
Digital rights NGO files complaints against European Parliament for data breach


Following a major breach of the European Parliament’s recruitment system in April 2024, in which sensitive personal information was exposed, the digital rights NGO Noyb filed two legal complaints against the EU institution on Thursday (22 August) for alleged violations of data protection law.

In May, the Parliament said it had experienced a data breach in its recruitment application, PEOPLE, which is used to hire temporary staff. The breach was confirmed to have taken place in April, when sensitive personal data such as identity documents, criminal records, and work experience was exposed.

Concerns had been raised at the time about the delayed notification and the potential misuse of the compromised data. The Parliament recommended that affected individuals replace their IDs and passports as a precaution, offering to cover the associated costs.

Now, the NGO Noyb, the European Center for Digital Rights, has filed two complaints with the European Data Protection Supervisor (EDPS) on behalf of four Parliament employees, noting that the data of more than 8,000 staff was affected, including the data of former employees.

“As an EU citizen, it is worrying that EU institutions are still so vulnerable to attacks. Having such information floating around is not only frightening for the individuals affected, but it can also be used to influence democratic decisions,” said Max Schrems, activist and chairman of Noyb.

Back in May, the EDPS confirmed to Euractiv that it had been notified of the breach within 72 hours of the Parliament becoming aware of it.

European Parliament’s recruitment application compromised in data breach

The European Parliament sent on Monday (6 May) an internal notification to its staff, seen by Euractiv, about a data breach in the application PEOPLE, used for the recruitment of the institution’s non-permanent staff.

The complaints

Noyb believes the breach highlights the Parliament’s non-compliance with the General Data Protection Regulation’s (GDPR) data minimisation and retention requirements.

The GDPR’s data minimisation rules require organisations to collect and retain only the minimum amount of personal data necessary for a specific purpose. The retention requirement sets limits on how long this data can be stored, ensuring it is not kept longer than necessary.

One of the legal complaints concerns the Parliament’s refusal to erase data after the breach, citing a 10-year retention policy, despite the complainant’s concerns and the fact that they had not worked at the EU institution for years.

The NGO also urged the EDPS to use its corrective powers to bring the EU institution into compliance and to impose an administrative fine to prevent future violations.

Under the GDPR, data should only be processed when necessary and relevant, according to Noyb. The Parliament’s 10-year retention period for recruitment files exceeds this standard, raising concerns.

This is especially so because these files may include sensitive data that should be protected under the GDPR, including ethnicity, political opinions, and sexual orientation. For instance, one of the complainants highlights that an uploaded marriage certificate inadvertently revealed the sexual orientation of a staff member, the NGO points out.

According to Noyb, the hack is especially concerning given the Parliament’s known cybersecurity weaknesses. A November 2023 review found its defences were below industry standards and not fully aligned with the threat posed by state-sponsored hackers.

The PEOPLE breach is the latest in a series of cyberattacks, including Russian hacks in 2022 and 2023 and Israeli spyware discovered on the devices of Members of the European Parliament in early 2024.

Passports, criminal records leaked in EU Parliament data breach

Identity cards, passports, excerpts of criminal records, and work experience documents were among the personal data of European Parliament employees compromised in a data breach, according to an internal email sent on Wednesday and seen by Euractiv.
