EU parliament quietly keeps visitors' wi-fi data
Journalists and anyone else logging into the European Parliament's wi-fi may in the future want to think twice.
The Brussels-based institution says it reserves the right to monitor individual users on its publicly-financed wi-fi networks set up by commercial providers like UK firm BT. It also collects personal data, stored on servers in Brussels and Luxembourg, which it then retains up to six months.
Join EUobserver today
Become an expert on Europe
Get instant access to all articles — and 20 years of archives. 14-day free trial.
Choose your plan
... or subscribe as a group
Already a member?
An IT support technician working at the European Parliament and speaking on the condition of anonymity, told this website on Tuesday (15 October) that the issue of retaining the data for six months had been discussed "but they told us to keep doing it."
The technician says they retain the encrypted data should a government or someone inside the European Parliament want access.
Asked if anyone has made a request for it, the source said no.
A flurry of legal challenges have since hit the UK's so-called snooper's charter, the Investigatory Powers Act, which entitles authorities access to data stored by British telecom operators.
For its part, the European Parliament's terms and conditions references the EU's data protection regulation (GDPR), which allows the collection and processing of personal data if there is consent.
People who agree to those terms, which is required before being given access to the internet, allow the parliament's internal IT department to process the data. But the type of data processed is not mentioned in the conditions, despite rules that require them to spell it out.
The European Parliament says such data is not transferred to BT or any other supplier. "By doing so, they would be breaching the contract and several laws", a spokesperson told EUobserver, in an email.
Although it does not collect individual emails, the parliament's terms and conditions also advises users to "not transmit messages via the internet which they wish to remain fully private" for security reasons.
Fine print
Journalists working in the European Parliament's press room can also access the internet through a personalised and dedicated account.
But using such an account in the press room also means the reporter's IP address is likely attached to the data collected before it is purged six months later.
Others who log in to the European Parliament's visitor wi-fi are also affected, although their names remain unknown.
"The European Parliament reserves the right to monitor network use by individual users," says the terms and conditions of use to access the assembly's visitors wi-fi.
It also points out data is retained for six months.
"This is done in cases where it is necessary in response to duly substantiated requests made in connection with an investigation," it states.
Asked to explain, European Parliament spokeswoman said the terms and conditions apply to everyone.
"This is just a basic text for wi-fi users in the European Parliament," she said.
She said the conditions were aligned with the European data protection rules specific to the EU institutions.
In 2016, the European Court of Justice (ECJ) in Luxembourg said drawing up legislative measures when it comes to the "general and indiscriminate retention" of data is illegal. It said authorities can only order targeted data retention to fight serious crime.