Following a major breach of the European Parliament's recruitment system in April 2024, in which sensitive personal information was exposed, the digital rights NGO Noyb filed two legal complaints against the EU institution on Thursday (22 August) for alleged violations of data protection law.
In May, the Parliament said it had experienced a data breach in its recruitment application, PEOPLE, which is used to hire temporary staff. The breach was confirmed to have taken place in April, when sensitive personal data such as identity documents, criminal records, and work experience was exposed.
Concerns had been raised at the time about the delayed notification and the potential misuse of the compromised data. The Parliament recommended that affected individuals replace their IDs and passports as a precaution, offering to cover the associated costs.
Now, the NGO Noyb, the European Center for Digital Rights, has filed two complaints with the European Data Protection Supervisor (EDPS) on behalf of four Parliament employees, noting that the data of more than 8,000 staff was affected, including the data of former employees.
“As an EU citizen, it is worrying that EU institutions are still so vulnerable to attacks. Having such information floating around is not only frightening for the individuals affected, but it can also be used to influence democratic decisions,” said Max Schrems, activist and chairman of Noyb.
Back in May, the EDPS confirmed to Euractiv that it had been notified about the breach less than 72 hours from the moment the Parliament became aware of it.
Euractiv contacted the EDPS for a comment, but they declined, saying they do not provide statements on complaints.
The supervisor can, however, investigate complaints and use corrective measures if EU institutions violate data protection rules, including issuing warnings, enforcing compliance with data access requests, banning data processing operations, imposing fines, or referring cases to the Court of Justice of the European Union.
The complaints
Noyb believes the breach highlights the Parliament’s non-compliance with the General Data Protection Regulation’s (GDPR) data minimisation and retention requirements.
The GDPR's data minimisation rules require organisations to collect and retain only the minimum amount of personal data necessary for a specific purpose. The retention requirement sets limits on how long this data can be stored, ensuring it is not kept longer than necessary.
One of the legal complaints involves the Parliament’s refusal to erase data after the breach, citing a 10-year retention policy, despite the complainant’s concerns and the fact that they had not worked at the EU institution for years.
The NGO also urged the EDPS to use its corrective powers to bring the EU institution into compliance and to impose an administrative fine to prevent future violations.
Under the GDPR, data should only be processed when necessary and relevant, according to Noyb. The Parliament's 10-year retention period for recruitment files exceeds this standard, which raises concerns.
This is especially so since these files may include sensitive data that should be protected under the GDPR, such as ethnicity, political opinions, and sexual orientation. For instance, the NGO points out that one of the complainants highlights how an uploaded marriage certificate inadvertently revealed a staff member's sexual orientation.
According to Noyb, the hack is especially concerning given the Parliament's known cybersecurity weaknesses. A November 2023 review found its defences were below industry standards and not fully aligned with the threat posed by state-sponsored hackers.
The PEOPLE breach is part of a series of cyberattacks, including Russian hacks in 2022 and 2023, and Israeli spyware discovered on the devices of Members of the European Parliament in early 2024.