EU Parliament's Own Website Violates The GDPR
from the whoopsy dept
We’ve been pointing out for a while that, however well-intentioned the GDPR may be, and however important the general concept of protecting user’s private data is, that still doesn’t make the GDPR any less ridiculous. Indeed, we’ve pointed out that the setup of the GDPR is such that it’s becoming a regulatory nightmare because the compliance costs are high, and the setup of the rules are so vague that the liability risk remains high. I know that some people keep insisting that the requirements to be compliant aren’t actually that difficult. Indeed, EU Commissioner Vera Journova recently claimed that complying with the GDPR was so easy that even she could do it.
Upon hearing that, software engineer Matthias Gliwka wondered if the EU was actually complying with its own “so easy” GDPR rules. Turns out, not so much. As Gilwka noted, the EU Parliament’s own website appears to violate the GDPR.
It took me less than five minutes to spot a violation: on the website of the EU Parliament Google Analytics is being used to track the visitors without the neccesary anonymizeIP flag, which in turn causes Google to store the complete IP address without anonymizing the last octet. You can take a look for yourself by checking the source code of this page (archived version in case it gets fixed in the meantime).
This is a violation of the GDPR, since the personal data (IP address) in conjunction with analytics data is being stored on Google?s servers without consent or any other legal basis.
Oops. This, of course, is not to mock the EU Parliament for screwing up, but rather to highlight the fact that when politicians and regulators insist that certain regulations are “easy” to comply with, they often have no idea what they’re talking about — and the GDPR is a case in point. Over the past couple months, nearly every startup company I’ve spoken to has discussed the GDPR, and for nearly every single one they have no idea if they’re actually in compliance. Many have spent ridiculous sums on lawyers and self-described GDPR experts, but still are working almost entirely blind on how the GDPR will play out in practice.
That is not a good recipe for innovation. Nor, frankly, is it a good recipe for protecting your data. No matter how much you think that the GDPR means that websites will better protect your data, it is not particularly helpful when complying with the rules is both expensive and unclear. That the EU Parliament’s own website couldn’t figure this out is just a shining example of why the GDPR is such a problem.
Related to that, the fallout from the GDPR is already being felt — and it’s not being felt by Google and Facebook and the other internet giants that everyone celebrating the GDPR often point to. Instead, it’s hitting smaller sites really, really hard. Google and Facebook are fine. They can handle the GDPR. Everyone else is freaked out.
Filed Under: eu, eu parliament, gdpr, regulations, tracking, vera journova
Comments on “EU Parliament's Own Website Violates The GDPR”
No, Madnick, problem is GOOGLE! Is NO need for it to be everywhere!
Storing ALL that it can, forever.
"innovation" is not an end in itself. Google is innovating at SPYING, yes.
It’s monetizing the privacy of “natural” persons. Just as Nazis monetized the death of millions. Evil goals cause evil innovation.
Re: "innovation" is not an end in itself. Google is innovating at SPYING, yes.
While it’s conceivable that nazi concentration camps could have been turned into profitable slaughterhouse operations converting human bodies into numerous value-added products, from leather to soap to Braunschweiger, such stories, despite being spread far and wide, were simply not true.
https://www.ihr.org/leaflets/soap.shtml
Re: Second comment and you went full Godwin. Never go full Godwin.
Krap Legislation
Bad rules don’t fix much of anything. It’s kinda strange how some are pushing this thru to “punish” Google when the opposite is true.
Re: Krap Legislation
Give the GDPR a read. It wasn’t written to “punish Google” even if there are camps who would try to use it for that.
Masking one octet is a pathetic excuse for "anonymization"
Legally, discarding the last octet might satisfy the anonymization requirement. Practically, that is generally insufficient. If the law says discarding one octet is sufficient, then that is yet another way in which the law is badly written.
Re: Masking one octet is a pathetic excuse for "anonymization"
IP addresses have been demonstrably shown time and time again to not map to a natural person anyway, so why on earth are they even included in the GDPR definition of ‘personal data’.
