The EU has stated it isn’t subject to the General Data Protection Regulation, according to a report published in the Daily Telegraph.
The Daily Telegraph report followed up on an Indivigital report from earlier this week that found the institution is serving spreadsheets containing names, addresses, phone numbers and email addresses from its website Europa.eu.
Indivigital’s analysis also discovered the EU is serving third-party content from platforms like YouTube and Twitter.
The EU’s Cedefop website featured a site-wide Twitter feed under the “network” menu item that showcased the agency’s latest tweets. According to a snapshot on archive.org, the feed was still available as of 26th May. It was deleted on Tuesday or Wednesday of this week, and before its removal it was setting third-party cookies on users’ computers.
To this day, the EU’s website, which consists of upwards of hundreds of subdomains, still sets third-party cookies on users’ computers from organizations including YouTube and Google.
According to the report in the Daily Telegraph, EU officials have claimed Europa.eu is “separate from the data protection regulations for ‘legal reasons’”. The report also claims the EU will follow new legislation set to be enacted later this year that broadly “mirrors” the GDPR.
The GDPR has caused widespread upheaval as organizations have scrambled to update privacy policies and acquire more rigorous expressions of consent from users.
As a consequence of the GDPR, some organizations have begun blocking EU visitors from their websites and the world’s largest email marketing platforms have even publicly disagreed on how to interpret the new legislation.
The LA Times and the Chicago Tribune are two of the largest publications in the US to block EU visitors while organizations like USA Today are redirecting all EU visitors to new websites without advertising.
According to a report in the Financial Times, Global 500 organizations will each spend $16m, or a combined $8bn, on compliance costs for the GDPR this year.
A lot of this spend is a projected cost for hiring new employees to help shore up knowledge and facilitate new roles like that of Data Protection Officer.
Organizations found contravening the GDPR could face fines of up to €20 million or 4 percent of annual turnover.