By Harry Pettit for MailOnline
An ‘embarrassing’ leak shows the European Union has fallen short of its own data protection laws.
The European Commission’s website has published 700 records, including the names, addresses and mobile numbers of conference attendees, according to a report.
Officials in Brussels admitted the authority that designed the rules is not itself compliant with the General Data Protection Regulation (GDPR).
The Commission has previously warned that those who breach these rules, which came into force last week, could face millions in fines.
Following the leak, a spokesperson said the authority was exempt from GDPR laws for ‘legal reasons’.
Officials in Brussels will follow a similar set of new laws that ‘mirror’ those laid out in GDPR.
These rules will not enter force until autumn, according to the Telegraph.
The spokesperson added that the Commission is ‘taking and will continue to take all the necessary steps to comply’.
GDPR aims to strengthen and unify data protection for all individuals within the EU, which means cracking down on how companies use and sell user data.
Under GDPR, companies are required to report data breaches within 72 hours, as well as allow customers to export their data and delete it.
Companies scrambled to comply with the rules before they were ratified on May 25, with the Commission threatening hefty fines for those who breached them.
The bureaucracy’s website exposed 700 records that include people’s names, professions, and even some postcodes and addresses.
The records, some of which featured the private information of Britons, were collected during EU meetings and conferences and stored on data spreadsheets.
Tech website Indivigital found the documents are among thousands hosted by the website Europa.eu that are freely accessible online.
Many of them could be found by simply searching for the document on Google.
This leak would constitute a breach of GDPR rules were the blunder committed by other organisations or businesses.
What is GDPR?
The General Data Protection Regulation is an EU-wide law that came into force on May 25 2018.
It gives greater power to regulators to penalise companies who mishandle personal data or are not transparent about how their business uses it.
For consumers, it brings new powers that require firms to obtain clear consent from users before processing their data.
It also grants users a right to easily access the data collected from them and transparency on how it is being used.
Everyday users have to do very little to comply with GDPR – it’s more targeted at big online businesses.
Under the new rules, any company that controls or processes the data of EU citizens must adhere to the GDPR guidelines.
This ends the territorial-based accountability that some firms not based in the EU previously used to avoid sanction.
The law also states that notification of a data breach must occur within 72 hours of being first discovered, increasing transparency around leaks.
The weight of fines able to be issued has also increased under GDPR.
Regulators will be able to issue penalties of up to four per cent of annual global turnover or 20 million euro (£17.5 million) – whichever is greater.
For tech giants such as Google and Facebook, this could mean the risk of fines running into the hundreds of millions.
Fines for such a breach can reach up to £17.5 million ($23 million) or four per cent of global turnover – whichever is largest.
Jon Baines, a data protection expert at law firm Mishcon de Reya, described the ‘irony’ of the EU’s admission.
‘Although the information disclosed here does not appear to be particularly sensitive, it does raise questions about the general level of compliance, and whether any further inadvertent disclosures have been made,’ he told the Telegraph.
Steve Gailey, security expert at database security firm Exabeam, added that the exposure ‘is embarrassing for the EU, coming hot on the heels of GDPR’.