Business
None Of Your Business files complaint against European Parliament
Flashback: on 26 April, the European Parliament informed the European Data Protection Supervisor (EDPS) of a massive data breach concerning its People recruitment platform. Anyone applying for a job at the institution must first register on this platform, which was launched in 2018, and provide a host of personal data: national identity card or passport, criminal record, marital status, certificate of residence or any other document proving an address, documents proving training and experience, military papers: a non-exhaustive list of documents that could potentially reveal a person’s ethnicity, political opinions, religious beliefs or sexual orientation.
According to the non-profit organisation NOYB (None Of Your Business), it is still unclear how this breach occurred, when it started and how long it lasted. It affected 8,000 current and former employees. The European Parliament informed those affected that all the documents they had uploaded had been compromised. On 31 May it advised them to replace their identity cards and passports as a precautionary measure, at the expense of the European Parliament.
European institutions vulnerable to cyber attacks
NOYB justifies the filing of these two complaints on behalf of four employees of the European institution by the fact that the European Parliament has not done enough to protect the personal data of its own staff. “This incident is particularly worrying, because the parliament has long been aware of cybersecurity vulnerabilities: in November 2023, the parliament’s IT department conducted a cybersecurity review – and concluded that the institution’s cybersecurity ‘has not yet met industry standards’ and that existing measures were ‘not fully in-line with the threat level’ posed by state-sponsored hackers. Not only that, but the People breach occurred alongside a number of other cyberattacks on EU institutions. Russian hacking groups attacked the parliament’s website in November 2022 and numerous European governments in autumn 2023. In February 2024, the parliament suffered a different breach in its security and defence subcommittee, when two MEPs and a staff member found Israeli spyware on their devices,” NOYB says on its website.
“As an EU citizen, it is worrying that EU institutions are still so vulnerable to attacks. Having such information floating around is not only frightening for the individuals affected, but it can also be used to influence democratic decisions,” comments Max Schrems, chairman of NOYB.
NOYB wants to set an example
NOYB also points out that the parliament is not complying with the requirements of the GDPR (General Data Protection Regulation) in terms of data minimisation and retention. While the European regulation requires EU institutions to process only data that is “adequate, relevant and limited to what is necessary for the purposes for which it is processed,” the retention period applied to such data is 10 years. For Schrems, “the breach also shows that just getting rid of personal data in time could likely have limited the impact of the breach.”
Among the four complainants is one whose request for erasure, made after the breach, the parliament allegedly refused, even though they had not worked at the institution for several years.
NOYB asked the European Data Protection Supervisor to use its remedial powers to order the parliament to bring its processing into line and suggested that the supervisory authority “impose an appropriate administrative fine to prevent similar violations in the future.”
The European Parliament’s line of defence
Questioned by Paperjam, the European Parliament said that it had taken note of the complaint and explained that it “constantly monitors security and cybersecurity, hybrid threats and threats linked to disinformation, as well as potential cyberattacks against its working environment, and rapidly deploys the necessary measures to prevent them.”
On the current case, the parliament provided the following clarifications: “the intensified efforts deployed by the European Parliament’s services against hybrid threats in the months leading up to the European elections led to the identification of a data breach – dating back to early 2024 – on an external application. The application concerned was suspended and corrected by the parliament’s services as soon as the vulnerability was identified. The application has been fully secured and is open to users.”
“As expected, the parliament immediately alerted the European Data Protection Supervisor (EDPS) after the detection to inform them of the potential risks related to the breach. In accordance with the parliament’s obligation and duty of care, in close cooperation with the EDPS, all active or past users potentially affected by the data breach have been duly informed and have received a set of recommendations. They also have a specific contact to answer any questions they may have. We understand the difficulties encountered and our departments are assisting the users concerned. They will continue to do so and to provide information and support,” said the institution.
The ball is now in the EDPS’ court.
This article was originally published in .