European Bodies Held Accountable for Privacy Violations
January 28, 2022
The European Data Protection Supervisor (EDPS) has found two European bodies, the European Parliament and Europol, to be in violation of European privacy regulations.
The European Parliament received sanctions for multiple violations stemming from a COVID-19 test booking website which the European Parliament launched using a third party. Six members of the European Parliament filed complaints about the site, alleging improper use of third-party trackers, confusing cookie consent banners, improper data transfer practices, and problems with transparency and data access, including lack of timely response to individual requests for data access. EDPS sanctioned the European Parliament and ordered that all outstanding problems be rectified within the month.
Europol has been ordered to delete much of its vast trove of personal data after failing to set appropriate data retention periods or filter personal data appropriately, in violation of data minimization and retention principles. Europol holds at least 4 petabytes – equivalent to about a fifth of the U.S. Library of Congress’s entire contents – of personal data amassed from crime reports, asylum seekers, and hacked encrypted phone services, among other sources. Much of this data has been mass-collected and is not linked to any specific criminal activity. The EDPS order imposes a 6-month retention period on data and orders Europol to delete all data it holds older than 6 months that has not been affirmatively linked to criminal activity.
These enforcement actions demonstrate a clear goal of consistent standards and enforcement of privacy protections, without exception for high-level organizations. EPIC has long advocated for clear and consistent data subject right protections and for holding government bodies accountable for privacy practices.