EU Commission Violates GDPR; Claims That It's Exempt From The Law For 'Legal Reasons'

from the uh-huh dept

Last week, we noted that the EU Parliament's website appeared not to be compliant with the GDPR. As we noted, this was pointed out in response to EU Commissioner Vera Jourova claiming that complying with the GDPR was so easy, that even she could do it. Now, a valid response to all of this would be to point out that the EU Parliament is different than the EU Commission or other parts of the EU government. But, now that we know the EU Parliament is not compliant, would it surprise you at all to find out that the European Commission is also not compliant with the GDPR. Apparently, while she was so busy claiming it was easy to comply with, Journova forgot to have the Commission itself comply.

Specifically, Jason Smith, at the website Indivigital, discovered that various places on the EU's websites were hosting spreadsheets with personal information on many people who had attended events, and were revealing that information without permission (the report also found various GDPR violations involving 3rd party cookies).

One of the spreadsheets appears to have been published by the European Food Safety Authority (EFSA) and logs personal data on 101 individuals who attended its “Scientific Colloquium Series” in November 2013.

The data includes last names, first names, email addresses, post codes, addresses, cities, telephone numbers, mobile phone numbers and fax numbers for the individuals listed in the document.

Some of the other publicly accessible spreadsheets containing personal data include:

  • A spreadsheet that contains an image with the text “Cultural Infodays 2009” and 437 rows of data, including names, email addresses and organizations. It appears to relate to an event that took place in 2009. Some of the people listed are employees of governmental bodies or universities while some are from non-profits or privately owned organizations. Many of the email addresses are also for governme...as whether they’ve confirmed they’ll be attending. Many of the email addresses are for governmental bodies however some are for non-governmental organizations; and
  • A spreadsheet that appears to be published by the European Commission that includes personal data on 63 individuals, including their names and email addresses. The email addresses consist largely of GMail addresses. A column in the spreadsheet is labelled “nature of involvement” and appears to contain short descriptions on the capabilities of each individual e.g. “skills in IT and social media,” “offers help to draft documents on WB RAA,” “experienced in project management,” etc.

The latter spreadsheet appears to relate to an event titled “Balkan Connexion,” which took place between the 3rd and 4th November 2016. According to the EU’s website, the event was attended by 90 participants, including students.

Okay. Already that's bad enough, but the EU Commission has proceeded to make this much, much worse. After dumping the GDPR on everyone else, insisting that it was easy to comply with, but then failing to comply itself... what do you think the EU Commission's response to all of this is?

It's to claim the GDPR does not apply to the EU Commission. I'm not kidding:

This leak would normally constitute a breach of the General Data Protection Regulation (GDPR) if other organisations had done it themselves.

However, a spokesman the commission said, based on “legal reasons”, European institutions are separate from the GDPR.

For "legal reasons." Uh huh.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: compliance, eu, eu commission, gdpr


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Gilly, 7 Jun 2018 @ 6:47am

    Usually I'd side against the GDPR, but...

    Ever heard of the man who invented the bronze bull? The story may be apocryphal, but the tale goes a Greek emperor invented a new method of torture: a hollow bronze bull, heated underneath by a fire to boil the prisoner inside. The story goes that when the emperor was overthrown, he himself was placed inside the bull he invented...

    link to this | view in thread ]

  2. identicon
    Anonymous Coward, 7 Jun 2018 @ 6:52am

    Just the facts

    The State is always exempt from the law. It is the entity that enforces it, any act by the state to show contrition is only for purchasing public opinion nothing more.

    The public still pays for the time and effort costs of the violation and the time and effort costs of any remediation or prosecution of persons in the event.

    They should just put Judge Dredd up on the Mic and just scream "I AM THE LAW!!!" Bonus points if they get the silly Stallone to do is instead of the much better acted Urban version.

    link to this | view in thread ]

  3. identicon
    Anonymous Coward, 7 Jun 2018 @ 7:33am

    Just because governments make the laws does not mean that they are bound by the laws, indeed that is one of the perks being in government, freedom from irksome laws.

    link to this | view in thread ]

  4. identicon
    Anonymous Coward, 7 Jun 2018 @ 7:36am

    One set of laws for you, another for me.

    As usual.

    link to this | view in thread ]

  5. icon
    That Anonymous Coward (profile), 7 Jun 2018 @ 7:51am

    "“legal reasons”, European institutions are separate from the GDPR."

