EU Commission Violates GDPR; Claims That It's Exempt From The Law For 'Legal Reasons'

from the uh-huh dept

Last week, we noted that the EU Parliament's website appeared not to be compliant with the GDPR. As we noted, this was pointed out in response to EU Commissioner Vera Jourova claiming that complying with the GDPR was so easy, that even she could do it. Now, a valid response to all of this would be to point out that the EU Parliament is different than the EU Commission or other parts of the EU government. But, now that we know the EU Parliament is not compliant, would it surprise you at all to find out that the European Commission is also not compliant with the GDPR? Apparently, while she was so busy claiming it was easy to comply with, Jourova forgot to have the Commission itself comply.

Specifically, Jason Smith, at the website Indivigital, discovered that various places on the EU's websites were hosting spreadsheets with personal information on many people who had attended events, and were revealing that information without permission (the report also found various GDPR violations involving third-party cookies).

One of the spreadsheets appears to have been published by the European Food Safety Authority (EFSA) and logs personal data on 101 individuals who attended its “Scientific Colloquium Series” in November 2013.

The data includes last names, first names, email addresses, post codes, addresses, cities, telephone numbers, mobile phone numbers and fax numbers for the individuals listed in the document.

Some of the other publicly accessible spreadsheets containing personal data include:

  • A spreadsheet that contains an image with the text “Cultural Infodays 2009” and 437 rows of data, including names, email addresses and organizations. It appears to relate to an event that took place in 2009. Some of the people listed are employees of governmental bodies or universities while some are from non-profits or privately owned organizations. Many of the email addresses are also for governme...as whether they’ve confirmed they’ll be attending. Many of the email addresses are for governmental bodies however some are for non-governmental organizations; and
  • A spreadsheet that appears to be published by the European Commission that includes personal data on 63 individuals, including their names and email addresses. The email addresses consist largely of GMail addresses. A column in the spreadsheet is labelled “nature of involvement” and appears to contain short descriptions on the capabilities of each individual e.g. “skills in IT and social media,” “offers help to draft documents on WB RAA,” “experienced in project management,” etc.

The latter spreadsheet appears to relate to an event titled “Balkan Connexion,” which took place between the 3rd and 4th November 2016. According to the EU’s website, the event was attended by 90 participants, including students.

Okay. Already that's bad enough, but the EU Commission has proceeded to make this much, much worse. After dumping the GDPR on everyone else, insisting that it was easy to comply with, but then failing to comply itself... what do you think the EU Commission's response to all of this is?

It's to claim the GDPR does not apply to the EU Commission. I'm not kidding:

This leak would normally constitute a breach of the General Data Protection Regulation (GDPR) if other organisations had done it themselves.

However, a spokesman the commission said, based on “legal reasons”, European institutions are separate from the GDPR.

For "legal reasons." Uh huh.


Reader Comments



  • Gilly, 7 Jun 2018 @ 6:47am

    Usually I'd side against the GDPR, but...

    Ever heard of the man who invented the bronze bull? The story may be apocryphal, but the tale goes a Greek emperor invented a new method of torture: a hollow bronze bull, heated underneath by a fire to boil the prisoner inside. The story goes that when the emperor was overthrown, he himself was placed inside the bull he invented...

  • Anonymous Coward, 7 Jun 2018 @ 6:52am

    Just the facts

    The State is always exempt from the law. It is the entity that enforces it, any act by the state to show contrition is only for purchasing public opinion nothing more.

    The public still pays for the time and effort costs of the violation and the time and effort costs of any remediation or prosecution of persons in the event.

    They should just put Judge Dredd up on the Mic and just scream "I AM THE LAW!!!" Bonus points if they get the silly Stallone to do it instead of the much better acted Urban version.

    • Anonymous Coward, 7 Jun 2018 @ 10:50am

      Re: Just the facts

      Bonus points if they get the silly Stallone to do it instead of the much better acted Urban version.

      I knew you'd say that.

    • That One Guy, 7 Jun 2018 @ 1:46pm

      Re: Just the facts

      They should just put Judge Dredd up on the Mic and just scream "I AM THE LAW!!!" Bonus points if they get the silly Stallone to do it instead of the much better acted Urban version.

      The funny thing is what little I understand about the character leads me to believe that he would immediately turn around and shoot them, as he strikes me as someone who wouldn't care who was breaking it, just that they were.

      • Anonymous Coward, 8 Jun 2018 @ 6:34am

        Re: Re: Just the facts

        Nah.

        I mean, yeah, he'd totally subject them to the law's penalties (fines, imprisonment, etc.), but he wouldn't kill them unless that's what The Law stated the sentence should be.

        He has a fanatical devotion to The Law; he wouldn't go beyond the sentence it prescribes.

    • WeeLamm, 8 Jun 2018 @ 12:09pm

      Re: Just the facts

      Article 4, Definition 7.
      [‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;]

      Seems to suggest that the EU Commission is itself a Controller. In this way they would be publicly accountable to ensure that they followed their own guidelines.

