The European Parliament's headache over a major human resources data breach earlier this year just won't fade.

Austria-based digital rights group noyb on Thursday said it had filed two complaints against the European Union institution for infringing the bloc's flagship privacy law, the General Data Protection Regulation (GDPR), over a data breach discovered before the summer.

In June, Parliament notified up to 9,000 staffers that it had suffered a data breach of its recruitment application PEOPLE, which contained staffers’ ID details, birth certificates, employment history, medical records, marriage certificates — which revealed sexual orientation — and proof of work dating back 10 years.

Following the leak, Parliament advised those affected to replace their IDs and passports as a precautionary measure and offered to reimburse the costs.

On Thursday, the noyb said it had lodged two complaints with the European Data Protection Supervisor (EDPS) on behalf of four Parliament employees. Both complaints claim that the institution infringed the GDPR given that the breach compromised the confidentiality of personal data, the institution’s storage practices enabled the breach, and it “lacked adequate security measures” despite known cybersecurity vulnerabilities, citing two previously reported articles by POLITICO.

But the first represents a complainant whose sexual orientation was revealed following the leak of a certificate — which, according to noyb, is a special category of data.

“This breach comes after repeated cybersecurity incidents in EU institutions over the past year,” Lorea Mendiguren, data protection lawyer at noyb, said in a statement. “The Parliament has an obligation to ensure proper security measures, given that its employees are likely targets for bad actors.”

The second alleges that Parliament refused to erase the personal data of a complainant made after the breach, even though the complainant hadn't worked at the institution since 2018, which noyb deems "unnecessary."

“The breach also shows that just getting rid of personal data in time could likely have limited the impact of the breach,” Max Schrems, noyb's co-founder, said in a statement.

Noyb alleges that the Parliament still doesn’t seem to know the cause of the breach and asks the EDPS to use its powers to bring the institution's processing into compliance. The rights group also suggests that the EDPS impose an "appropriate administrative fine" to prevent similar violations in the future.

The Parliament did not respond to a request for comment in time for publication.

Politico

More about: