A week after the EU’s new General Data Protection Regulation (GDPR) went into force, the European Commission seems to have dumped over a million visitors’ personal data on Google – without being compliant with GDPR.
First Published 15th June 2018
General Data Protection Regulations for the General Data Protection Regulators.
4 min read | Reflare Research Team
A week after the EU’s new General Data Protection Regulation (GDPR) went into force, several news outlets reported that the European Commission had had a data breach and that it was not itself compliant with GDPR. In this briefing, we will take a look at these claims and at the difficulty of drafting legislation covering private and public bodies simultaneously.
What happened?
All reports about a European Commission (EC) data breach published shortly after the GDPR went into force appear to trace back to an article by a UK company called Indivigital Ltd which appears to be the source of the research.
The article outlines several practices on a number of websites operated by the EC that would be either a violation or at least a point of concern under GDPR. This includes the insufficient implementation of cookie consent pop-ups as well as the use of third-party tracking and third-party scripts.
The article goes on to describe a number of spreadsheets that the company found on EC servers through searches on Google. While the spreadsheets contain email addresses, names and physical addresses, they state that most of them appear to belong to publicly listed government agencies or employees. While the publishing of such information without ironclad proof of consent to publish is certainly a violation of GDPR, we nonetheless consider calling the discovery a “breach” an overstatement.
During the media coverage of this incident, however, a more interesting and counter-intuitive factoid came to common attention: The European Commission itself is not subject to GDPR.
Why isn’t the EC subject to GDPR?
The simple answer is that the GDPR explicitly only applies to companies and other legal entities established within the EU or selling to customers in the EU. Just like individuals (outside of work roles) are not bound by GDPR, neither are governments.
According to statements made to the Daily Telegraph, a regulation equivalent to the GDPR to be used by the EC and governments themselves is being prepared and is set to launch in fall 2018.
The reasons for this split are manyfold but broadly fall into two categories.
The first one is authority. Under GDPR, the countries themselves enforce the rules on entities within their jurisdiction. However, no member country of the EU has jurisdiction over the European Council. Thus laws must be adjusted to accommodate the different legal structures.
The second category is consent. All interactions with companies are based on consent. A company cannot force a citizen to use one of its services. Interactions with governments however are not based on consent. Whether taking mugshots or requesting tax information, the rules governing interactions between companies and citizens and the rules governing interactions between governments and citizens are different in all EU member states.
The fact that this exempts those making the laws from following them themselves is equally universal for virtually all laws passed in EU member states.
Summary
Several websites belonging to the European Commission showed poor handling of data privacy which would certainly constitute GDPR violations. A breach as such has not been confirmed to have taken place at the time of writing this briefing. Articles claiming that it had were overstating the facts.
The EC itself is not subject to GDPR but is preparing to pass equivalent regulations in the fall of 2018 due to the different nature of citizen-corporate and citizen-government interactions.