EU Commission Violates GDPR; Claims That It's Exempt From The Law For 'Legal Reasons'
from the uh-huh dept
Last week, we noted that the EU Parliament's website appeared not to be compliant with the GDPR. As we noted, this was pointed out in response to EU Commissioner Vera Jourova claiming that complying with the GDPR was so easy that even she could do it. Now, a valid response to all of this would be to point out that the EU Parliament is different than the EU Commission or other parts of the EU government. But, now that we know the EU Parliament is not compliant, would it surprise you at all to find out that the European Commission is also not compliant with the GDPR? Apparently, while she was so busy claiming it was easy to comply with, Jourova forgot to have the Commission itself comply.
Specifically, Jason Smith, at the website Indivigital, discovered that various places on the EU's websites were hosting spreadsheets with personal information on many people who had attended events, and were revealing that information without permission (the report also found various GDPR violations involving 3rd party cookies).
One of the spreadsheets appears to have been published by the European Food Safety Authority (EFSA) and logs personal data on 101 individuals who attended its “Scientific Colloquium Series” in November 2013.
The data includes last names, first names, email addresses, post codes, addresses, cities, telephone numbers, mobile phone numbers and fax numbers for the individuals listed in the document.
Some of the other publicly accessible spreadsheets containing personal data include:
- A spreadsheet that contains an image with the text “Cultural Infodays 2009” and 437 rows of data, including names, email addresses and organizations. It appears to relate to an event that took place in 2009. Some of the people listed are employees of governmental bodies or universities while some are from non-profits or privately owned organizations. Many of the email addresses are also for governme...as whether they’ve confirmed they’ll be attending. Many of the email addresses are for governmental bodies however some are for non-governmental organizations; and
- A spreadsheet that appears to be published by the European Commission that includes personal data on 63 individuals, including their names and email addresses. The email addresses consist largely of GMail addresses. A column in the spreadsheet is labelled “nature of involvement” and appears to contain short descriptions on the capabilities of each individual e.g. “skills in IT and social media,” “offers help to draft documents on WB RAA,” “experienced in project management,” etc.
The latter spreadsheet appears to relate to an event titled “Balkan Connexion,” which took place between the 3rd and 4th November 2016. According to the EU’s website, the event was attended by 90 participants, including students.
Okay. Already that's bad enough, but the EU Commission has proceeded to make this much, much worse. After dumping the GDPR on everyone else, insisting that it was easy to comply with, but then failing to comply itself... what do you think the EU Commission's response to all of this is?
It's to claim the GDPR does not apply to the EU Commission. I'm not kidding:
This leak would normally constitute a breach of the General Data Protection Regulation (GDPR) if other organisations had done it themselves.
However, a spokesman the commission said, based on “legal reasons”, European institutions are separate from the GDPR.
For "legal reasons." Uh huh.
Filed Under: compliance, eu, eu commission, gdpr
Reader Comments
Usually I'd side against the GDPR, but...
[ link to this | view in chronology ]
Just the facts
The public still pays for the time and effort costs of the violation and the time and effort costs of any remediation or prosecution of persons in the event.
They should just put Judge Dredd up on the Mic and just scream "I AM THE LAW!!!" Bonus points if they get the silly Stallone to do it instead of the much better acted Urban version.
[ link to this | view in chronology ]
Re: Just the facts
I knew you'd say that.
[ link to this | view in chronology ]
Re: Just the facts
They should just put Judge Dredd up on the Mic and just scream "I AM THE LAW!!!" Bonus points if they get the silly Stallone to do it instead of the much better acted Urban version.
The funny thing is what little I understand about the character leads me to believe that he would immediately turn around and shoot them, as he strikes me as someone who wouldn't care who was breaking it, just that they were.
[ link to this | view in chronology ]
Re: Re: Just the facts
Nah.
I mean, yeah, he'd totally subject them to the law's penalties (fines, imprisonment, etc.), but he wouldn't kill them unless that's what The Law stated the sentence should be.
