EU Parliament's Own Website Violates The GDPR

from the whoopsy dept

We've been pointing out for a while that, however well-intentioned the GDPR may be, and however important the general concept of protecting users' private data is, that still doesn't make the GDPR any less ridiculous. Indeed, we've pointed out that the setup of the GDPR is such that it's becoming a regulatory nightmare: the compliance costs are high, and the rules are so vague that the liability risk remains high. I know that some people keep insisting that the requirements to be compliant aren't actually that difficult. Indeed, EU Commissioner Vera Journova recently claimed that complying with the GDPR was so easy that even she could do it.

Upon hearing that, software engineer Matthias Gliwka wondered if the EU was actually complying with its own "so easy" GDPR rules. Turns out, not so much. As Gliwka noted, the EU Parliament's own website appears to violate the GDPR.

It took me less than five minutes to spot a violation: on the website of the EU Parliament, Google Analytics is being used to track the visitors without the necessary anonymizeIP flag, which in turn causes Google to store the complete IP address without anonymizing the last octet. You can take a look for yourself by checking the source code of this page (archived version in case it gets fixed in the meantime).

This is a violation of the GDPR, since the personal data (IP address) in conjunction with analytics data is being stored on Google’s servers without consent or any other legal basis.
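The check Gliwka describes, as an added example that is not from the article or from his post: a small audit that pulls the inline Google Analytics snippet out of a page's source and reports whether anonymizeIp is requested, alongside what that flag does to an IPv4 address. The sample pages and the tracking ID 'UA-XXXXXXXX-1' are constructed, and auditAnalyticsSnippet and anonymizeIPv4 are names chosen here.

```javascript
// Added example (not from the article or from Gliwka's post): audit the
// inline Google Analytics snippet of a page for the anonymizeIp setting
// and show what that setting does to a client address.
// The sample pages and the tracking ID 'UA-XXXXXXXX-1' are constructed.

// Pull the bodies of inline <script> elements out of an HTML document.
function inlineScripts(html) {
  return [...html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)].map(m => m[1]);
}

// Report every Google Analytics tracker found in the page and whether IP
// anonymization is requested. Recognizes the analytics.js forms
//   ga('create', 'UA-…', 'auto');  ga('set', 'anonymizeIp', true);
//   ga('create', 'UA-…', { anonymizeIp: true });
// and the gtag.js form  gtag('config', 'UA-…', { anonymize_ip: true }).
function auditAnalyticsSnippet(html) {
  const findings = [];
  for (const body of inlineScripts(html)) {
    const usesGa = /\bga\s*\(\s*['"]create['"]/.test(body);
    const usesGtag = /\bgtag\s*\(\s*['"]config['"]/.test(body);
    if (!usesGa && !usesGtag) continue;
    const anonymized =
      /\bga\s*\(\s*['"]set['"]\s*,\s*['"]anonymizeIp['"]\s*,\s*true\s*\)/.test(body) ||
      /['"]?anonymizeIp['"]?\s*:\s*true/.test(body) ||
      /['"]?anonymize_ip['"]?\s*:\s*true/.test(body);
    findings.push({
      api: usesGa ? 'analytics.js' : 'gtag.js',
      anonymizeIp: anonymized,
      finding: anonymized
        ? 'IP truncated by Google before storage'
        : 'full client IP sent and stored with the analytics data',
    });
  }
  return findings;
}

// Google documents anonymizeIp as zeroing the last octet of an IPv4 address
// (and the last 80 bits of an IPv6 address) before the address is stored.
// This reproduces the IPv4 case so the effect of the flag is visible.
function anonymizeIPv4(ip) {
  const parts = ip.split('.');
  const valid = parts.length === 4 &&
    parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  if (!valid) throw new Error('not an IPv4 address: ' + ip);
  parts[3] = '0';
  return parts.join('.');
}

// Constructed sample pages: the first is the pattern Gliwka described
// (tracker created, no anonymizeIp); the second sets the flag before the
// first hit is sent.
const SAMPLE_PAGES = {
  unmasked: `<html><head><script>
      ga('create', 'UA-XXXXXXXX-1', 'auto');
      ga('send', 'pageview');
    </script></head><body></body></html>`,
  masked: `<html><head><script>
      ga('create', 'UA-XXXXXXXX-1', 'auto');
      ga('set', 'anonymizeIp', true);
      ga('send', 'pageview');
    </script></head><body></body></html>`,
};

for (const [name, html] of Object.entries(SAMPLE_PAGES)) {
  console.log(name, auditAnalyticsSnippet(html));
}
console.log(anonymizeIPv4('203.0.113.77')); // 203.0.113.0
```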

Oops. This, of course, is not to mock the EU Parliament for screwing up, but rather to highlight the fact that when politicians and regulators insist that certain regulations are "easy" to comply with, they often have no idea what they're talking about -- and the GDPR is a case in point. Over the past couple of months, nearly every startup company I've spoken to has discussed the GDPR, and nearly every single one has no idea if it's actually in compliance. Many have spent ridiculous sums on lawyers and self-described GDPR experts, but are still working almost entirely blind on how the GDPR will play out in practice.

That is not a good recipe for innovation. Nor, frankly, is it a good recipe for protecting your data. No matter how much you think that the GDPR means that websites will better protect your data, it is not particularly helpful when complying with the rules is both expensive and unclear. That the EU Parliament's own website couldn't figure this out is just a shining example of why the GDPR is such a problem.

Related to that, the fallout from the GDPR is already being felt -- and it's not being felt by Google and Facebook and the other internet giants that everyone celebrating the GDPR often points to. Instead, it's hitting smaller sites really, really hard. Google and Facebook are fine. They can handle the GDPR. Everyone else is freaked out.


Reader Comments

  • Anonymous Coward, 29 May 2018 @ 10:57am (flagged by the community)

    No, Madnick, problem is GOOGLE! Is NO need for it to be everywhere!

    Storing ALL that it can, forever.

  • Anonymous Coward, 29 May 2018 @ 10:59am (flagged by the community)

    "innovation" is not an end in itself. Google is innovating at SPYING, yes.

    It's monetizing the privacy of "natural" persons. Just as Nazis monetized the death of millions. Evil goals cause evil innovation.

    • Anonymous Coward, 29 May 2018 @ 11:51am

      Re: "innovation" is not an end in itself. Google is innovating at SPYING, yes.

      "Nazis monetized the death of millions"

      While it's conceivable that Nazi concentration camps could have been turned into profitable slaughterhouse operations converting human bodies into numerous value-added products, from leather to soap to Braunschweiger, such stories, despite being spread far and wide, were simply not true.

      https://www.ihr.org/leaflets/soap.shtml

    • Anonymous Coward, 29 May 2018 @ 12:51pm

      Second comment and you went full Godwin. Never go full Godwin.

  • Gary (profile), 29 May 2018 @ 11:06am

    Krap Legislation

    Bad rules don't fix much of anything. It's kinda strange how some are pushing this thru to "punish" Google when the opposite is true.

    • Anonymous Coward, 29 May 2018 @ 12:33pm

      Re: Krap Legislation

      Give the GDPR a read. It wasn't written to "punish Google" even if there are camps who would try to use it for that.

  • Anonymous Coward, 29 May 2018 @ 11:29am

    Masking one octet is a pathetic excuse for "anonymization"

    Legally, discarding the last octet might satisfy the anonymization requirement. Practically, that is generally insufficient. If the law says discarding one octet is sufficient, then that is yet another way in which the law is badly written.

    • Ben (profile), 30 May 2018 @ 4:32am

      Re: Masking one octet is a pathetic excuse for "anonymization"

      IP addresses have been demonstrably shown time and time again to not map to a natural person anyway, so why on earth are they even included in the GDPR definition of 'personal data'?
      Yes, it's a badly written law, written by people who don't have a technical bone in their or their staff members' bodies.
      (Mind you, of course, if we let 'technical people' write the technical legislation, we'd all be screaming about regulatory capture)

      • Pete Austin, 30 May 2018 @ 5:06am

        Re: Re: Masking one octet is a pathetic excuse for "anonymization"

        It's a reasonably good law, well worth reading, but they screwed up in a few places. The IP address thing is one of them. A bigger issue is the lack of real exemptions for micro-companies.

  • Anonymous Coward, 29 May 2018 @ 11:35am

    Not a good example

    when politicians and regulators insist that certain regulations are "easy" to comply with, they often have no idea what they're talking about

    Google Analytics is perhaps the prototypical example of user-tracking. This is not something that just appears on a website without the owner's involvement; they made the conscious decision to track their users, and did not turn on the option to track them in a slightly less identifiable way.

    In this instance, compliance actually is easy: don't add a user-tracking service to your site.

  • Ninja (profile), 29 May 2018 @ 11:48am

    Sadly, as far as I could grasp there is a lot of good and some of the bad is actually goodwill gone bad. Companies abused their free rein so much that now we are swinging towards the other extreme. I do hope the GDPR is revised as soon as possible to polish what's good and rebuild what's bad but I generally think that some regulation is going to be needed. The industry can't help screwing things up.

  • That One Guy (profile), 29 May 2018 @ 11:51am

    What's that saying about glass houses...?

    This, of course, is not to mock the EU Parliament for screwing up, but rather to highlight the fact that when politicians and regulators insist that certain regulations are "easy" to comply with, they often have no idea what they're talking about -- and the GDPR is a case in point.

    No, I do believe they're due for some hefty mockery here. As people have pointed out these changes have been in the pipes for two years, and yet during that time the very ones pushing it couldn't be bothered to check if they themselves were in compliance with their own rules?

    If nothing else this provides perfect cover for any companies/sites who are still working on getting 'compliant'. If the EU Parliament couldn't be bothered, then it's rather hard to blame others for not getting on it ahead of time.

    • Anonymous Coward, 29 May 2018 @ 12:30pm

      Re: What's that saying about glass houses...?

      If nothing else this provides perfect cover for any companies/sites who are still working on getting 'compliant'.

      No, it might provide some "whataboutery" but it won't shield anyone from their own compliance.

      • That One Guy (profile), 29 May 2018 @ 1:04pm

        Re: Re: What's that saying about glass houses...?

        I didn't mean to imply it would be a good excuse, merely that it would be an easily used one.

        'They didn't care enough to check and they wrote the rules, why are you going after us for not being 100% compliant right out the gates if even they couldn't be bothered?'

    • wereisjessicahyde (profile), 29 May 2018 @ 1:29pm

      Re: What's that saying about glass houses...?

      "Never throw garden furniture at one whilst drunk" Or maybe that's just for me.

    • PaulT (profile), 30 May 2018 @ 1:13am

      Re: What's that saying about glass houses...?

      "during that time the very ones pushing it couldn't be bothered to check if they themselves were in compliance with their own rules?"

      You make the mistake of assuming that those responsible in both areas were the same people. The people making the rules will not have been implementing them - that job will be done by people who were more than likely telling them why things were a bad idea in the first place. If a hammer falls, it will be on the poor admin who was ordered to achieve what he was warned was impossible, not the politician who demanded it be done anyway.

  • Anonymous Coward, 29 May 2018 @ 11:51am

    From the digiday article: “Revenues and [ad demand] volumes [are] expected to fall dramatically across the board,” said one publishing executive, under condition of anonymity.

    Is this really a bad thing? Less ads? I see that as a win. The internet was and should still be ad free!

    • bob, 29 May 2018 @ 12:21pm

      Re:

      Except that running, owning, and hosting a website is not free. I support some advertising. But the crap pile that was allowed to proliferate on the web as we see today is the reason I use an ad-blocker.

      • Anonymous Coward, 29 May 2018 @ 12:47pm

        Re: Re:

        While they don't have "web site" hosting per se, archive.org will host files (even huge, popular ones) for free, and they don't track their users.

      • Anonymous Coward, 29 May 2018 @ 1:38pm

        Re: Re:

        But to force ads, especially the horrible ones, onto your users just so you can have your little space on the internet?

        I remember what it was like the first times I was online. Somewhere around 1993. I can't remember seeing a single ad and yet there were more sites to visit and spend time on than I had free. I would never have seen it all.

        Hosting a site at someone else's expense was not even thought of. It was a place to share your ideas, your creations. Then the business man got a hold of it....

        • bob, 29 May 2018 @ 5:01pm

          Re: Re: Re:

          True it got worse with time but there was always some source of money to fund the website. Could be ads, donations, Subscription, self-funded, or backed by some other entity. I'm sure there are others but you

          You can also show ads without tracking or annoying visitors.

          • Anonymous Coward, 29 May 2018 @ 5:26pm

            Re: Re: Re: Re:

            You can also show ads without tracking or annoying visitors.

            "Without annoying" is difficult. But if we look back to the early days of targeted advertising, we know it can be done without tracking. There's one piece of information that's powerful on its own: the page on which the ad appears. Originally, Google would show an ad based on your search term. Techdirt's recent boardgame campaign worked because it was shown to users of this site and relates to things the site talks about (FOIA, spying), so we can assume some people reading TD will be interested.

        • Anonymous Coward, 30 May 2018 @ 4:56am

          Re: Re: Re:

          1993?

          What, when there were only a few thousand actual internet users? And many of the "sites" were actually used for other things than just serving pages? And/or they were affiliated with universities.

          Mosaic, the first "graphical" browser, came out in 1993, and for quite a while very few sites had actual WWW (web) server capabilities. Lynx & Gopher didn't provide any kind of advertisement capabilities that I recall.

          Once the actual Mosaic & Netscape WWW browser capability started taking off, and people started getting on the internet, commercial investment started coming along. This investment actually helped grow the internet into the massive, ubiquitous state it maintains today. AOL, Yahoo, MSN, and others actually did have advertisements, and they were "the internet" for most people back in the mid-1990s or so. (AOL and Compuserv actually existed before the web).

    • Anonymous Anonymous Coward (profile), 29 May 2018 @ 1:35pm

      Re:

      I am surprised we haven't heard more from the online news organizations in the EU. Or are they expecting Google to make up for additional loss of ad revenue?

  • Anonymous Coward, 29 May 2018 @ 11:52am

    but, like all countries and all govts, that doesn't matter! the only thing that matters is to make doubly sure that the ordinary citizens are stopped by any and all means necessary from being able to stand up for themselves, able to learn about what these fuckers are up to and never again able to defend themselves against the tyranny of those who are doing everything possible to enslave the human race!!

  • Anonymous Coward, 29 May 2018 @ 1:19pm

    I'm no expert, but it sounds like it will need to go to the European Court of Justice, where it will be confirmed to be more or less what people think it is, a nuke on the targeted ad revenue model (surveillance capitalism).

    This was always going to happen. The data harvesting free-for-all that the big players depend on is in flagrant violation of basic human rights principles.

    The Europeans will not back down on this. Rather than futilely drawing it out for years these companies should "innovate" and move to one of their other revenue options.

    If collecting personal data is essential for providing a service that people actually value then they will happily opt in to it.

    • Anonymous Coward, 29 May 2018 @ 1:32pm

      Re:

      archive.org is "free" in that it is supported by donations. Are you proposing that all commercial content providers follow the same model?

      • Anonymous Coward, 29 May 2018 @ 1:51pm

        Re: Re:

        Sorry, replied to the wrong post.

      • Anonymous Coward, 29 May 2018 @ 2:40pm

        Re: Re:

        It's just an example showing hosting does not require tracking, and people posting their own media have choices other than Youtube etc.

        Their FAQ says it costs them about 2.00 USD/GB to store data forever. They're not going to object to the EU Parliament posting laws, minutes, etc. there, with or without a donation. An individual could easily get their fans to donate enough to cover those costs, without any intrusive PBS-style fund drive.

        • Anonymous Coward, 29 May 2018 @ 7:44pm

          Re: Re: Re:

          without any intrusive PBS-style fund drive.

          Not sure about this one. Wikipedia, at least, appears to require this kind of fundraising, and it is funded largely by individuals, in contrast to archive.org which is mostly funded by much larger institutions.

    • TripMN (profile), 29 May 2018 @ 6:27pm

      Re:

      Call me a little daft or even a bit uninformed, but please explain to me your statement of "The data harvesting free-for-all that the big players depend on is in flagrant violation of basic human rights principles."

      I'm just not sure what you mean because that is a very bold statement but you don't explain it or back it up in any way.

  • Anonymous Coward, 29 May 2018 @ 1:30pm

    ...So, does that mean that the EU lost 4% of its Gross Revenue in fines to itself?

  • Max, 29 May 2018 @ 2:59pm

    NOPE

    Is it perfect? Hell no. But I'll take it ANY TIME over the traditional alternative of "hahaha, let me mop the floor with you precious 'personal data', snowflake..."

  • tracyanne, 30 May 2018 @ 1:36am

    The problem, then, is not so much the EU Website

    as the EU website using a 3rd party for its analytics.

  • Éibhear, 30 May 2018 @ 4:17am

    Podcast suggestion

    Hi,

    Living in Europe, and having a serious amount of skepticism regarding the motives of the EU Commission and the EU Council, I'm still more of a fan of the GDPR than not.

    However, I don't know everything, and I work only tangentially with matters relating to data protection.

    I would love to hear a discussion or debate on the Techdirt podcast, say, regarding the GDPR between Mike or Cathy and someone from the east of the Atlantic. My personal recommendations would be someone like Simon McGarr (@tupp_ed on Twitter) or T.J. McIntyre of Digital Rights Ireland (@tjmcintyre), both of whom were involved in the Schrems case that took down Safe Harbour.

    Other people I would trust to give an informed, EU-based, perspective on GDPR would be Rowenna Fielding (@MissIG_Geek), Sarah Clarke (@trialbytruth), Pat Walshe (@PrivacyMatters) or Daragh O Brien (@CBridge_Chief).

    I would expect all of these to have considered analyses on the concerns that Mike and others have with GDPR (I don't like the RTBF portion of it, either!), and would give alternative perspectives. It would be excellent to hear it covered in one of the podcasts.

    Éibhear

  • Pete Austin, 30 May 2018 @ 5:00am

    It says it doesn't comply, on the legal page ¯\_(ツ)_/¯

    Do you mean this site?
    https://europa.eu/european-union/abouteuropa/legal_notices_en

    If so, it's totally obvious that it doesn't comply with the GDPR. It even says so in plain text...

    The policy on "protection of individuals with regard to the processing of personal data by the Community institutions" is based currently on Regulation (EC) N° 45/2001 of the European Parliament and of the Council of 18 December 2000 (and not on the "GDPR" Regulation 2016/679 that repeals the Directive 95/46/EC). The new version of Regulation 45/2001 is currently being adopted. The legal notices on Europa will be updated in accordance with the new version.

  • Anonymous Coward, 30 May 2018 @ 10:54am

    Why is this so difficult for Techdirt to understand? Complying with GDPR isn't all that hard.

    "Indeed, EU Commissioner Vera Journova recently claimed that complying with the GDPR was so easy that even she could do it."

    See? Even Vera can do it.

    She didn't say she does do it, just that she could do it.

  • Will B., 30 May 2018 @ 1:51pm

    "Related to that, the fallout from the GDPR is already being felt -- and it's not being felt by Google and Facebook and the other internet giants that everyone celebrating the GDPR often point to. "

    Beg pardon? Are you claiming these sites aren't having to comply with the GDPR? Or are you saying they aren't being *hurt* by the GDPR?

    Because the goal of this legislation is not to *hurt* these sites. If they find compliance easy, GOOD!

    I think you misunderstand the goal of this legislation, if you are claiming that internet giants are complying easily *and that's a bad thing.*

    • PaulT (profile), 31 May 2018 @ 1:31am

      Re:

      I think you misunderstand the point. Large companies can afford to employ someone, or even teams of people to ensure compliance. In fact, they most likely have such teams already for every part of their global operations and this was just a bit of extra work for those already involved.

      For smaller companies, they have to either go to huge expense to hire someone (be that internal staff or an external agency), remove themselves from part of their audience (which may also be expensive) or risk harmful fines for not being able to comply.

      That's not the point of the legislation, but that's the reality of its effect. The big guys can both afford to comply *and* weather any damage that unintentional non-compliance can cause. Small companies may not be able to afford the legal advice to know whether they are complying, or need to in the first place.

      • Will B., 2 Jun 2018 @ 5:53pm

        Re: Re:

        Still means that big companies are complying with legislation designed to protect personal privacy. I consider that a good thing; there could be more done to assist small companies with their compliance, but it sounds like the regulation is still hitting the big guys (the ones who do the lion's share of data harvesting) in exactly the way it was intended.

  • The T, 30 May 2018 @ 2:04pm

    I think you don't see fully clear in this case:

    In your example case eventually the setting will be fixed, and privacy will be improved. That's what the ruling is for.

    In other cases the same will happen, and eventually page providers will ask their software providers for app software with better default settings.

    Or the other way round: Privacy sharks will have to admit their unholy deeds, allowing people to switch.

  • Tatiana rocchio, 31 May 2018 @ 6:32pm

    My please peace fact false flryt taxie s cars ride gono’s bill James ride bus ten pm Cox Johnston ham saids right noting flryt car taxie shopping ride some come home ten pm lighter prigram pligram program rhd Patterson fact Tatia Rocchio presnident trump Donald’s fact false Trudeau center bill taxes