  • Anonymous Coward, 7 Jun 2018 @ 7:33am

    Just because governments make the laws does not mean that they are bound by the laws, indeed that is one of the perks of being in government, freedom from irksome laws.

  • Anonymous Coward, 7 Jun 2018 @ 7:36am

    One set of laws for you, another for me.

    As usual.

  • That Anonymous Coward, 7 Jun 2018 @ 7:51am

    "“legal reasons”, European institutions are separate from the GDPR."

    For 'legal reasons' we've decided to ignore your stupid ass law. If you can't live by the same rules you demand others follow, you must have mistaken yourselves for members of the American Congress. Protecting yourselves in a blanket way when citizens are already claiming billions in daily damages from others violating this rule might be a sign that it's a bad rule.

  • Anonymous Coward, 7 Jun 2018 @ 8:34am

    the EU Commission, from what i understand, is supposed to maintain a balance between industries, corporations, companies and the people, with rights being established for the good of all. however, from what i have read, it is the biggest part of the EU that does nothing for anyone EXCEPT the industries, corporations, and companies! it is the most corrupt section of the EU and does the same as Hollywood, the MPAA, the RIAA and the rest of the entertainment industries as well as others and wants to take over everything while giving nothing, nothing, that is, except massive fines and prison sentences to ordinary people for doing the most basic of human actions, sharing!!

  • stine, 7 Jun 2018 @ 8:35am

    Huh, so their politicians are just like ours...

    Our legislators regularly exempt themselves from the legislation that they foist on the rest of us. I'm not really surprised by this. Disappointed, but not surprised.

  • Paul, 7 Jun 2018 @ 8:37am

    Not surprising

    "Regulation for thee, not for me" is the motto of all politicians. Can't let the serfs be entitled to the same benefits as their lords. Otherwise they might start to believe they're equal.

  • Anonymous Coward, 7 Jun 2018 @ 8:55am

    Do as I say, not as I do.

    This is a sign of good leadership - lol.

  • Cicero Blackstone, 7 Jun 2018 @ 9:28am

    War on language, intelligence, ethics, etc., proceeding per plan

    See subject heading.

    • This comment has been flagged by the community.
      Anonymous Coward, 7 Jun 2018 @ 10:09am

      Re: War on language, intelligence, ethics, etc., proceeding per plan

      "Cicero Blackstone"! Oh, yeah, THAT'S a believable name to type in for a one-time use.

      I note also was in same minute as definite zombie "pacanukeha" account which is active again after 33 months. JUST coincidence, though, right? Couldn't both be for same purpose of inflating number of comments here, right?

  • pacanukeha, 7 Jun 2018 @ 9:28am

    Legal reasons

    are the best reasons

    • This comment has been flagged by the community.
      Anonymous Coward, 7 Jun 2018 @ 10:05am

      NEW WAVE OF ZOMBIES! "pacanukeha" POPS UP after 33 month gap!

      FOUR WHOLE COMMENTS TOTAL!

      Heh, heh. You clowns CANNOT expect these ALL to be accepted as coincidence. You give me good ongoing mystery in simply the WHY of this blatant astro-turfing.

  • Namram, 7 Jun 2018 @ 12:44pm

    a little erratum

    the commissioner's name is Věra Jourová, without "n"

    • Anonymous Coward, 7 Jun 2018 @ 2:33pm

      Re: a little erratum

      This is TechDirt. Spelling errors in articles and sometimes even headlines is like a little mini-game built into the site. See if you can spot them all!

  • That One Guy, 7 Jun 2018 @ 1:53pm

    How to destroy respect for a law in a single sentence

    This leak would normally constitute a breach of the General Data Protection Regulation (GDPR) if other organisations had done it themselves.

    However, a spokesman the commission said, based on “legal reasons”, European institutions are separate from the GDPR.

    Translation: 'We make the laws, we have no need to follow them as we are above them and unbound by them.'

    It was bad enough when the EU Parliament was found to be in violation of the very law they said was 'easy' to comply with, but the gross hypocrisy this time around ramps that up to 11 and utterly destroys any high ground they may have had on the matter.

    By admitting to be in violation and defending it by claiming that they are above the law they make it clear that they aren't in fact concerned with privacy of anyone but themselves, and they were merely using the issue for personal gain.

  • Joel Coehoorn, 7 Jun 2018 @ 2:31pm

    Translation

    Translation: we're only interested in enforcing this against big American tech companies like Google, Facebook, Microsoft, Apple, and Amazon. "European Institutions" need not worry at all.

  • Anonymous Coward, 7 Jun 2018 @ 10:36pm

    Positive this isn't a translation error of the "legal obligation" which is a "lawful basis" for under the GDPR?

  • Anonymous Coward, 13 Jun 2018 @ 7:29pm

    "Do as I say, not as I do."