He has a fanatical devotion to The Law; he wouldn't go beyond the sentence it prescribes.
[ link to this | view in chronology ]
Re: Re: Re: Just the facts
[ link to this | view in chronology ]
Re: Just the facts
[‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;]
Seems to suggest that the EU Commission is itself a Controller. In this way they would be publicly accountable to ensure that they followed their own guidelines.
[ link to this | view in chronology ]
One set of laws for you, another for me.
[ link to this | view in chronology ]
For 'legal reasons' we've decided to ignore your stupid ass law. If you can't live by the same rules you demand others follow, you must have mistaken yourselves for members of the American Congress. Protecting yourselves in a blanket way when citizens are already claiming billions in daily damages from others violating this rule might be a sign that it's a bad rule.
[ link to this | view in chronology ]
Re:
Do you have a source for that? AFAIK, citizens can't claim a single cent. We can report websites for non-compliance, but only the government can sue, and any fines will go directly to the government.
Suing private businesses for personal gain is pretty rare outside the US, as the legal frameworks tend to not support that kind of trolling.
[ link to this | view in chronology ]
Re: Re:
https://www.irishtimes.com/business/technology/max-schrems-files-first-cases-under-gdpr-against-facebook-and-google-1.3508177
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Huh, so their politicians are just like ours...
[ link to this | view in chronology ]
Not surprising
[ link to this | view in chronology ]
This is a sign of good leadership - lol.
[ link to this | view in chronology ]
War on language, intelligence, ethics, etc., proceeding per plan
[ link to this | view in chronology ]
Re: War on language, intelligence, ethics, etc., proceeding per plan
I note also was in same minute as definite zombie "pacanukeha" account which is active again after 33 months. JUST coincidence, though, right? Couldn't both be for same purpose of inflating number of comments here, right?
[ link to this | view in chronology ]
Legal reasons
[ link to this | view in chronology ]
NEW WAVE OF ZOMBIES! "pacanukeha" POPS UP after 33 month gap!
Heh, heh. You clowns CANNOT expect these ALL to be accepted as coincidence. You give me good ongoing mystery in simply the WHY of this blatant astro-turfing.
[ link to this | view in chronology ]
Re: NEW WAVE OF ZOMBIES! "pacanukeha" POPS UP after 33 month gap!
[ link to this | view in chronology ]
Re: Re: NEW WAVE OF ZOMBIES! "pacanukeha" POPS UP after 33 month gap!
Something to do with OMFG ZOMBIES and fake people and and ..... I got nuttin.
[ link to this | view in chronology ]
Now there's a list with no end...
[ link to this | view in chronology ]
Re: NEW WAVE OF ZOMBIES! "pacanukeha" POPS UP after 33 month gap!
[ link to this | view in chronology ]
Re: NEW WAVE OF ZOMBIES! "pacanukeha" POPS UP after 33 month gap!
[ link to this | view in chronology ]
Re:
Maybe in your rabid glee of Shiva Ayyadurai demanding the destruction of this site, it got people interested enough to come back to see what the fuss was all about.
Nice going, jackass.
[ link to this | view in chronology ]
a little erratum
[ link to this | view in chronology ]
Re: a little erratum
[ link to this | view in chronology ]
How to destroy respect for a law in a single sentence
This leak would normally constitute a breach of the General Data Protection Regulation (GDPR) if other organisations had done it themselves.
However, a spokesman the commission said, based on “legal reasons”, European institutions are separate from the GDPR.
Translation: 'We make the laws, we have no need to follow them as we are above them and unbound by them.'
It was bad enough when the EU Parliament was found to be in violation of the very law they said was 'easy' to comply with, but the gross hypocrisy this time around ramps that up to 11 and utterly destroys any high ground they may have had on the matter.
By admitting to be in violation and defending it by claiming that they are above the law they make it clear that they aren't in fact concerned with privacy of anyone but themselves, and they were merely using the issue for personal gain.
[ link to this | view in chronology ]
Translation
[ link to this | view in chronology ]