EU Parliament website violates GDPR

After reading an interview (German content) of the EU Commissioner for Justice, Consumers and Gender Equality Věra Jourová with the German newspaper “Die Zeit”, in which she stated that the GDPR is so easy, even she could implement it, I got very curious and wanted to see how compliant the EU’s websites are.

It took me less than five minutes to spot a violation: on the website of the EU Parliament, Google Analytics is being used to track visitors without the necessary anonymizeIP flag, which in turn causes Google to store the complete IP address without anonymizing the last octet. You can take a look for yourself by checking the source code of this page (archived version in case it gets fixed in the meantime).

Source code snippet without the anonymizeIP flag

This is a violation of the GDPR, since the personal data (IP address) in conjunction with analytics data is being stored on Google’s servers without consent or any other legal basis. Seems like the EU is not quite ready for May 25th, yet ;-)

You can find more information about anonymizeIP here. Here’s a list, courtesy of the EU Commission, of what is considered personal data. With regard to GDPR implementation, ICO’s Guide to the General Data Protection Regulation is a great resource.
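The manual source-code check described above can be automated for your own pages. The following is an added example, not code from the original post: it goes beyond the analytics.js case and also covers the ga.js and gtag.js forms of the flag as Google documents them. The names `auditAnalytics`, `VARIANTS` and `SAMPLES` are hypothetical, and the sample pages and the `UA-XXXXXXX-Y` property ID are constructed placeholders.

```javascript
// Added example: audit page HTML for Google Analytics hits sent without
// IP anonymization. All sample pages and property IDs are constructed.

// Each GA library has its own anonymization switch. `hit` matches the call
// that sends data, `anon` the call that turns anonymization on.
const VARIANTS = [
  { library: 'analytics.js',
    hit: /\bga\(\s*['"]send['"]\s*,\s*['"]pageview['"]/,
    anon: /\bga\(\s*['"]set['"]\s*,\s*['"]anonymizeIp['"]\s*,\s*true\s*\)/ },
  { library: 'ga.js',
    hit: /_gaq\.push\(\s*\[\s*['"]_trackPageview['"]/,
    anon: /_gaq\.push\(\s*\[\s*['"]_gat\._anonymizeIp['"]\s*\]/ },
  { library: 'gtag.js',   // flag lives inside the config call itself
    hit: /\bgtag\(\s*['"]config['"]\s*,\s*['"][^'"]+['"]/,
    anon: /\bgtag\(\s*['"]config['"]\s*,\s*['"][^'"]+['"]\s*,\s*\{[^}]*['"]?anonymize_ip['"]?\s*:\s*true/ },
];

function auditAnalytics(html) {
  // Look only at <script> bodies, after dropping HTML comments so that
  // commented-out snippets are not reported.
  const js = [...html.replace(/<!--[\s\S]*?-->/g, '')
    .matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)]
    .map((m) => m[1]).join('\n');
  const findings = [];
  for (const v of VARIANTS) {
    const hit = js.search(v.hit);          // first sending call of this library
    if (hit === -1) continue;              // library not used on this page
    const anon = js.search(v.anon);
    // The flag only covers hits sent after it was set, so order matters.
    findings.push({ library: v.library, anonymized: anon !== -1 && anon <= hit });
  }
  return findings;
}

const page = (body) => `<html><head><script>${body}</script></head></html>`;
const SAMPLES = {
  missing: page(`ga('create', 'UA-XXXXXXX-Y', 'auto'); ga('send', 'pageview');`),
  fixed: page(`ga('create', 'UA-XXXXXXX-Y', 'auto');
    ga('set', 'anonymizeIp', true); ga('send', 'pageview');`),
  tooLate: page(`ga('send', 'pageview'); ga('set', 'anonymizeIp', true);`),
  gtag: page(`gtag('config', 'UA-XXXXXXX-Y', { 'anonymize_ip': true });`),
};

for (const [name, html] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(auditAnalytics(html)));
}
```

This is a static heuristic over inline scripts: it inspects only the first sending call per library and does not see tags injected by a tag manager or flags passed in a per-hit field object, so a clean result still warrants a look at the actual network requests.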

Reach out to me via Twitter (@cerebuild) or e-mail at matthias@gliwka.eu. You can find the legal notice required by German law on most websites here.
