A recent inspection by the European Data Protection Supervisor (EDPS) found that the websites of major EU institutions and bodies were far from secure with respect to data protection and data security.

The EDPS inspected EU institutional websites, including those of the European Parliament, the shared website of the Council and the Council of the European Union, the Commission, the Court of Justice, Europol, and the European Banking Authority. The EDPS also inspected the websites of the European Data Protection Board (EDPB), the 2018 International Conference of Data Protection and Privacy Commissioners (ICDPPC 2018), and the EDPS website itself.
“The responses to this remote inspection have been reassuring. The EU institutions responsible for the most important websites have informed us of technical measures that they have implemented to significantly reduce the risks to security and privacy that were detected in our inspection,” said the EDPS’ Giovanni Buttarelli on 3 June, while also suggesting that the feedback received was positive. “We expect to be able to confirm that all remaining issues are resolved in a follow-up inspection.”
The EDPS selected ten public websites, including those operated by the largest EU institutions and bodies and those that, due to the nature of their work, should apply special caution in their handling of personal data. Each of the institutions received recommendations from the EDPS on how to ensure that their websites are fully compliant.
To carry out the inspection, the data protection watchdog developed a programme that automatically collects information on personal data processing by websites, including the use of cookies, web beacons, page elements loaded from third parties, and the security of encrypted connections (HTTPS).
One issue of particular concern for the EDPS was third-party tracking without prior consent, a highly problematic development, as there are cases where the third party concerned operates under a business model based on the profiling and subsequent behavioural targeting of website visitors.

The EDPS also identified the use of trackers for web analytics without visitors’ prior consent, and the submission of personal data collected through web forms over non-encrypted connections, as a major source of concern. However, all of the EU institutions that took part in the exercise are now providing secure HTTPS connections and have significantly reduced the number of third-party trackers they use.