Noyb files complaints against European Parliament over data breach
Austrian privacy organization Noyb is filing two complaints against the European Parliament over a massive data breach that took place last May.
The incident involved the European Parliament’s recruiting platform called PEOPLE. Everybody who applies for a job at the Parliament has to register on this platform.
Next, applicants have to provide a list of personal details, including a copy of their ID card or passport, criminal record extracts, residence documents and marriage certificates. More than 8,000 current and former employees have done so.
On April 26, staff members discovered a data breach in PEOPLE, exposing personal and sensitive information. As soon as the incident came to light, the European Parliament informed the European Data Protection Supervisor (EDPS), an independent supervisory authority that monitors European institutions to see if they respect privacy and data protection laws.
Even to this day it’s unclear when and how the data breach actually occurred. What we do know is that other European bodies have also been targeted in a number of cyberattacks.
For example, Daniel Freund, a German member of the European Parliament for the Greens/European Free Alliance, revealed in July he was being monitored by Israeli spyware. The same thing happened in February to two MEPs and a staff member in the Parliament’s security and defense subcommittee. In November 2022 the website of the European Parliament was taken offline by Russian hacking groups and numerous EU institutions were attacked in the autumn of 2023.
The European Parliament’s IT department conducted a cybersecurity review of the data breach and concluded that the Parliament’s cybersecurity “has not yet met industry standards”. Furthermore, it said that existing measures were “not fully in-line with the threat level posed by state-sponsored hackers”.
“This breach comes after repeated cybersecurity incidents in EU institutions over the past year. The Parliament has an obligation to ensure proper security measures, given that its employees are likely targets for bad actors,” says Lorea Mendiguren, data protection lawyer at Noyb.
He also points out that the European Parliament gathered more data than necessary from its applicants. Article 4 of the General Data Protection Regulation (GDPR) states that a body can only process data that is “adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed”.
In addition, the Parliament’s retention period for recruitment files is ten years, which is way too long. On top of that, the European Parliament refused an erasure request that was made after the data breach.
All things considered, Noyb has filed two complaints with the EDPS on behalf of four employees: one for collecting too much personal data for its purpose, and one for storing recruitment files for too long. Furthermore, the Austrian privacy organization asks the supervisor to impose an appropriate administrative fine to prevent similar violations in the future.