EU websites track users without warning, against own rules


EXCLUSIVE / European institutions are tracking users of their web sites, in breach of the EU's own data protection rules, EURACTIV has learned. The fact has been confirmed by Europe’s data protection watchdog, in an interview with EURACTIV, while Brussels is reviewing privacy legislation to tackle the abuse.

The European Data Protection Supervisor, Peter Hustinx, said that institutions were aware of the problem, that new guidelines are being drawn up to deal with the issue, and that his own office avoided using EU institutional software last year  because he realised they were “inappropriate”.

The breach admission comes in the wake of recent reports of the US National Security Agency’s (NSA) alleged Prism scheme, about which Hustinx said he was deeply concerned, and called for “profound clarification, explanation and justification”.

Under European rules for web cookies – data items that can track users’ internet browsing histories – web sites should seek consent from users to store inessential data.


Institutions are aware of the problem

The European Commission's homepage sets cookies to store information on surveys – which are not essential to the operation of its website – and technically they should warn about keeping the data.

Users browsing the Commission’s EURES homepage are tracked by Google Analytics without warnings, in clear breach of the current data protection rules. EURACTIV has evidence of similar breaches on the Parliament’s web site.

Contacted by EURACTIV in relation to the issue late last week (14 June), the Commission has not yet replied.

Hustinx told EURACTIV he recognised the problem. “We are aware of the problems with cookies and web tracking on EU web sites and there is a legal and technical side to this,” he said.

The watchdog explained that rules governing the use of cookies were introduced in 2009, but data protection regulations governing the institutions were adopted much earlier, in 2001, and have never been updated so that rules on cookies could be included.

New guidelines are underway

Hustinx said that his office was currently preparing new guidelines for website and email use, and said these would also address the issues of tracking and cookies.

Hustinx admitted that last year, when his office organised an on-line opinion survey as part of a strategic review, he discovered that using the EU institutions methodology “would not have been appropriate”. Instead he used “another operator which respected the existing cookie rules”.

Hustinx also reacted to recent reports following whistleblower Ed Snowden’s revelations that the NSA has secret wide-reaching authority to snoop on emails and internet communications using a data-mining programme called Prism.

According to documents leaked to the Washington Post and Guardian newspapers, the programme gave US officials access to emails, web chats and other communications from companies like Google, Facebook, Twitter and Skype.

“The story is profoundly troubling. I am deeply concerned and I think it requires very profound clarification, explanation and justification,” Hustinx said.

Answers are not reassuring so far

Such justification was needed to clarify the scale and size of privacy incursions, Hustinx said, but also to clarify the legal situation underpinning any security programme.

“In order to be acceptable it has to be on the basis of clear law, providing predictability, proportionality, and adequate safeguards. I must say that the answers are not reassuring so far,” said the data watchdog.

Meanwhile Hustinx praised recent attempts by the Irish EU presidency to find a compromise on the controversial new data protection regulation, saying that a new text recently produced by the Irish “seems to be moving in the right direction”, and represented “a huge step forward”.

Europeans have reacted angrily to revelations that US authorities had tapped the servers of internet companies for personal data, saying such activity confirmed their fears about American Web giants' reach and showed that tighter regulations were needed just as the EU and US are about to launch transatlantic trade talks.

Meanwhile, the European Commission published in January 2012 a broad legislative package aimed at safeguarding personal data across the EU.

The package consists of two legislative proposals: a general regulation on data protection (directly applicable in all member states) and a specific directive (to be transposed into national laws) on data protection in the area of police and justice.

The two proposals have been discussed extensively in the European Parliament and the Council and are due to be voted on by the Parliament in the near future.

  • June-July 2013: European Parliament continues to find agreement on new data protection regulation

Subscribe to our newsletters