Yes, it’s a badly written law, written by people who don’t have a technical bone in their or their staff members’ bodies.
(Mind you, of course, if we let ‘technical people’ write the technical legislation, we’d all be screaming about regulatory capture)
Re: Re: Masking one octet is a pathetic excuse for "anonymization"
It’s a reasonably good law, well worth reading, but they screwed up in a few places. The IP address thing is one of them. A bigger issue is the lack of real exemptions for micro-companies.
Not a good example
Google Analytics is perhaps the prototypical example of user-tracking. This is not something that just appears on a website without the owner’s involvement; they made the conscious decision to track their users, and did not turn on the option to track them in a slightly less identifiable way.
In this instance, compliance actually is easy: don’t add a user-tracking service to your site.
Re: Not a good example
But, but, how will the GDPR know how to better market itself in the world?
Sadly, as far as I could grasp there is a lot of good and some of the bad is actually goodwill gone bad. Companies abused their free reign so much that now we are swinging towards the other extreme. I do hope the GDPR is revised as soon as possible to polish what’s good and rebuild what’s bad but I generally think that some regulation is going to be needed. The industry can’t help screwing things up.
What's that saying about glass houses...?
This, of course, is not to mock the EU Parliament for screwing up, but rather to highlight the fact that when politicians and regulators insist that certain regulations are "easy" to comply with, they often have no idea what they’re talking about — and the GDPR is a case in point.
No, I do believe they’re due for some hefty mockery here. As people have pointed out these changes have been in the pipes for two years, and yet during that time the very ones pushing it couldn’t be bothered to check if they themselves were in compliance with their own rules?
If nothing else this provides perfect cover for any companies/sites who are still working on getting ‘compliant’. If the EU Parliament couldn’t be bothered, then it’s rather hard to blame others for not getting on it ahead of time.
Re: What's that saying about glass houses...?
No, it might provide some "whataboutery" but it won’t shield anyone from their own compliance.
Re: Re: What's that saying about glass houses...?
I didn’t mean to imply it would be a good excuse, merely that it would be an easily used one.
‘They didn’t care enough to check and they wrote the rules, why are you going after us for not being 100% compliant right out the gates if even they couldn’t be bothered?’
Re: What's that saying about glass houses...?
“Never through garden furniture at one whilst drunk” Or maybe that’s just for me.
Re: What's that saying about glass houses...?
“during that time the very ones pushing it couldn’t be bothered to check if they themselves were in compliance with their own rules?”
You make the mistake of assuming that those responsible in both areas were the same people. The people making the rules will not have been implementing them – that job will be done by people who were more than likely telling why things were a bad idea in the first place. If a hammer falls, it will be on the poor admin who was ordered to achieve what he was warned was impossible, not the politician who demanded it be done anyway.
From the digiday article: “Revenues and [ad demand] volumes [are] expected to fall dramatically across the board,” said one publishing executive, under condition of anonymity.
Is this really a bad thing? Less ads? I see that as a win. The internet was and should still be ad free!
Re: Re:
Except that running, owning, and hosting a website is not free. I support some advertising. But the crap pile that was allowed to proliferate on the web as we see today is th3 reason I use an ad-blocker.
Re: Re: Re:
While they don’t have “web site” hosting per se, archive.org will host files (even huge, popular ones) for free, and they don’t track their users.
Re: Re: Re:
But to force ads, specially the horrible ones, onto your users just so you can have your little space on the internet?
I remember what it was like the first times I was online. Somewhere around 1993. I cant remember seeing a single ad and yet there were more sites to visit and spend time on than I had free. I would never have seen it all.
Hosting a site at someone elses expense was not even thought of. It was a place to share your ideas, your creations. Then the business man got a hold of it….
