EU Commission Violates GDPR; Claims That It's Exempt From The Law For 'Legal Reasons'
from the uh-huh dept
Last week, we noted that the EU Parliament’s website appeared not to be compliant with the GDPR. As we noted, this was pointed out in response to EU Commissioner Vera Jourova claiming that complying with the GDPR was so easy, that even she could do it. Now, a valid response to all of this would be to point out that the EU Parliament is different than the EU Commission or other parts of the EU government. But, now that we know the EU Parliament is not compliant, would it surprise you at all to find out that the European Commission is also not compliant with the GDPR. Apparently, while she was so busy claiming it was easy to comply with, Journova forgot to have the Commission itself comply.
Specifically, Jason Smith, at the website Indivigital, discovered that various places on the EU’s websites were hosting spreadsheets with personal information on many people who had attended events, and were revealing that information without permission (the report also found various GDPR violations involving 3rd party cookies).
One of the spreadsheets appears to have been published by the European Food Safety Authority (EFSA) and logs personal data on 101 individuals who attended its ?Scientific Colloquium Series? in November 2013.
The data includes last names, first names, email addresses, post codes, addresses, cities, telephone numbers, mobile phone numbers and fax numbers for the individuals listed in the document.
Some of the other publicly accessible spreadsheets containing personal data include:
- A spreadsheet that contains an image with the text ?Cultural Infodays 2009? and 437 rows of data, including names, email addresses and organizations. It appears to relate to an event that took place in 2009. Some of the people listed are employees of governmental bodies or universities while some are from non-profits or privately owned organizations. Many of the email addresses are also for governme…as whether they?ve confirmed they?ll be attending. Many of the email addresses are for governmental bodies however some are for non-governmental organizations; and
- A spreadsheet that appears to be published by the European Commission that includes personal data on 63 individuals, including their names and email addresses. The email addresses consist largely of GMail addresses. A column in the spreadsheet is labelled ?nature of involvement? and appears to contain short descriptions on the capabilities of each individual e.g. ?skills in IT and social media,? ?offers help to draft documents on WB RAA,? ?experienced in project management,? etc.
The latter spreadsheet appears to relate to an event titled ?Balkan Connexion,? which took place between the 3rd and 4th November 2016. According to the EU?s website, the event was attended by 90 participants, including students.
Okay. Already that’s bad enough, but the EU Commission has proceeded to make this much, much worse. After dumping the GDPR on everyone else, insisting that it was easy to comply with, but then failing to comply itself… what do you think the EU Commission’s response to all of this is?
It’s to claim the GDPR does not apply to the EU Commission. I’m not kidding:
This leak would normally constitute a breach of the General Data Protection Regulation (GDPR) if other organisations had done it themselves.
However, a spokesman the commission said, based on ?legal reasons?, European institutions are separate from the GDPR.
For “legal reasons.” Uh huh.