Four political groups have sent letters to the European Parliament President asking for further details, action, and “responsibilities” related to a recent data breach that affected a significant amount of employees’ personal data, including passports.
Three of the groups, the Greens, The Left, and Renew, asked for the matter to be discussed at the next meeting of the Parliament’s Bureau, scheduled for 24 June, in the letters seen by Euractiv. The Bureau is the body responsible for administrative matters and lays down the Parliament’s rules.
The Socialists (S&D) argued in their letter that “a general discussion on handling this type of data seems needed, as well as on the responsibilities of the European Parliament in case of damages caused”.
The liberal Renew Europe group is also demanding that the Parliament “offer the staff an Identity Theft Protection or an insurance against the misuse of their data”.
The letters, sent on 27 May, were signed by the presidents and vice presidents of the Greens, The Left, Renew, and S&D. They raised questions about how the Parliament handled the incident and asked for more information on current progress and next steps for securing the application.
“Internal analysis to see how systems and processes can continue to be reinforced and ensure further protection against hybrid threats is in place”, an EP spokesperson told Euractiv when asked about the letters.
On 6 May, the Parliament’s HR department sent an email to staff notifying them of a “data breach” they had discovered on 25 April. It dated back to “the beginning of 2024,” the email said.
The issue was discovered through checks by the EP’s cybersecurity team, spokespeople told Euractiv.
The Parliament notified the European Data Protection Supervisor (EDPS), the authority responsible for data leaks at EU institutions, within 72 hours, as specified in the relevant regulation, an EDPS spokesperson told Euractiv.
The incident is covered by EUDPR, a data protection regulation similar to GDPR, the EU’s general data privacy regulation, but applicable to EU institutions.
Legal implications
The parliament is required to inform the data subject “without undue delay” about the breach. “The communication should describe the nature of the personal data breach as well as recommendations for the natural person concerned to mitigate potential adverse effects,” the regulation states.
Details of what data was leaked were only revealed to staff on 22 May, and a contact person was appointed on that later date, the Parliament spokesperson said.
The affected staff were advised to change their passports and IDs on 30 June, almost a month after the initial communication. The Parliament said in its email it would reimburse related costs.
The fact that the communication came in waves could indicate that “they were overly cautious and wanted to be a step ahead in terms of informing the data subject and be transparent,” said Claude-Etienne Armingaud, a partner at law firm K&L Gates who focuses on privacy and tech law.
The lawyer identified five potential points of failure which, if confirmed, could justify possible action from the data protection authority: a lapse in security, an unjustified amount of data being collected, data being kept for an unjustified amount of time, or an incomplete communication to the data subject.
As this is a high-profile case, it is likely to be followed up by the EDPS, Armingaud said.
In another case, in March, the EDPS found that the European Commission had breached data protection rules in its use of Microsoft Office products.
[Edited by Eliza Gkritsi/Zoran Radosavljevic]