Re: Re: Re: Re:
True it got worse with time but there was always some source of money to fund the website. Could be ads, donations, Subscription, self-funded, or backed by some other entity. I’m sure there are others but you
You can also show ads without tracking or annoying visitors.
Re: Re: Re:2 Re:
"Without annoying" is difficult. But if we look back to the early days of targeted advertising, we know it can be done without tracking. There’s one piece of information that’s powerful on its own: the page on which the ad appears. Originally, Google would show an ad based on your search term. Techdirt’s recent boardgame campaign worked because it was shown to users of this site and relates to things the site talks about (FOIA, spying), so we can assume some people reading TD will be interested.
Re: Re: Re: Re:
1993?
What, when there were only a few thousand actual internet users? And many of the “sites” were actually used for other things than just serving pages? And/or they were affiliated with universities.
Mosaic, the first “graphical” browser came out in 1993, and for quite awhile very few sites had actual WWW (web) server capabilities. Lynx & Gopher didn’t provide any kind of advertisement capabilities that I recall.
Once the actual Mosaic & Netscape WWW browser capability starting taking off, and people started getting on the internet, commercial investment started coming along. This investment actually helped grow the internet into the massive, ubiquitous state it maintains today. AOL, Yahoo, MSN, and others actually did have advertisements, and they were “the internet” for most people back in the mid-1990s or so. (AOL and Compuserv actually existed before the web).
Re: Re:
I am surprised we haven’t heard more from the online news organizations in the EU. Or are they expecting Google to make up for additional loss of ad revenue?
but, like all countries and all govts, that doesn’t matter! the only thing that matters is to make doubly sure that the ordinary citizens are stopped by any and all means necessary from being able to stand up for themselves, able to learn about what these fuckers are up to and never again able to defend themselves against the tyranny of those who are doing everything possible to enslave the human race!!
I’m no expert, but it sounds like it will need to go to the European Court of Justice, where it will be confirmed to be more or less what people think it is, a nuke on the targeted ad revenue model (surveillance capitalism).
This was always going to happen. The data harvesting free-for-all that the big players depend on is in flagrant violation of basic human rights principles.
The Europeans will not back down on this. Rather than futily drawing it out for years these companies should “innovate” and move to one of their other revenue options.
It collecting personal data is essential for providing a service that people actually value then they will happily opt in to it.
Re: Re:
archive.org is “free” in that it is supported by donations. Are you proposing that all commercial content providers follow the same model?
Re: Re: Re:
Sorry, replied to the wrong post.
Re: Re: Re:
It’s just an example showing hosting does not require tracking, and people posting their own media have choices other than Youtube etc.
Their FAQ says it costs them about 2.00 USD/GB to store data forever. They’re not going to object to the EU Parliament posting laws, minutes, etc. there, with or without a donation. An individual could easily get their fans to donate enough to cover those costs, without any intrusive PBS-style fund drive.
Re: Re: Re: Re:
without any intrusive PBS-style fund drive.
Not sure about this one. Wikipedia, at least, appears to require this kind of fundraising, and it is funded largely by individuals, in contrast to archive.org which is mostly funded by much larger institutions.
Re: Re:
Call me a little daft or even a bit uninformed, but please explain to me your statement of “The data harvesting free-for-all that the big players depend on is in flagrant violation of basic human rights principles.”
I’m just not sure what you mean because that is a very bold statement but you don’t explain it or back it up in any way.
…So, does that mean that the EU lost 4% of its Gross Revenue in fines to itself?
NOPE
Is it perfect? Hell no. But I’ll take it ANY TIME over the traditional alternative of “hahaha, let me mop the floor with you precious ‘personal data’, snowflake…”
The problem, then, is not so much the EU Website
as the EU website using a 3rd party for it’s analytics.
Podcast suggestion
Hi,
Living in Europe, and having a serious amount of skepticism regarding the motives of the EU Commission and the EU Council, I’m still more of a fan of the GDPR than not.
However, I don’t know everything, and I work only tangentially with matters relating to data protection.
