EU Parliament's Own Website Violates The GDPR

from the whoopsy dept

We’ve been pointing out for a while that however well-intentioned the GDPR may be, and however important the general concept of protecting users’ private data is, none of that makes the GDPR any less ridiculous. Indeed, we’ve pointed out that the GDPR is becoming a regulatory nightmare because the compliance costs are high, and the rules are so vague that the liability risk remains high. I know that some people keep insisting that the requirements to be compliant aren’t actually that difficult. Indeed, EU Commissioner Věra Jourová recently claimed that complying with the GDPR was so easy that even she could do it.

Upon hearing that, software engineer Matthias Gliwka wondered if the EU was actually complying with its own “so easy” GDPR rules. Turns out, not so much. As Gliwka noted, the EU Parliament’s own website appears to violate the GDPR.

It took me less than five minutes to spot a violation: on the website of the EU Parliament Google Analytics is being used to track the visitors without the necessary anonymizeIP flag, which in turn causes Google to store the complete IP address without anonymizing the last octet. You can take a look for yourself by checking the source code of this page (archived version in case it gets fixed in the meantime).

This is a violation of the GDPR, since the personal data (IP address) in conjunction with analytics data is being stored on Google’s servers without consent or any other legal basis.
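The source-code check Gliwka describes can be automated for a site's own pages. The following is an added example, not code from the original post or from Gliwka: it looks for a Google Analytics loader and for the anonymization flag in the forms used by the ga.js, analytics.js and gtag.js snippets, and shows the last-octet masking the flag requests. The function names and sample pages are constructed for illustration.

```javascript
// Added example: audit page source for Google Analytics without IP anonymization.
// Loader URLs for the ga.js, analytics.js and gtag.js snippet styles.
const GA_LOADERS = [
  /google-analytics\.com\/(?:ga|analytics)\.js/i,
  /googletagmanager\.com\/gtag\/js/i,
];
// Ways each snippet style switches IP anonymization on.
const ANONYMIZE_FLAGS = [
  /_gaq\.push\(\s*\[\s*['"]_gat\._anonymizeIp['"]\s*\]\s*\)/, // ga.js
  /ga\(\s*['"]set['"]\s*,\s*['"]anonymizeIp['"]\s*,\s*true\s*\)/, // analytics.js
  /['"]?(?:anonymizeIp|anonymize_ip)['"]?\s*:\s*true/, // field object (analytics.js, gtag.js)
];

function auditAnalytics(html) {
  // Drop JS line comments so a commented-out flag is not counted as enabled.
  // URLs survive: their "//" follows ":" or a quote, not whitespace or line start.
  const source = html.replace(/(^|\s)\/\/.*$/gm, '$1');
  if (!GA_LOADERS.some((re) => re.test(source))) return { status: 'no-ga' };
  const anonymized = ANONYMIZE_FLAGS.some((re) => re.test(source));
  return { status: anonymized ? 'anonymized' : 'full-ip' };
}

// What the flag asks for on IPv4: the last octet is zeroed before storage.
function maskLastOctet(ipv4) {
  const parts = ipv4.split('.');
  const valid = parts.length === 4 &&
    parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  if (!valid) throw new TypeError(`not an IPv4 address: ${ipv4}`);
  parts[3] = '0';
  return parts.join('.');
}

// Constructed sample pages (UA-XXXXX-Y is a placeholder property ID).
const LOADER =
  '<script async src="https://www.google-analytics.com/analytics.js"></script>';
const SAMPLE_NO_FLAG = `${LOADER}
<script>
ga('create', 'UA-XXXXX-Y', 'auto');
// ga('set', 'anonymizeIp', true);
ga('send', 'pageview');
</script>`;
const SAMPLE_WITH_FLAG = SAMPLE_NO_FLAG.replace("// ga('set'", "ga('set'");

console.log(auditAnalytics(SAMPLE_NO_FLAG).status);   // flag only present as a comment
console.log(auditAnalytics(SAMPLE_WITH_FLAG).status); // flag actually set
console.log(maskLastOctet('203.0.113.77'));           // documentation-range address
```

The check is static: a flag set by a tag manager or by script loaded at run time will not appear in the page source, so a `full-ip` result is a prompt to look at the live requests rather than a final verdict.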

Oops. This, of course, is not to mock the EU Parliament for screwing up, but rather to highlight the fact that when politicians and regulators insist that certain regulations are “easy” to comply with, they often have no idea what they’re talking about — and the GDPR is a case in point. Over the past couple months, nearly every startup company I’ve spoken to has discussed the GDPR, and for nearly every single one they have no idea if they’re actually in compliance. Many have spent ridiculous sums on lawyers and self-described GDPR experts, but still are working almost entirely blind on how the GDPR will play out in practice.

That is not a good recipe for innovation. Nor, frankly, is it a good recipe for protecting your data. No matter how much you think that the GDPR means that websites will better protect your data, it is not particularly helpful when complying with the rules is both expensive and unclear. That the EU Parliament’s own website couldn’t figure this out is just a shining example of why the GDPR is such a problem.

Related to that, the fallout from the GDPR is already being felt — and it’s not being felt by Google and Facebook and the other internet giants that everyone celebrating the GDPR often points to. Instead, it’s hitting smaller sites really, really hard. Google and Facebook are fine. They can handle the GDPR. Everyone else is freaked out.


Comments on “EU Parliament's Own Website Violates The GDPR”

Anonymous Coward says:

Re: "innovation" is not an end in itself. Google is innovating at SPYING, yes.

"Nazis monetized the death of millions"

While it’s conceivable that nazi concentration camps could have been turned into profitable slaughterhouse operations converting human bodies into numerous value-added products, from leather to soap to Braunschweiger, such stories, despite being spread far and wide, were simply not true.

Anonymous Coward says:

Masking one octet is a pathetic excuse for "anonymization"

Legally, discarding the last octet might satisfy the anonymization requirement. Practically, that is generally insufficient. If the law says discarding one octet is sufficient, then that is yet another way in which the law is badly written.

Ben (profile) says:

Re: Masking one octet is a pathetic excuse for "anonymization"

IP addresses have been demonstrably shown time and time again to not map to a natural person anyway, so why on earth are they even included in the GDPR definition of ‘personal data’.
Yes, it’s a badly written law, written by people who don’t have a technical bone in their or their staff members’ bodies.
(Mind you, of course, if we let ‘technical people’ write the technical legislation, we’d all be screaming about regulatory capture)

Anonymous Coward says:

Not a good example

when politicians and regulators insist that certain regulations are "easy" to comply with, they often have no idea what they’re talking about

Google Analytics is perhaps the prototypical example of user-tracking. This is not something that just appears on a website without the owner’s involvement; they made the conscious decision to track their users, and did not turn on the option to track them in a slightly less identifiable way.

In this instance, compliance actually is easy: don’t add a user-tracking service to your site.

Ninja (profile) says:

Sadly, as far as I could grasp there is a lot of good and some of the bad is actually goodwill gone bad. Companies abused their free rein so much that now we are swinging towards the other extreme. I do hope the GDPR is revised as soon as possible to polish what’s good and rebuild what’s bad but I generally think that some regulation is going to be needed. The industry can’t help screwing things up.

That One Guy (profile) says:

What's that saying about glass houses...?

This, of course, is not to mock the EU Parliament for screwing up, but rather to highlight the fact that when politicians and regulators insist that certain regulations are "easy" to comply with, they often have no idea what they’re talking about — and the GDPR is a case in point.

No, I do believe they’re due for some hefty mockery here. As people have pointed out these changes have been in the pipes for two years, and yet during that time the very ones pushing it couldn’t be bothered to check if they themselves were in compliance with their own rules?

If nothing else this provides perfect cover for any companies/sites who are still working on getting ‘compliant’. If the EU Parliament couldn’t be bothered, then it’s rather hard to blame others for not getting on it ahead of time.

PaulT (profile) says:

Re: What's that saying about glass houses...?

“during that time the very ones pushing it couldn’t be bothered to check if they themselves were in compliance with their own rules?”

You make the mistake of assuming that those responsible in both areas were the same people. The people making the rules will not have been implementing them – that job will be done by people who were more than likely telling why things were a bad idea in the first place. If a hammer falls, it will be on the poor admin who was ordered to achieve what he was warned was impossible, not the politician who demanded it be done anyway.

Anonymous Coward says:

Re: Re: Re:

But to force ads, specially the horrible ones, onto your users just so you can have your little space on the internet?

I remember what it was like the first times I was online. Somewhere around 1993. I can’t remember seeing a single ad and yet there were more sites to visit and spend time on than I had free. I would never have seen it all.

Hosting a site at someone else’s expense was not even thought of. It was a place to share your ideas, your creations. Then the business man got a hold of it….

Anonymous Coward says:

Re: Re: Re:2 Re:

You can also show ads without tracking or annoying visitors.

"Without annoying" is difficult. But if we look back to the early days of targeted advertising, we know it can be done without tracking. There’s one piece of information that’s powerful on its own: the page on which the ad appears. Originally, Google would show an ad based on your search term. Techdirt’s recent boardgame campaign worked because it was shown to users of this site and relates to things the site talks about (FOIA, spying), so we can assume some people reading TD will be interested.

Anonymous Coward says:

Re: Re: Re: Re:


What, when there were only a few thousand actual internet users? And many of the “sites” were actually used for other things than just serving pages? And/or they were affiliated with universities.

Mosaic, the first “graphical” browser came out in 1993, and for quite awhile very few sites had actual WWW (web) server capabilities. Lynx & Gopher didn’t provide any kind of advertisement capabilities that I recall.

Once the actual Mosaic & Netscape WWW browser capability started taking off, and people started getting on the internet, commercial investment started coming along. This investment actually helped grow the internet into the massive, ubiquitous state it maintains today. AOL, Yahoo, MSN, and others actually did have advertisements, and they were “the internet” for most people back in the mid-1990s or so. (AOL and CompuServe actually existed before the web).

Anonymous Coward says:

but, like all countries and all govts, that doesn’t matter! the only thing that matters is to make doubly sure that the ordinary citizens are stopped by any and all means necessary from being able to stand up for themselves, able to learn about what these fuckers are up to and never again able to defend themselves against the tyranny of those who are doing everything possible to enslave the human race!!

Anonymous Coward says:

I’m no expert, but it sounds like it will need to go to the European Court of Justice, where it will be confirmed to be more or less what people think it is, a nuke on the targeted ad revenue model (surveillance capitalism).

This was always going to happen. The data harvesting free-for-all that the big players depend on is in flagrant violation of basic human rights principles.

The Europeans will not back down on this. Rather than futilely drawing it out for years these companies should “innovate” and move to one of their other revenue options.

If collecting personal data is essential for providing a service that people actually value then they will happily opt in to it.

Anonymous Coward says:

Re: Re: Re:

It’s just an example showing hosting does not require tracking, and people posting their own media have choices other than Youtube etc.

Their FAQ says it costs them about 2.00 USD/GB to store data forever. They’re not going to object to the EU Parliament posting laws, minutes, etc. there, with or without a donation. An individual could easily get their fans to donate enough to cover those costs, without any intrusive PBS-style fund drive.

TripMN (profile) says:

Re: Re:

Call me a little daft or even a bit uninformed, but please explain to me your statement of “The data harvesting free-for-all that the big players depend on is in flagrant violation of basic human rights principles.”

I’m just not sure what you mean because that is a very bold statement but you don’t explain it or back it up in any way.

Éibhear (profile) says:

Podcast suggestion


Living in Europe, and having a serious amount of skepticism regarding the motives of the EU Commission and the EU Council, I’m still more of a fan of the GDPR than not.

However, I don’t know everything, and I work only tangentially with matters relating to data protection.

I would love to hear a discussion or debate on the Techdirt podcast, say, regarding the GDPR between Mike or Cathy and someone from the east of the Atlantic. My personal recommendations would be someone like Simon McGarr (@tupp_ed on Twitter) or T.J. McIntyre of Digital Rights Ireland (@tjmcintyre), both of whom were involved in the Schrems case that took down Safe Harbour.

Other people I would trust to give an informed, EU-based, perspective on GDPR would be Rowenna Fielding (@MissIG_Geek), Sarah Clarke (@trialbytruth), Pat Walshe (@PrivacyMatters) or Daragh O Brien (@CBridge_Chief).

I would expect all of these to have considered analyses on the concerns that Mike and others have with GDPR (I don’t like the RTBF portion of it, either!), and would give alternative perspectives. It would be excellent to hear it covered in one of the podcasts.


Pete Austin says:

It says it doesn't comply, on the legal page ¯_(ツ)_/¯

Do you mean this site?

If so, it’s totally obvious that it doesn’t comply with the GDPR. It even says so in plain text…

The policy on “protection of individuals with regard to the processing of personal data by the Community institutions” is based currently on Regulation (EC) N° 45/2001 of the European Parliament and of the Council of 18 December 2000 (and not on the “GDPR” Regulation 2016/679 that repeals the Directive 95/46/EC). The new version of Regulation 45/2001 is currently being adopted. The legal notices on Europa will be updated in accordance with the new version.

Will B. says:

“Related to that, the fallout from the GDPR is already being felt — and it’s not being felt by Google and Facebook and the other internet giants that everyone celebrating the GDPR often point to. “

Beg pardon? Are you claiming these sites aren’t having to comply with the GDPR? Or are you saying they aren’t being *hurt* by the GDPR?

Because the goal of this legislation is not to *hurt* these sites. If they find compliance easy, GOOD!

I think you misunderstand the goal of this legislation, if you are claiming that internet giants are complying easily *and that’s a bad thing.*

PaulT (profile) says:

Re: Re:

I think you misunderstand the point. Large companies can afford to employ someone, or even teams of people to ensure compliance. In fact, they most likely have such teams already for every part of their global operations and this was just a bit of extra work for those already involved.

For smaller companies, they have to either go to huge expense to hire someone (be that internal staff or an external agency), remove themselves from part of their audience (which may also be expensive) or risk harmful fines for not being able to comply.

That’s not the point of the legislation, but that’s the reality of its effect. The big guys can both afford to comply and weather any damage that unintentional non-compliance can cause. Small companies may not be able to afford the legal advice to know whether they are complying, or need to in the first place.

Will B. says:

Re: Re: Re:

Still means that big companies are complying with legislation designed to protect personal privacy. I consider that a good thing; there could be more done to assist small companies with their compliance, but it sounds like the regulation is still hitting the big guys (the ones who do the lion’s share of data harvesting) in exactly the way it was intended.

The T says:

I think you don’t see fully clear in this case:

In your example case eventually the setting will be fixed, and privacy will be improved. That’s what the ruling is for.

In other cases the same will happen, and eventually page providers will ask their software providers for app software with better default settings.

Or the other way round: Privacy sharks will have to admit their unholy deeds, allowing people to switch.
