Privacy group files complaints against European Parliament over data breach

The European Parliament is facing scrutiny over its data protection practices following a significant breach of personal information.

Austrian privacy advocacy group NOYB (None Of Your Business) has lodged two complaints with the European Data Protection Supervisor (EDPS) against the institution, citing inadequate security measures and potential violations of data protection regulations.

The complaints stem from a massive data breach affecting the Parliament's recruitment platform, PEOPLE, which was disclosed on 26 April 2024. More than 8,000 current and former employees had their personal data compromised, including sensitive documents such as passports, criminal record extracts, and marriage certificates.

Lorea Mendiguren, data protection lawyer at NOYB, expressed concern about the breach, stating, "This comes after repeated cybersecurity incidents in EU institutions over the past year. The Parliament has an obligation to ensure proper security measures, given that its employees are likely targets for bad actors."

The incident is particularly alarming as it follows a series of cybersecurity vulnerabilities identified within EU institutions. In November 2023, an internal review by the Parliament's IT department concluded that its cybersecurity measures "had not yet met industry standards" and were "not fully in-line with the threat level" posed by state-sponsored hackers.

Max Schrems, chairman of NOYB, commented on the broader implications of the breach: "As an EU citizen, it is worrying that EU institutions are still so vulnerable to attacks. Having such information floating around is not only frightening for the individuals affected, but it can also be used to influence democratic decisions."

The complaints filed by NOYB allege that the European Parliament has breached several articles of the EU General Data Protection Regulation (GDPR). Of particular concern is the Parliament's data retention policy, which keeps recruitment files for 10 years – a practice NOYB argues violates the GDPR's data minimisation principle.

"The breach also shows that just getting rid of personal data in time could likely have limited the impact of the breach," Schrems added.

NOYB is calling on the EDPS to use its corrective powers to order the Parliament to bring its data processing practices into compliance with GDPR requirements. The group has also suggested that the supervisor impose an appropriate administrative fine to deter similar violations in the future.

The European Parliament advised affected individuals on 31 May to replace their identification documents as a precautionary measure, offering to reimburse the associated costs. However, at the time of the complaint filing, it remained unclear how long unauthorised parties had access to the applicants' personal data.


