In the last-minute panics before GDPR came into effect, few of us turned our attention to the many websites of the European Union. Surely, they are shining beacons of compliance, with their own sensible range of requirements? Well, security companies who have investigated the EU's own websites have been surprised to find several examples of non-compliance.
The European Union has, on its 'official website', leaked the personal details of hundreds of private individuals who have attended its workshops, events and conferences. Although consent to store the details was obtained in some cases, this isn't recorded in most, and the information has been retained amongst the mass of 16.5 million pages for up to ten years.
It is not the only EU-related site that hasn't yet done the necessary work, according to Indivigital. Cedefop, the European Centre for the Development of Vocational Training, for example, serves third-party scripts, cookies and content without the users' explicit consent, yet does not meet the criteria for exemption, contrary to Regulation 6.
Anything like this would constitute a breach of GDPR had any other organization done it. When asked why, an EU spokesman evidently reported to the Telegraph that the European Commission was 'separate' from the data protection regulations for 'legal reasons' and that their law did not come into effect for them until this autumn.
Those of us who work with organizations to explain the necessity for the GDPR, and who try to reassure the data people who are in the firing line that their work is important, will probably be as irritated as I am about the EU's non-compliance. Technically, there may be a loophole that gives them more time to put their house in order, but by exploiting the loophole for its own convenience, the EU broadcasts the wrong message.
Just the other day, I was advising a charity about what they needed to do, stressing the work was necessary to provide a fair and common basis for the correct handling of personal data. They bought into the idea that it provided a legal backing for common courtesy and decency, in ensuring the privacy of the ordinary person. Yet there, on the dark side, is the EU, in whose name these necessary standards have been enforced, seemingly carrying on as if it didn't really matter. One suspects that they secretly eat bananas of 'abnormal curvature' too.