EU Commission Sued For Violating Its Own Data Protection Rules

We've highlighted for years the problems with the data protection regime in the EU, mainly the GDPR, but other aspects as well. The underlying idea - that people have a right to have their data protected - may seem sound and logical, but in practice it's generally been a total mess*, that has likely caused much more harm than its solved. We recently wrote about the surprising news that the EU's top data protection official was finally admitting that the GDPR really hasn't worked out the way anyone expected, which was so surprising since it's become important for EU data protection" experts to prop up the myth that the GDPR has been a success.

Of course, rather than recognize that it's the entire framework of the GDPR that is the problem, the official insisted that the real problem was not enough enforcement by data protection authorities. Basically it's not the law that's wrong, it's the fact that we haven't punished more companies." The logic there could make sense if the real problem were that companies don't actually care about how they make use of our data (which may be true in some cases, but actually seems much rarer than most people believe).

But, that belief that more enforcement is the answer starts to look a lot more questionable when the actual issue might be that the rules and the framework of the GDPR are impossible to comply with.

And, just to put an exclamation point on that, the EU Commission itself has now been sued for violating its data protection rules. This is not technically the GDPR, as (of course) the Commission is exempt from the GDPR itself, but does have other, mostly similar, data protection rules it must follow.

The litigation regards the website of the Conference of the Future of Europe, a conference meant to engage EU citizens in deciding the future of the bloc and its member states.

Amazon Web Services host the website, hence when registering for the event, personal data such as the IP address is transferred to the United States.

Moreover, the Commission's website also allows users to log in via their Facebook accounts. The US-based social media has also been challenged for illegally transferring personal data to the US, and a complaint in this regard is currently being looked into by the Irish Data Protection Commissioner.

As the European Commission is the website's operator, the plaintiff asked for information on how personal data is processed in two inquiries. According to the lawsuit, one of the inquiries was answered incompletely, and the other was not answered at all, violating the information rights under the data protection law.

There are a few things to comment on here. First, the underlying issue is the failure of the successive EU/US agreements on data sharing/transfers, which, as we've noted, really has a single issue at the crux: the NSA's spying on the internet. The US could fix all that by stopping such overly intrusive mass surveillance, but instead has basically hung the US internet sector out to dry by pretending the real problem is their data protection practices (which are often way better than just about any other industry).

But, as it stands, right now it's effectively a violation of EU data protection laws to use the most widely used American internet services.

The second, more important point, is that this (once again) shows how the problem is not necessarily the lack of enforcement, but rather the ridiculous nature of the framework, in which no one can actually comply with the rules in a reasonable manner. Even the EU Commission itself.

And this isn't the first time this kind of thing has been pointed out. Soon after the GDPR went into effect, people noticed that the EU Parliament's own website likely violated the law.

This should lead people to recognize that maybe the framework we have here is wrong. The issue isn't that we need more fines and more aggressive enforcement - because all that does is drive up compliance costs on a system that is impossible to fully comply with no matter what anyone does. And the biggest companies can easily pay off these fines.

For everyone else: you're basically screwed. Anyone who wants to cause trouble for basically anyone with a website in the EU can find some way in which a website is not in compliance and then basically create a huge hassle for them.

Should we find better ways for people to keep their data safe and away from misuse? Absolutely. Is that answer to create a cumbersome, impossible to comply with, system of confusing laws that requires expensive lawyers to constantly give you non-committal answers on how to minimize your risk? It doesn't seem like it. Is the answer to make sure that no one in the EU can actually make use of useful online services? Also doesn't seem like it.

There has to be a better way. But, rather than look for the better way, so many people seem content with assuming that this is the way things have to be done: by creating ridiculously complex laws that basically make it legally risky to have a website. And, of course, it's spreading. In many ways, the California privacy law is modeled on a similar framework to the GDPR and has already created messes for businesses in California. And other states are looking to do the same.

The very fact that the EU Commission itself can't comply should be seen as a flashing warning sign that the problem is the framework of the law.

* For what it's worth, every time I write about the GDPR, data protection" experts in the EU get furious with me. But none have ever been able to explain how this setup makes any sense or how whatever benefits they insist accrue as a result of this regime outweigh the very obvious problems (which they rarely seem willing to acknowledge).