    For 'legal reasons' we've decided to ignore your stupid ass law. If you can't live by the same rules you demand others follow, you must have mistaken yourselves for members of the American Congress. Protecting yourselves in a blanket way when citizens are already claiming billions in daily damages from others violating this rule might be a sign that its a bad rule.

    link to this | view in thread ]

  6. identicon
    Anonymous Coward, 7 Jun 2018 @ 8:34am

    the EU Commission, from what i understand, is supposed to maintain a balance between industries, corporations, companies and the people, with rights being established for the good of all. however, from what i have read, it is the biggest part of the EU that does nothing for anyone EXCEPT the industries, corporations, and companies! it is the most corrupt section of the EU and does the same as Hollywood, the MPAA, the RIAA and the rest of the entertainment industries as well as others and wants to take over everything while giving nothing, nothing, that is, except massive fines and prison sentences to ordinary people for doing the most basic of human actions, sharing!!

    link to this | view in thread ]

  7. identicon
    stine, 7 Jun 2018 @ 8:35am

    Huh, so their politicians are just like ours...

    Our legislators regulary exempt themselves from the legislation that they foist on the rest of us. I'm not really surprised by this. Disappointed, but not surprised.

    link to this | view in thread ]

  8. icon
    Paul (profile), 7 Jun 2018 @ 8:37am

    Not surprisng

    "Regulation for thee, not for me" is the motto of all politicians. Can't let the serfs be entitled to the same benefits as their lords. Otherwise they might start to believe they're equal.

    link to this | view in thread ]

  9. identicon
    ryuugami, 7 Jun 2018 @ 8:37am

    Re:

    when citizens are already claiming billions in daily damages

    Do you have a source for that? AFAIK, citizens can't claim a single cent. We can report websites for non-compliance, but only the government can sue, and any fines will go directly to the government.

    Suing private businesses for personal gain is pretty rare outside the US, as the legal frameworks tend to not support that kind of trolling.

    link to this | view in thread ]

  10. identicon
    Anonymous Coward, 7 Jun 2018 @ 8:55am

    Do as I say, not as I do.

    This is a sign of good leadership - lol.

    link to this | view in thread ]

  11. identicon
    Cicero Blackstone, 7 Jun 2018 @ 9:28am

    War on language, intelligence, ethics, etc., proceeding per plan

    See subject heading.

    link to this | view in thread ]

  12. icon
    pacanukeha (profile), 7 Jun 2018 @ 9:28am

    Legal reasons

    are the best reasons

    link to this | view in thread ]

  13. This comment has been flagged by the community. Click here to show it
    identicon
    Anonymous Coward, 7 Jun 2018 @ 10:05am

    NEW WAVE OF ZOMBIES! "pacanukeha" POPS UP after 33 month gap!

    FOUR WHOLE COMMENTS TOTAL!

    Heh, heh. You clowns CANNOT expect these ALL to be accepted as coincidence. You give me good ongoing mystery in simply the WHY of this blatant astro-turfing.

    link to this | view in thread ]

  14. This comment has been flagged by the community. Click here to show it
    identicon
    Anonymous Coward, 7 Jun 2018 @ 10:09am

    Re: War on language, intelligence, ethics, etc., proceeding per plan

    "Cicero Blackstone"! Oh, yeah, THAT'S a believable name to type in for a one-time use.

    I note also was in same minute as definite zombie "pacanukeha" account which is active again after 33 months. JUST coincidence, though, right? Couldn't both be for same purpose of inflating number of comments here, right?

    link to this | view in thread ]

  15. identicon
    Angry Dude, 7 Jun 2018 @ 10:13am

    Re: NEW WAVE OF ZOMBIES! "pacanukeha" POPS UP after 33 month gap!

    What's your problem?

    link to this | view in thread ]

  16. identicon
    Annonymouse, 7 Jun 2018 @ 10:22am

    Re: Re: NEW WAVE OF ZOMBIES! "pacanukeha" POPS UP after 33 month gap!

    He is Schilling for the latest Hollywood blockbuster any way he can.

    Something to do with OMFG ZOMBIES and fake people and and ..... I got nuttin.

    link to this | view in thread ]

  17. identicon
    Anonymous Coward, 7 Jun 2018 @ 10:40am

    Re: NEW WAVE OF ZOMBIES! "pacanukeha" POPS UP after 33 month gap!

    Your conspiracy, as always, is complete nonsense.

    link to this | view in thread ]

  18. identicon
    Anonymous Coward, 7 Jun 2018 @ 10:50am

    Re: Just the facts

    Bonus points if they get the silly Stallone to do is instead of the much better acted Urban version.

