tl;dr : The EU must safeguard under all circumstances the privacy of EU citizens and should do so actively.
" However, as regards that person’s registration for the ‘GoGreen’ event, the General Court finds that, by means of the ‘Sign in with Facebook’ hyperlink displayed on the EU Login webpage, the Commission created the conditions for the transmission of his IP address to Facebook. That IP address constitutes personal data which, by means of that hyperlink, were transmitted to Meta Platforms, an undertaking established in the United States. That transfer must
be imputed to the Commission.
At the time of that transfer, on 30 March 2022, there was no Commission decision finding that the United States
ensured an adequate level of protection for the personal data of EU citizens. Furthermore, the Commission has neither demonstrated nor claimed that there was an appropriate safeguard, in particular a standard data protection clause or contractual clause. 5 The displaying of the ‘Sign in with Facebook’ hyperlink on the EU Login website was entirely governed by the general terms and conditions of the Facebook platform.
The Commission did not, therefore, comply with the conditions set by EU law for the transfer by an EU institution,body, office or agency of personal data to a third country.
You understand that lemmy is also in violation, yes?
Do you mean below mentioned issue?
Lemmy@World instance servers are in the EU. I think in The Netherlands, so they must comply. On the otherhand it’s federated, so messages are copied. Lemmy isn’t as big a platform as Meta, so the rules are less strict, iirc.
As far as I understand it, with federation only your username and the content of your posts and comments is transferred to other instances, which is not personal identifiable information
Press release from the court with link to full judgement: https://curia.europa.eu/jcms/upload/docs/application/pdf/2025-01/cp250001en.pdf
Tnx , I found it helpful:
tl;dr : The EU must safeguard under all circumstances the privacy of EU citizens and should do so actively.
" However, as regards that person’s registration for the ‘GoGreen’ event, the General Court finds that, by means of the ‘Sign in with Facebook’ hyperlink displayed on the EU Login webpage, the Commission created the conditions for the transmission of his IP address to Facebook. That IP address constitutes personal data which, by means of that hyperlink, were transmitted to Meta Platforms, an undertaking established in the United States. That transfer must be imputed to the Commission.
At the time of that transfer, on 30 March 2022, there was no Commission decision finding that the United States ensured an adequate level of protection for the personal data of EU citizens. Furthermore, the Commission has neither demonstrated nor claimed that there was an appropriate safeguard, in particular a standard data protection clause or contractual clause. 5 The displaying of the ‘Sign in with Facebook’ hyperlink on the EU Login website was entirely governed by the general terms and conditions of the Facebook platform. The Commission did not, therefore, comply with the conditions set by EU law for the transfer by an EU institution,body, office or agency of personal data to a third country.
That’s not how I would sum it up. You understand that lemmy is also in violation, yes?
Do you mean below mentioned issue?
Lemmy@World instance servers are in the EU. I think in The Netherlands, so they must comply. On the otherhand it’s federated, so messages are copied. Lemmy isn’t as big a platform as Meta, so the rules are less strict, iirc.
Yes, personal data. That’s a problem. And when that data is copied to the US, then it’s a problem similar to what got the EC fined here.
Not quite. GDPR applies equally to everyone. There are some finer points, but that didn’t matter in this case.
True that, the "G " in GDPR (General Data Protection Regulation) means everyone must abide.
So While Lemmy doesn’t fall in DSA ( Digital Servcie Act) it still needs to comply with GDPR. For more info Similarities and Differences between the GDPR and Other European Laws
A small platform like Lemmy is exempt from much of the DSA but far from all of it.
As far as I understand it, with federation only your username and the content of your posts and comments is transferred to other instances, which is not personal identifiable information
Lemmy is too small of a fish for prosecution to make sense