Noyb Files Complaints Over European Parliament Data Breach


The European Parliament is under fire following a massive data breach affecting over 8,000 current and former employees. The European Parliament data breach, which occurred in the Parliament’s recruitment platform, “PEOPLE,” has prompted noyb, a privacy advocacy organization, to file two complaints with the European Data Protection Supervisor (EDPS).

The complaints highlight violations of the EU General Data Protection Regulation (GDPR) and call for corrective action and potential fines to prevent future infractions.

The European Parliament Data Breach and Its Implications

In early May 2024, the European Parliament notified its staff of a significant data breach in its PEOPLE platform, which is used for recruitment purposes. The European Parliament data breach compromised sensitive personal data, including ID cards, passports, criminal record extracts, and residence documents.

The breach also exposed highly sensitive information such as marriage certificates, which could reveal the sexual orientation of applicants. This incident has raised serious concerns about the Parliament’s ability to safeguard the personal data of its employees and applicants.

The Parliament only became aware of the European Parliament data breach months after it occurred, and the exact cause remains unknown. This delay in detection has exacerbated concerns, especially given that the Parliament had been warned about vulnerabilities in its cybersecurity systems.

According to noyb, the Parliament’s failure to secure such critical data is a gross violation of the GDPR, particularly Articles 4(1)(c) and (f), which pertain to data minimization and the lawful processing of personal data, as well as Article 33(1), which mandates the timely notification of data breaches.

Noyb’s Response and Legal Action

Noyb has taken action in response to the European Parliament data breach, filing complaints with the EDPS on behalf of four Parliament employees. The organization argues that the Parliament’s actions—or lack thereof—constitute clear violations of the GDPR. In particular, noyb has criticized the Parliament for retaining personal data far beyond what is necessary, a practice that contravenes the principle of data minimization outlined in Article 4(1)(c) of the GDPR.

One of the complaints also highlights the Parliament’s refusal to honor an erasure request made by an individual who had not worked for the institution for several years. Despite the individual’s concerns following the breach, the Parliament cited a 10-year retention period as the reason for denying the request.

Noyb has urged the EDPS to use its corrective powers to compel the Parliament to comply with GDPR regulations and has suggested the imposition of an administrative fine to deter future violations.

Known Vulnerabilities and Repeated Cybersecurity Failures

The European Parliament data breach is particularly concerning given the Parliament’s prior knowledge of its cybersecurity vulnerabilities. In November 2023, the Parliament’s IT department conducted a cybersecurity review that revealed the institution’s defenses were inadequate and did not meet industry standards. The review warned that existing measures were not fully aligned with the threat level posed by state-sponsored hackers.

This data breach is just one in a series of cybersecurity incidents that have plagued EU institutions in recent years. In November 2022, Russian hacking groups targeted the Parliament’s website, and in autumn 2023, multiple European governments were similarly attacked. In February 2024, a separate breach occurred in the Parliament’s security and defense subcommittee, where Israeli spyware was found on the devices of two Members of the European Parliament (MEPs) and a staff member.

Lorea Mendiguren, a Data Protection Lawyer at noyb, emphasized the gravity of the situation: “This breach comes after repeated cybersecurity incidents in EU institutions over the past year. The Parliament has an obligation to ensure proper security measures, given that its employees are likely targets for bad actors.”

The Broader Implications of the European Parliament Data Breach

The data breach not only exposes the Parliament’s failure to protect personal data but also raises broader concerns about the vulnerability of EU institutions to cyberattacks. Max Schrems, Chairman of noyb, expressed his concern about the ongoing cybersecurity issues within EU bodies: “As an EU citizen, it is worrying that EU institutions are still so vulnerable to attacks. Having such information floating around is not only frightening for the individuals affected, but it can also be used to influence democratic decisions.”

The breach has also shed light on the Parliament’s data retention practices, which appear to be excessive. The GDPR mandates that personal data should only be retained for as long as necessary for the purposes for which it was collected. However, the Parliament’s 10-year retention period for recruitment files, which contain highly sensitive information, seems to violate this principle. Schrems noted, “The breach also shows that just getting rid of personal data in time could likely have limited the impact of the breach.”

Moving Forward: The Role of the EDPS

As the complaints move forward, all eyes are on the EDPS to see how it will respond to this significant data protection failure. Noyb has called on the EDPS to enforce compliance with the GDPR and to impose fines that reflect the seriousness of the violations. The outcome of this case could have far-reaching implications for how EU institutions handle personal data and address cybersecurity risks.

For now, the European Parliament faces the challenge of rebuilding trust and implementing stronger security measures to prevent future breaches.