I would love to hear a discussion or debate on the Techdirt podcast, say, regarding the GDPR between Mike or Cathy and someone from the east of the Atlantic. My personal recommendations would be someone like Simon McGarr (@tupp_ed on Twitter) or T.J. McIntyre of Digital Rights Ireland (@tjmcintyre), both of whom were involved in the Schrems case that took down Safe Harbour.
Other people I would trust to give an informed, EU-based, perspective on GDPR would be Rowenna Fielding (@MissIG_Geek), Sarah Clarke (@trialbytruth), Pat Walshe (@PrivacyMatters) or Daragh O Brien (@CBridge_Chief).
I would expect all of these to have considered analyses on the concerns that Mike and others have with GDPR (I don’t like the RTBF portion of it, either!), and would give alternative perspectives. It would be excellent to hear it covered in one of the podcasts.
Éibhear
It says it doesn't comply, on the legal page ¯_(ツ)_/¯
Do you mean this site?
https://europa.eu/european-union/abouteuropa/legal_notices_en
If so, it’s totally obvious that it doesn’t comply with the GDPR. It even says so in plain text…
The policy on “protection of individuals with regard to the processing of personal data by the Community institutions” is based currently on Regulation (EC) N° 45/2001 of the European Parliament and of the Council of 18 December 2000 (and not on the “GDPR” Regulation 2016/679 that repeals the Directive 95/46/EC). The new version of Regulation 45/2001 is currently being adopted. The legal notices on Europa will be updated in accordance with the new version.
Why is this so difficult for Techdirt to understand. Complying with GDPR isn’t all that hard.
“Indeed, EU Commissioner Vera Journova recently claimed that complying with the GDPR was so easy that even she could do it.”
See? Even Vera can do it.
She didn’t say she does do it, just that she could do it.
“Related to that, the fallout from the GDPR is already being felt — and it’s not being felt by Google and Facebook and the other internet giants that everyone celebrating the GDPR often point to. “
Beg pardon? Are you claiming these sites aren’t having to comply with the GDPR? Or are you saying they aren’t being *hurt* by the GDPR?
Because the goal of this legislation is not to *hurt* these sites. If they find compliance easy, GOOD!
I think you misunderstand the goal of this legislation, if you are claiming that internet giants are complying easily *and that’s a bad thing.*
Re: Re:
I think you misunderstand the point. Large companies can afford to employ someone, or even teams of people to ensure compliance. In fact, they most likely have such teams already for every part of the their global operations and this was just a bit of extra work for those already involved.
For smaller companies, they have to either go to huge expense to hire someone (be that internal staff or an external agency), remove themselves from part of their audience (which may also be expensive) or risk harmful fines for not being able to comply.
That’s not the point of the legislation, but that’s the reality of its effect. The big guys can both afford to comply and weather any damage that unintentional non-compliance can cause. Small companies may not be able to afford the legal advice to know whether they are complying, or need to in the first place.
Re: Re: Re:
Still means that big companies are complying with legislation designed to protect personal privacy. I consider that a good thing; there could be more done to assist small companies with their compliance, but it sounds like the regulation is still hitting the big guys (the ones who do the lion’s share of data harvesting) in exactly the way it was intended.
I think you don’t see fully clear in this case:
In your example case eventually the setting will be fixed, and privacy will be improved. That’s what the ruling is for.
In other cases the same will happen, and eventually page providers will ask their software providers for app software with better default settings.
Or the other way round: Privacy sharks will have to admit their unholy deeds, allowing people to switch.
Re: Re:
… maybe I should have refreshed the page, before adding my comment, the comment looks a bit duplicated now …
My please peace fact false flryt taxie s cars ride gono’s bill James ride bus ten pm Cox Johnston ham saids right noting flryt car taxie shopping ride some come home ten pm lighter prigram pligram program rhd Patterson fact Tatia Rocchio presnident trump Donald’s fact false Trudeau center bill taxes