EU Parliament's Own Website Violates The GDPR

from the whoopsy dept

We've been pointing out for a while that, however well-intentioned the GDPR may be, and however important the general concept of protecting users' private data is, that still doesn't make the GDPR any less ridiculous. Indeed, we've pointed out that the setup of the GDPR is such that it's becoming a regulatory nightmare because the compliance costs are high, and the rules are so vague that the liability risk remains high. I know that some people keep insisting that the requirements to be compliant aren't actually that difficult. Indeed, EU Commissioner Vera Journova recently claimed that complying with the GDPR was so easy that even she could do it.

Upon hearing that, software engineer Matthias Gliwka wondered if the EU was actually complying with its own "so easy" GDPR rules. Turns out, not so much. As Gliwka noted, the EU Parliament's own website appears to violate the GDPR.

It took me less than five minutes to spot a violation: on the website of the EU Parliament Google Analytics is being used to track the visitors without the necessary anonymizeIP flag, which in turn causes Google to store the complete IP address without anonymizing the last octet. You can take a look for yourself by checking the source code of this page (archived version in case it gets fixed in the meantime). This is a violation of the GDPR, since the personal data (IP address) in conjunction with analytics data is being stored on Google’s servers without consent or any other legal basis.
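The check Gliwka describes (reading a page's source for the Google Analytics snippet and looking for the anonymizeIp setting), as an added example that is not part of the original post or of Gliwka's own work: a small Node.js script that scans HTML for a GA snippet and reports whether IP anonymisation is switched on. It goes slightly beyond the post by also recognising the gtag.js and legacy ga.js spellings of the same setting; the sample HTML and the UA-XXXXXXX-Y tracking ID are constructed placeholders.

```javascript
// Added example (not from the original post): audit a page's HTML for a
// Google Analytics snippet and report whether IP anonymisation is enabled.
// Recognises the three GA snippet styles: analytics.js ga('set',
// 'anonymizeIp', true), gtag.js { anonymize_ip: true } and the legacy
// ga.js _gaq.push(['_gat._anonymizeIp']).

const GA_LOADERS = [
  /google-analytics\.com\/(analytics|ga)\.js/i,
  /googletagmanager\.com\/gtag\/js/i,
  /\bga\(\s*['"]create['"]/,
  /\b_gaq\.push\(/,
  /\bgtag\(\s*['"]config['"]/,
];

const ANONYMIZE_PATTERNS = [
  /ga\(\s*['"]set['"]\s*,\s*['"]anonymizeIp['"]\s*,\s*true\s*\)/,
  /['"]?anonymize_ip['"]?\s*:\s*true/,
  /_gaq\.push\(\s*\[\s*['"]_gat\._anonymizeIp['"]\s*\]\s*\)/,
];

// Returns { usesGA, anonymized } for a page's HTML source.
function checkAnonymizeIp(html) {
  const usesGA = GA_LOADERS.some((re) => re.test(html));
  const anonymized = usesGA && ANONYMIZE_PATTERNS.some((re) => re.test(html));
  return { usesGA, anonymized };
}

// Constructed sample: analytics.js snippet without the anonymizeIp flag,
// i.e. the configuration the post describes. Tracking ID is a placeholder.
const MISSING_FLAG = `
<script>
  (function(i,s,o,g,r,a,m){/* GA loader */})(window,document,'script',
    'https://www.google-analytics.com/analytics.js','ga');
  ga('create', 'UA-XXXXXXX-Y', 'auto');
  ga('send', 'pageview');
</script>`;

// Constructed sample: the same snippet with the flag set before 'send'.
const WITH_FLAG = MISSING_FLAG.replace(
  "ga('send', 'pageview');",
  "ga('set', 'anonymizeIp', true);\n  ga('send', 'pageview');"
);

function audit(label, html) {
  const r = checkAnonymizeIp(html);
  const verdict = !r.usesGA ? 'no GA' : r.anonymized ? 'anonymizeIp on' : 'FULL IP SENT';
  console.log(`${label}: ${verdict}`);
  return r;
}

audit('missing flag', MISSING_FLAG);
audit('with flag', WITH_FLAG);
```

A static scan of the HTML only sees settings written into the page itself; a tracker configured at runtime by a tag manager needs to be checked by inspecting the actual requests sent to Google's collection endpoint.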

Oops. This, of course, is not to mock the EU Parliament for screwing up, but rather to highlight the fact that when politicians and regulators insist that certain regulations are "easy" to comply with, they often have no idea what they're talking about -- and the GDPR is a case in point. Over the past couple of months, nearly every startup company I've spoken to has discussed the GDPR, and nearly every single one of them has no idea if they're actually in compliance. Many have spent ridiculous sums on lawyers and self-described GDPR experts, but are still working almost entirely blind on how the GDPR will play out in practice.

That is not a good recipe for innovation. Nor, frankly, is it a good recipe for protecting your data. No matter how much you think that the GDPR means that websites will better protect your data, it is not particularly helpful when complying with the rules is both expensive and unclear. That the EU Parliament's own website couldn't figure this out is just a shining example of why the GDPR is such a problem.

Related to that, the fallout from the GDPR is already being felt -- and it's not being felt by Google and Facebook and the other internet giants that everyone celebrating the GDPR often points to. Instead, it's hitting smaller sites really, really hard. Google and Facebook are fine. They can handle the GDPR. Everyone else is freaked out.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community. Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis. While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: eu, eu parliament, gdpr, regulations, tracking, vera journova