    I knew you'd say that.

    link to this | view in thread ]

  19. identicon
    Anonymous Coward, 7 Jun 2018 @ 11:31am

    Re: Re: Re:

    Not a well-written story... you need to scroll about halfway to see that this isn't a lawsuit, but a series of complaints to European data protection authorities. IOW, "report websites for non-compliance, but only the government can sue".

    link to this | view in thread ]

  20. identicon
    Namram, 7 Jun 2018 @ 12:44pm

    a little erratum

    the commissioner's name is Věra Jourová, without "n"

    link to this | view in thread ]

  21. icon
    That One Guy (profile), 7 Jun 2018 @ 1:46pm

    Re: Just the facts

    They should just put Judge Dredd up on the Mic and just scream "I AM THE LAW!!!" Bonus points if they get the silly Stallone to do is instead of the much better acted Urban version.

    The funny thing is what little I understand about the character leads me to believe that he would immediately turn around and shoot them, as he strikes me as someone who wouldn't care who was breaking it, just that they were.

    link to this | view in thread ]

  22. icon
    That One Guy (profile), 7 Jun 2018 @ 1:53pm

    How to destroy respect for a law in a single sentence

    This leak would normally constitute a breach of the General Data Protection Regulation (GDPR) if other organisations had done it themselves.

    However, a spokesman the commission said, based on “legal reasons”, European institutions are separate from the GDPR.

    Translation: 'We make the laws, we have no need to follow them as we are above them and unbound by them.'

    It was bad enough when the EU Parliament was found to be in violation of the very law they said was 'easy' to comply with, but the gross hypocrisy this time around ramps that up to 11 and utterly destroys any high ground they may have had on the matter.

    By admitting to be in violation and defending it by claiming that they are above the law they make it clear that they aren't in fact concerned with privacy of anyone but themselves, and they were merely using the issue for personal gain.

    link to this | view in thread ]

  23. icon
    That One Guy (profile), 7 Jun 2018 @ 1:53pm

    Now there's a list with no end...

    link to this | view in thread ]

  24. icon
    bongo houzi (profile), 7 Jun 2018 @ 2:01pm

    Re: NEW WAVE OF ZOMBIES! "pacanukeha" POPS UP after 33 month gap!

    i signed in to say, you're a douche.

    link to this | view in thread ]

  25. identicon
    Joel Coehoorn, 7 Jun 2018 @ 2:31pm

    Translation

    Translation: we're only interested in enforcing this against big American tech companies like Google, Facebook, Microsoft, Apple, and Amazon. "European Institutions" need not worry at all.

    link to this | view in thread ]

  26. identicon
    Anonymous Coward, 7 Jun 2018 @ 2:33pm

    Re: a little erratum

    This is TechDirt. Spelling errors in articles and sometimes even headlines is like a little mini-game built into the site. See if you can spot them all!

    link to this | view in thread ]

  27. identicon
    Anonymous Coward, 7 Jun 2018 @ 2:34pm

    Re:

    Read this in Samuel L Jackson's voice.

    link to this | view in thread ]

  28. identicon
    Anonymous Coward, 7 Jun 2018 @ 6:02pm

    Re:

    Here's a thought, blue.

    Maybe in your rabid glee of Shiva Ayyadurai demanding the destruction of this site, it got people interested enough to come back to see what the fuss was all about.

    Nice going, jackass.

    link to this | view in thread ]

  29. identicon
    Anonymous Coward, 7 Jun 2018 @ 10:36pm

    Positive this isn't a translation error of the "legal obligation" which is a "lawful basis" for under the GDPR?

    link to this | view in thread ]

  30. identicon
    Anonymous Coward, 8 Jun 2018 @ 6:34am

    Re: Re: Just the facts

    Nah.

    I mean, yeah, he'd totally subject them to the law's penalties (fines, imprisonment, etc.), but he wouldn't kill them unless that's what The Law stated the sentence should be.

    He has a fanatical devotion to The Law; he wouldn't go beyond the sentence it prescribes.

    link to this | view in thread ]

  31. identicon
    WeeLamm, 8 Jun 2018 @ 12:09pm

    Re: Just the facts

    Article 4, Definition 7.
    [‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;]

    Seems to suggest that the EU Commission is itself a Controller. In this way they would be publicly accountable to ensure that they followed their own guidelines.

    link to this | view in thread ]

  32. icon
    That One Guy (profile), 8 Jun 2018 @ 1:22pm

    Re: Re: Re: Just the facts

    Fair enough, my statement was a bit hyperbolic in general, even if the general idea was sound.

    link to this | view in thread ]

  33. identicon
    Anonymous Coward, 13 Jun 2018 @ 7:29pm

    "Do as I say, not as I do."

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.