Privacy Scanner is a free privacy tool that identifies potential GDPR and ePrivacy Directive violations, enabling you to address them proactively.