EU Parliament's Own Website Violates The GDPR
from the whoopsy dept
We've been pointing out for a while that, however well-intentioned the GDPR may be, and however important the general concept of protecting users' private data is, that still doesn't make the GDPR any less ridiculous. Indeed, we've pointed out that the GDPR is becoming a regulatory nightmare because the compliance costs are high and the rules are so vague that the liability risk remains high. I know that some people keep insisting that the requirements to be compliant aren't actually that difficult. Indeed, EU Commissioner Vera Journova recently claimed that complying with the GDPR was so easy that even she could do it.
Upon hearing that, software engineer Matthias Gliwka wondered if the EU was actually complying with its own "so easy" GDPR rules. Turns out, not so much. As Gliwka noted, the EU Parliament's own website appears to violate the GDPR.
It took me less than five minutes to spot a violation: on the website of the EU Parliament Google Analytics is being used to track the visitors without the necessary anonymizeIP flag, which in turn causes Google to store the complete IP address without anonymizing the last octet. You can take a look for yourself by checking the source code of this page (archived version in case it gets fixed in the meantime).
This is a violation of the GDPR, since the personal data (IP address) in conjunction with analytics data is being stored on Google’s servers without consent or any other legal basis.
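As an added example (not code from the Techdirt post or from Gliwka's write-up), here is a small audit that scans a page's HTML source for the analytics.js tracker and the anonymizeIp flag the quote refers to, and shows what that flag's IPv4 masking does on Google's side; the sample HTML and the UA-XXXXXXXX-1 property id are constructed placeholders.

```javascript
// Added example: audit page source for the analytics.js configuration the post
// discusses. The field is spelled anonymizeIp in analytics.js; the check is a
// heuristic over raw source (a gtag.js or Tag Manager deployment would need
// its own pattern), and the UA-XXXXXXXX-1 id is a placeholder.

// Constructed sample: the weak configuration, tracker created, no anonymizeIp.
const WEAK_PAGE = `
<script>
  (function(i,s,o,g,r,a,m){ /* loader omitted */ })(window,document,'script','//www.google-analytics.com/analytics.js','ga');
  ga('create', 'UA-XXXXXXXX-1', 'auto');
  ga('send', 'pageview');
</script>`;

// Constructed sample: the corrected configuration, flag set before the hit is sent.
const FIXED_PAGE = `
<script>
  ga('create', 'UA-XXXXXXXX-1', 'auto');
  ga('set', 'anonymizeIp', true);
  ga('send', 'pageview');
</script>`;

// Returns whether a tracker is present, whether IP masking is enabled, and
// whether the page is acceptable under the rule "no tracker, or a masked one".
function auditAnalyticsSnippet(html) {
  const tracker = /ga\(\s*['"]create['"]/.test(html)
    || /google-analytics\.com\/analytics\.js/.test(html);
  // Accept both ga('set', 'anonymizeIp', true) and the field-object form
  // ga('create', ..., { anonymizeIp: true }).
  const anonymized =
    /ga\(\s*['"]set['"]\s*,\s*['"]anonymizeIp['"]\s*,\s*true\s*\)/.test(html)
    || /anonymizeIp\s*:\s*true/.test(html);
  return { tracker, anonymized, acceptable: !tracker || anonymized };
}

// What the flag does to an IPv4 address before storage: the last octet is zeroed.
function maskIPv4(ip) {
  const parts = ip.split('.');
  const valid = parts.length === 4
    && parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  if (!valid) throw new Error(`not an IPv4 address: ${ip}`);
  parts[3] = '0';
  return parts.join('.');
}
```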
Oops. This, of course, is not to mock the EU Parliament for screwing up, but rather to highlight the fact that when politicians and regulators insist that certain regulations are "easy" to comply with, they often have no idea what they're talking about -- and the GDPR is a case in point. Over the past couple of months, nearly every startup company I've spoken to has discussed the GDPR, and nearly every single one has no idea if it's actually in compliance. Many have spent ridiculous sums on lawyers and self-described GDPR experts, but are still working almost entirely blind on how the GDPR will play out in practice.
That is not a good recipe for innovation. Nor, frankly, is it a good recipe for protecting your data. No matter how much you think that the GDPR means that websites will better protect your data, it is not particularly helpful when complying with the rules is both expensive and unclear. That the EU Parliament's own website couldn't figure this out is just a shining example of why the GDPR is such a problem.
Related to that, the fallout from the GDPR is already being felt -- and it's not being felt by Google and Facebook and the other internet giants that everyone celebrating the GDPR often points to. Instead, it's hitting smaller sites really, really hard. Google and Facebook are fine. They can handle the GDPR. Everyone else is freaked out.
Filed Under: eu, eu parliament, gdpr, regulations, tracking, vera journova
Reader Comments
No, Madnick, problem is GOOGLE! Is NO need for it to be everywhere!
"innovation" is not an end in itself. Google is innovating at SPYING, yes.
Re: "innovation" is not an end in itself. Google is innovating at SPYING, yes.
While it's conceivable that nazi concentration camps could have been turned into profitable slaughterhouse operations converting human bodies into numerous value-added products, from leather to soap to Braunschweiger, such stories, despite being spread far and wide, were simply not true.
https://www.ihr.org/leaflets/soap.shtml
Second comment and you went full Godwin. Never go full Godwin.
Krap Legislation
Re: Krap Legislation
Masking one octet is a pathetic excuse for "anonymization"
Re: Masking one octet is a pathetic excuse for "anonymization"
Yes, it's a badly written law, written by people who don't have a technical bone in their or their staff members' bodies.
(Mind you, of course, if we let 'technical people' write the technical legislation, we'd all be screaming about regulatory capture)
Re: Re: Masking one octet is a pathetic excuse for "anonymization"
Not a good example
Google Analytics is perhaps the prototypical example of user-tracking. This is not something that just appears on a website without the owner's involvement; they made the conscious decision to track their users, and did not turn on the option to track them in a slightly less identifiable way.
In this instance, compliance actually is easy: don't add a user-tracking service to your site.
Re: Not a good example
What's that saying about glass houses...?
This, of course, is not to mock the EU Parliament for screwing up, but rather to highlight the fact that when politicians and regulators insist that certain regulations are "easy" to comply with, they often have no idea what they're talking about -- and the GDPR is a case in point.
No, I do believe they're due for some hefty mockery here. As people have pointed out these changes have been in the pipes for two years, and yet during that time the very ones pushing it couldn't be bothered to check if they themselves were in compliance with their own rules?
If nothing else this provides perfect cover for any companies/sites who are still working on getting 'compliant'. If the EU Parliament couldn't be bothered, then it's rather hard to blame others for not getting on it ahead of time.
Re: What's that saying about glass houses...?
No, it might provide some "whataboutery" but it won't shield anyone from their own compliance.
Re: Re: What's that saying about glass houses...?
I didn't mean to imply it would be a good excuse, merely that it would be an easily used one.
'They didn't care enough to check and they wrote the rules, why are you going after us for not being 100% compliant right out the gates if even they couldn't be bothered?'
Re: What's that saying about glass houses...?
Re: What's that saying about glass houses...?
You make the mistake of assuming that those responsible in both areas were the same people. The people making the rules will not have been implementing them - that job will be done by people who were more than likely telling them why things were a bad idea in the first place. If a hammer falls, it will be on the poor admin who was ordered to achieve what he was warned was impossible, not the politician who demanded it be done anyway.
Is this really a bad thing? Less ads? I see that as a win. The internet was and should still be ad free!
Re:
Re: Re:
Re: Re:
I remember what it was like the first times I was online. Somewhere around 1993. I can't remember seeing a single ad and yet there were more sites to visit and spend time on than I had free. I would never have seen it all.
Hosting a site at someone else's expense was not even thought of. It was a place to share your ideas, your creations. Then the business man got a hold of it....
Re: Re: Re:
You can also show ads without tracking or annoying visitors.
Re: Re: Re: Re:
"Without annoying" is difficult. But if we look back to the early days of targeted advertising, we know it can be done without tracking. There's one piece of information that's powerful on its own: the page on which the ad appears. Originally, Google would show an ad based on your search term. Techdirt's recent boardgame campaign worked because it was shown to users of this site and relates to things the site talks about (FOIA, spying), so we can assume some people reading TD will be interested.
Re: Re: Re:
What, when there were only a few thousand actual internet users? And many of the "sites" were actually used for other things than just serving pages? And/or they were affiliated with universities.
Mosaic, the first "graphical" browser, came out in 1993, and for quite a while very few sites had actual WWW (web) server capabilities. Lynx & Gopher didn't provide any kind of advertisement capabilities that I recall.
Once the actual Mosaic & Netscape WWW browser capability started taking off, and people started getting on the internet, commercial investment started coming along. This investment actually helped grow the internet into the massive, ubiquitous state it maintains today. AOL, Yahoo, MSN, and others actually did have advertisements, and they were "the internet" for most people back in the mid-1990s or so. (AOL and Compuserv actually existed before the web).
Re:
This was always going to happen. The data harvesting free-for-all that the big players depend on is in flagrant violation of basic human rights principles.
The Europeans will not back down on this. Rather than futilely drawing it out for years these companies should "innovate" and move to one of their other revenue options.
If collecting personal data is essential for providing a service that people actually value then they will happily opt in to it.
Re:
Re: Re:
Re: Re:
It's just an example showing hosting does not require tracking, and people posting their own media have choices other than Youtube etc.
Their FAQ says it costs them about 2.00 USD/GB to store data forever. They're not going to object to the EU Parliament posting laws, minutes, etc. there, with or without a donation. An individual could easily get their fans to donate enough to cover those costs, without any intrusive PBS-style fund drive.
Re: Re: Re:
without any intrusive PBS-style fund drive.
Not sure about this one. Wikipedia, at least, appears to require this kind of fundraising, and it is funded largely by individuals, in contrast to archive.org which is mostly funded by much larger institutions.
Re:
I'm just not sure what you mean because that is a very bold statement but you don't explain it or back it up in any way.
NOPE
The problem, then, is not so much the EU Website
Podcast suggestion
Living in Europe, and having a serious amount of skepticism regarding the motives of the EU Commission and the EU Council, I'm still more of a fan of the GDPR than not.
However, I don't know everything, and I work only tangentially with matters relating to data protection.
I would love to hear a discussion or debate on the Techdirt podcast, say, regarding the GDPR between Mike or Cathy and someone from the east of the Atlantic. My personal recommendations would be someone like Simon McGarr (@tupp_ed on Twitter) or T.J. McIntyre of Digital Rights Ireland (@tjmcintyre), both of whom were involved in the Schrems case that took down Safe Harbour.
Other people I would trust to give an informed, EU-based, perspective on GDPR would be Rowenna Fielding (@MissIG_Geek), Sarah Clarke (@trialbytruth), Pat Walshe (@PrivacyMatters) or Daragh O Brien (@CBridge_Chief).
I would expect all of these to have considered analyses on the concerns that Mike and others have with GDPR (I don't like the RTBF portion of it, either!), and would give alternative perspectives. It would be excellent to hear it covered in one of the podcasts.
Éibhear
It says it doesn't comply, on the legal page ¯\_(ツ)_/¯
https://europa.eu/european-union/abouteuropa/legal_notices_en
If so, it's totally obvious that it doesn't comply with the GDPR. It even says so in plain text...
The policy on "protection of individuals with regard to the processing of personal data by the Community institutions" is based currently on Regulation (EC) N° 45/2001 of the European Parliament and of the Council of 18 December 2000 (and not on the "GDPR" Regulation 2016/679 that repeals the Directive 95/46/EC). The new version of Regulation 45/2001 is currently being adopted. The legal notices on Europa will be updated in accordance with the new version.
"Indeed, EU Commissioner Vera Journova recently claimed that complying with the GDPR was so easy that even she could do it."
See? Even Vera can do it.
She didn't say she does do it, just that she could do it.
Beg pardon? Are you claiming these sites aren't having to comply with the GDPR? Or are you saying they aren't being *hurt* by the GDPR?
Because the goal of this legislation is not to *hurt* these sites. If they find compliance easy, GOOD!
I think you misunderstand the goal of this legislation, if you are claiming that internet giants are complying easily *and that's a bad thing.*
Re:
For smaller companies, they have to either go to huge expense to hire someone (be that internal staff or an external agency), remove themselves from part of their audience (which may also be expensive) or risk harmful fines for not being able to comply.
That's not the point of the legislation, but that's the reality of its effect. The big guys can both afford to comply *and* weather any damage that unintentional non-compliance can cause. Small companies may not be able to afford the legal advice to know whether they are complying, or need to in the first place.
Re: Re:
In your example case eventually the setting will be fixed, and privacy will be improved. That's what the ruling is for.
In other cases the same will happen, and eventually page providers will ask their software providers for app software with better default settings.
Or the other way round: Privacy sharks will have to admit their unholy deeds, allowing people to switch.
Re: