EDPS flags data protection issues on EU institutions’ Websites

Each of the institutions concerned has received recommendations from the EDPS on how to ensure their Websites are fully compliant with data protection rules and the relevant institutions have reacted swiftly to start rectifying the problems identified, the EDPS said.

“The responses to this remote inspection have been reassuring,” European Data Protection Supervisor Giovanni Buttarelli said in a statement. “The EU institutions responsible for the most important Websites have informed us of technical measures that they have implemented to significantly reduce the risks to security and privacy that were detected in our inspection. We have already received positive feedback from the inspected institutions concerning our recommendations, and we expect to be able to confirm that all remaining issues are resolved in a follow-up inspection.”

The EDPS inspection concerned the data protection compliance of public Web services, including Websites, controlled by the EU institutions and bodies, excluding their social network presence. It assessed compliance with Regulation 2018/1725, which sets out the data protection rules for the EU institutions and bodies, the ePrivacy Directive 2002/57EC and the recommendations provided to EU institutions and bodies by the EDPS in his “Guidelines on Web Services,” published in 2016.

For the first wave of inspections, which took place in August 2018, the EDPS selected ten public Websites, including those operated by the largest EU institutions and bodies and those that, due to the nature of their work, should apply special caution in their handling of personal data. Websites included those of the European Parliament, the shared Website of the European Council and the Council of the European Union, the European Commission, the Court of Justice of the EU, Europol, and the European Banking Authority. The EDPS also inspected the Websites of the European Data Protection Board (EDPB), the 2018 International Conference of Data Protection and Privacy Commissioners (ICDPPC 2018), and the EDPS Website itself.

To carry out the inspection, the EDPS developed a programme that automatically collects information on personal data processing by Websites. This information includes the use of cookies, Web beacons, page elements loaded from third parties, and the security of encrypted connections (HTTPS).

The inspection revealed that several of the Websites were not compliant with the regulation or with the ePrivacy Directive and did not follow the EDPS Guidelines on Web Services. One of the issues encountered was third-party tracking without prior consent. “This is especially problematic in cases where the third-party concerned operates under a business model based on the profiling and subsequent behavioural targeting of Website visitors,” the EDPS said. “Other issues encountered included the use of trackers for Web analytics without visitors’ prior consent and the submission of personal data collected through Web forms using non-encrypted connections.”

Due to the EDPS’ inspection findings, all inspected EU institutions now provide secure HTTPS connections and have significantly reduced the number of third-party trackers they use. The inspection’s summary findings were presented by the EDPS and discussed with the network of data protection officers in the EU institutions.

The EDPS said it will follow up on the efforts of the EU institutions inspected while also continuing Website inspections in the months to come. The next wave of Website inspections will focus on the most visited Websites of the EU institutions and bodies.