EU Commission Violates GDPR; Claims That It's Exempt From The Law For 'Legal Reasons'

from the uh-huh dept

Last week, we noted that the EU Parliament’s website appeared not to be compliant with the GDPR. As we noted, this was pointed out in response to EU Commissioner Vera Jourova claiming that complying with the GDPR was so easy that even she could do it. Now, a valid response to all of this would be to point out that the EU Parliament is different than the EU Commission or other parts of the EU government. But, now that we know the EU Parliament is not compliant, would it surprise you at all to find out that the European Commission is also not compliant with the GDPR? Apparently, while she was so busy claiming it was easy to comply with, Jourova forgot to have the Commission itself comply.

Specifically, Jason Smith, at the website Indivigital, discovered that various places on the EU’s websites were hosting spreadsheets with personal information on many people who had attended events, and were revealing that information without permission (the report also found various GDPR violations involving 3rd party cookies).

One of the spreadsheets appears to have been published by the European Food Safety Authority (EFSA) and logs personal data on 101 individuals who attended its “Scientific Colloquium Series” in November 2013.

The data includes last names, first names, email addresses, post codes, addresses, cities, telephone numbers, mobile phone numbers and fax numbers for the individuals listed in the document.

Some of the other publicly accessible spreadsheets containing personal data include:

  • A spreadsheet that contains an image with the text “Cultural Infodays 2009” and 437 rows of data, including names, email addresses and organizations. It appears to relate to an event that took place in 2009. Some of the people listed are employees of governmental bodies or universities while some are from non-profits or privately owned organizations. Many of the email addresses are also for governme…as whether they’ve confirmed they’ll be attending. Many of the email addresses are for governmental bodies however some are for non-governmental organizations; and
  • A spreadsheet that appears to be published by the European Commission that includes personal data on 63 individuals, including their names and email addresses. The email addresses consist largely of GMail addresses. A column in the spreadsheet is labelled “nature of involvement” and appears to contain short descriptions on the capabilities of each individual e.g. “skills in IT and social media,” “offers help to draft documents on WB RAA,” “experienced in project management,” etc.

The latter spreadsheet appears to relate to an event titled “Balkan Connexion,” which took place between the 3rd and 4th November 2016. According to the EU’s website, the event was attended by 90 participants, including students.

Okay. Already that’s bad enough, but the EU Commission has proceeded to make this much, much worse. After dumping the GDPR on everyone else, insisting that it was easy to comply with, but then failing to comply itself… what do you think the EU Commission’s response to all of this is?

It’s to claim the GDPR does not apply to the EU Commission. I’m not kidding:

This leak would normally constitute a breach of the General Data Protection Regulation (GDPR) if other organisations had done it themselves.

However, a spokesman the commission said, based on “legal reasons”, European institutions are separate from the GDPR.

For “legal reasons.” Uh huh.


Comments on “EU Commission Violates GDPR; Claims That It's Exempt From The Law For 'Legal Reasons'”

34 Comments
Gilly says:

Usually I'd side against the GDPR, but...

Ever heard of the man who invented the bronze bull? The story may be apocryphal, but the tale goes a Greek emperor invented a new method of torture: a hollow bronze bull, heated underneath by a fire to boil the prisoner inside. The story goes that when the emperor was overthrown, he himself was placed inside the bull he invented…

Anonymous Coward says:

Just the facts

The State is always exempt from the law. It is the entity that enforces it, any act by the state to show contrition is only for purchasing public opinion nothing more.

The public still pays for the time and effort costs of the violation and the time and effort costs of any remediation or prosecution of persons in the event.

They should just put Judge Dredd up on the Mic and just scream “I AM THE LAW!!!” Bonus points if they get the silly Stallone to do it instead of the much better acted Urban version.

That One Guy (profile) says:

Re: Just the facts

They should just put Judge Dredd up on the Mic and just scream "I AM THE LAW!!!" Bonus points if they get the silly Stallone to do it instead of the much better acted Urban version.

The funny thing is what little I understand about the character leads me to believe that he would immediately turn around and shoot them, as he strikes me as someone who wouldn’t care who was breaking it, just that they were.

Anonymous Coward says:

Re: Re: Just the facts

Nah.

I mean, yeah, he’d totally subject them to the law’s penalties (fines, imprisonment, etc.), but he wouldn’t kill them unless that’s what The Law stated the sentence should be.

He has a fanatical devotion to The Law; he wouldn’t go beyond the sentence it prescribes.

WeeLamm says:

Re: Just the facts

Article 4, Definition 7.
[‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;]

Seems to suggest that the EU Commission is itself a Controller. In this way they would be publicly accountable to ensure that they followed their own guidelines.

That Anonymous Coward (profile) says:

““legal reasons”, European institutions are separate from the GDPR.”

For ‘legal reasons’ we’ve decided to ignore your stupid ass law. If you can’t live by the same rules you demand others follow, you must have mistaken yourselves for members of the American Congress. Protecting yourselves in a blanket way when citizens are already claiming billions in daily damages from others violating this rule might be a sign that it’s a bad rule.

ryuugami says:

Re: Re:

when citizens are already claiming billions in daily damages

Do you have a source for that? AFAIK, citizens can’t claim a single cent. We can report websites for non-compliance, but only the government can sue, and any fines will go directly to the government.

Suing private businesses for personal gain is pretty rare outside the US, as the legal frameworks tend to not support that kind of trolling.

Anonymous Coward says:

the EU Commission, from what i understand, is supposed to maintain a balance between industries, corporations, companies and the people, with rights being established for the good of all. however, from what i have read, it is the biggest part of the EU that does nothing for anyone EXCEPT the industries, corporations, and companies! it is the most corrupt section of the EU and does the same as Hollywood, the MPAA, the RIAA and the rest of the entertainment industries as well as others and wants to take over everything while giving nothing, nothing, that is, except massive fines and prison sentences to ordinary people for doing the most basic of human actions, sharing!!

Anonymous Coward says:

Re: War on language, intelligence, ethics, etc., proceeding per plan

“Cicero Blackstone”! Oh, yeah, THAT’S a believable name to type in for a one-time use.

I note also was in same minute as definite zombie “pacanukeha” account which is active again after 33 months. JUST coincidence, though, right? Couldn’t both be for same purpose of inflating number of comments here, right?

That One Guy (profile) says:

How to destroy respect for a law in a single sentence

This leak would normally constitute a breach of the General Data Protection Regulation (GDPR) if other organisations had done it themselves.

However, a spokesman the commission said, based on “legal reasons”, European institutions are separate from the GDPR.

Translation: ‘We make the laws, we have no need to follow them as we are above them and unbound by them.’

It was bad enough when the EU Parliament was found to be in violation of the very law they said was ‘easy’ to comply with, but the gross hypocrisy this time around ramps that up to 11 and utterly destroys any high ground they may have had on the matter.

By admitting to be in violation and defending it by claiming that they are above the law they make it clear that they aren’t in fact concerned with privacy of anyone but themselves, and they were merely using the issue for personal gain.
