In addition to being convenient and efficient, single sign-on is meant to be a more secure way to handle user logins. Instead of having to set up and record or remember separate usernames and passwords for every site, individuals can log in with account credentials they already have. Accounts with large tech platforms, like Google or Facebook, are popular options.
But that added security and convenience can result in a privacy violation if the requirements of data privacy laws like the European Union’s General Data Protection Regulation (GDPR) are not met. Where is the data that’s collected stored? And who may have access to it?
This type of issue is what happened when visitors to a website managed by the European Commission were able to log in using social platform credentials, resulting in an infringement of EU citizens’ privacy rights.
We look at what happened and how, as well as how the Commission was penalized and what companies can learn about employing single sign-on compliantly.
Conference on the Future of Europe website login and the complaint
The Conference on the Future of Europe ran in 2021 and 2022, and visitors to the website could register for the various related events there. The European Commission (the Commission) managed the conference website.
One of the login options for visitors interested in registering for conference events was single sign-on using social platform login credentials. Specifically, there was a “Sign in with Facebook” link on the login web page.
However, as Meta Platforms, Facebook’s parent company, is located in the United States, an EU resident using this login method created the conditions for that user’s personal data to be transferred to the United States without the individual’s knowledge or consent.
Who was affected by the GDPR violation?
An individual residing in Germany logged in to the conference website and registered for the “GoGreen” event using his Facebook account credentials. According to the individual, in doing so, his personal data was collected and transferred to the US, including IP address plus browser and device information.
Amazon Web Services was the operator of the Amazon CloudFront content delivery network in use by the conference website, which is how his personal data was transferred. Amazon is also based in the United States.
The individual who made the complaint maintained that the data transfers created a risk of his data being accessed by US security and intelligence services. An additional claim was that neither the Commission nor conference organizers indicated that appropriate measures were in place to prevent or justify those data transfers if visitors used that sign-in method.
How did the European Commission violate the GDPR?
The Court of Justice of the European Union (CJEU) found that the “Sign in with Facebook” link on the conference website created the conditions for transferring the complainant’s personal data to Facebook, which, as noted, is based in the US. As the European Commission managed the conference website, it was responsible for the data transfer and contravened its own rules.
At the time the transfer occurred (the conference ran in 2021 and 2022), the US was not considered adequate for ensuring data protections for the personal data of EU residents. The EU-U.S. Privacy Shield framework had been struck down in 2020 and the EU-U.S. Data Privacy Framework, which introduced a new adequacy agreement between the two regions, was not enacted until 2023.
Additionally, the Commission was found neither to have demonstrated nor claimed that an appropriate safeguard, such as a standard contractual clause or data protection clause, was in place for personal data obtained and transferred via the login using Facebook account credentials. Facebook’s platform entirely governed the terms and conditions for displaying the “Sign in with Facebook” link, and as a result for logging in with it.
The CJEU found that the Commission did not comply with the requirements of EU law for data transfers to a third country by “an EU institution, body, office or agency” (Chapter 5 of the GDPR).
How was the complaint resolved?
The complainant was awarded EUR 400 by the CJEU, to be paid by the European Commission, as compensation for non-material damage experienced due to the data transfers.
The complainant also sought several other methods of redress, including:
- annulment of the data transfers of his personal data
- a declaration from the Commission of unlawfully failing to define their position on a request for information
- EUR 800 as compensation for non-material damage resulting from the infringement of his right to access to information
The CJEU dismissed all three. The Court found that in one of the connections at issue the data was transferred to a server in Germany, rather than to the United States, as Amazon Web Services is required to ensure that data remains in Europe in transit and at rest.
In another connection, the Court found that the complainant himself was responsible for the redirection of the data to US-based services via the Amazon CloudFront routing mechanism: a technical adjustment on his side made him appear to be located in the US at that time. Using a VPN can cause this result.
How can companies operating in digital spaces protect their operations?
Single sign-on options using popular tech platforms are convenient. But companies that knowingly process, or may process, personal data of EU residents need to be aware of how the login process works, what personal data is collected, where it may be transferred to and stored, and who may have access to it. Users whose personal data may be processed need to be informed as well, and enabled to exercise their rights under relevant laws.
Facebook and Google are two popular platforms whose account credentials are used for single sign-on. Both are US-based companies, though they do operate EU-based servers and data centers, as certain legal requirements demand.
If providing such login options is necessary on your website, ensure that the required agreements and/or contractual clauses for adequate data protection are in place, that users are adequately informed, and that their privacy rights (including consent or opt-out) are maintained.
This also goes for other third-party services that process users’ personal data, which many companies use on their websites for advertising, analytics, ecommerce fulfillment, and other functions. Under the GDPR and other data privacy laws, controllers are responsible for the privacy compliance and data security of third-party processors working for them.
Obtain informed and explicit consent from website visitors and others whose personal data is collected and processed for various purposes, so that they know about the data processing and third parties that may have access to their data, and can exercise their rights and consent choices.
A consent management platform would have enabled the Commission to notify users about personal data collection and transfer, obtain their consent, and offer another login option to those who declined.
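The gating the last two paragraphs describe can be checked in code rather than taken on trust. The example below is added to this article and is not code from the conference website, the European Commission, or any consent management product. It assumes a hypothetical consent record of the form { thirdPartyLogin: true|false } (a real site would read this from its consent management platform’s API) and uses a placeholder SDK host; the point it demonstrates is that a third-party login script, and with it the visitor’s IP address and browser details, is only requested after consent, while a first-party login option and an explanatory notice remain available either way.

```javascript
// Added example: consent-gated rendering of a third-party "social login" option.
// Illustrative code written for this article; not from the Conference on the
// Future of Europe site, the Commission, or any consent management product.
// Assumptions: consent record shape { thirdPartyLogin: boolean } and a
// placeholder SDK URL (the ".invalid" TLD never resolves).

const THIRD_PARTY_SDK_URL = "https://sdk.social-platform.invalid/login.js"; // placeholder

// Login options that contact no third party merely by being displayed.
const FIRST_PARTY_OPTIONS = [
  { id: "email", label: "Sign in with email", thirdParty: false },
];

// Options whose mere display loads a script from an external platform and so
// sends the visitor's IP address and browser details to that platform.
const THIRD_PARTY_OPTIONS = [
  { id: "social", label: "Sign in with a social platform", thirdParty: true, sdk: THIRD_PARTY_SDK_URL },
];

const TRANSFER_NOTICE =
  "Signing in with a social platform sends your IP address and browser details " +
  "to that platform, which may store them outside the EU. Enable it in your " +
  "privacy settings or use another sign-in option.";

// Decide what the login page may do for a given consent record. A missing or
// malformed record is treated as no consent. Returns a plan instead of touching
// the DOM so the decision can be tested on its own.
function planLoginPage(consent) {
  const granted = Boolean(consent && consent.thirdPartyLogin === true);
  return {
    options: granted ? [...FIRST_PARTY_OPTIONS, ...THIRD_PARTY_OPTIONS] : [...FIRST_PARTY_OPTIONS],
    scriptsToLoad: granted ? THIRD_PARTY_OPTIONS.map((o) => o.sdk) : [],
    notice: granted ? null : TRANSFER_NOTICE,
  };
}

// Apply the plan to a document: `document` in a browser, or the recorder below.
// Third-party scripts are injected only when the plan allows it.
function mountLoginPage(consent, doc) {
  const plan = planLoginPage(consent);
  for (const src of plan.scriptsToLoad) {
    const script = doc.createElement("script");
    script.src = src;
    script.async = true;
    doc.head.appendChild(script);
  }
  return plan;
}

// Stand-in for `document` that records every script the page would request,
// so the gating can be verified offline without a browser.
function makeRecordingDocument() {
  const appended = [];
  return {
    head: { appendChild: (el) => appended.push(el.src) },
    createElement: (tag) => ({ tagName: tag }),
    loadedScripts: () => appended.slice(),
  };
}

// External hosts the login page contacted as a result of rendering.
function contactedHosts(doc) {
  return doc.loadedScripts().map((src) => new URL(src).host);
}

// Stand-alone demonstration of the two consent states.
const withoutConsent = makeRecordingDocument();
mountLoginPage({ thirdPartyLogin: false }, withoutConsent);
console.log("no consent, hosts contacted:", contactedHosts(withoutConsent)); // []

const withConsent = makeRecordingDocument();
mountLoginPage({ thirdPartyLogin: true }, withConsent);
console.log("consent, hosts contacted:", contactedHosts(withConsent)); // [ 'sdk.social-platform.invalid' ]
```

The same structure applies to any other embedded third-party script (analytics, advertising, ecommerce widgets): compute a plan from the consent record first, and only then let the page inject the script, so that withholding consent provably means no request leaves the browser for that host.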
Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.