• 82 per cent of EU government websites are tracking user behaviour in blatant contravention of EU law
• Only Germany, the Netherlands and Spain have clean hands.
• Cookies from 112 commercial companies embedded in government websites
• Privacy and control over personal data? In your dreams!

Please note that this is not an April Fool's Day joke, although it should be. The European Union (of which the UK remains a member as of this April 1) last year introduced the widely-welcomed and popular General Data Protection Regulation (GDPR) which gives individuals control over their personal data.

Under GDPR, any organisations, businesses or bodies that have any form of access to or control over the personal data of individual EU citizens must have in place a range of technical and organisational measures to implement the data protection principles of the Regulation and safeguard personal data or face swingeing financial and other penalties.

Private data must not be publicly accessible without explicit, informed consent and cannot be used to identify a subject without additional information that is stored separately. What's more, no personal data may be processed unless under requirements and safeguards specified by the GDPR, or unless the a known and nominated data controller or processor has received an unambiguous and individualised consent from the data subject, who maintains the right to revoke the consent at any time.

It's a shame then that an investigation by members of the European Parliament (MEPs) has revealed that 25 of the government websites of the 28 countries that comprise the EU are riddled with hidden, undisclosed ad-tech trackers. Yes, the government sites are in direct contravention of the GDPR and only Germany, the Netherlands and Spain have clean hands and clean consciences. The remaining 25 member States are a bloody disgrace.

The report shows that at least 112 commercial companies have cookies embedded in EU government websites and these track user's browsing patterns. MEPs, declaring the revelations to be "a dreadful state of affairs" are demanding that the European Council and the EU's data protection authorities and regulators take immediate action to purge the government websites of the offending cookies.

MEPs say the fact that the trackers are in place and operating on government websites is particularly cynical and insidious and their existence will be detrimental to citizens’ trust in the EU's over-arching institutions and legislation. MEPs Sophie in 't Veld of the Netherlands and Birgit Sippel of Germany have written to the European Council to ask "if citizens are even being tracked on official websites of the government" it "poses a threat to the fundamental rights of citizens and therefore needs to be ended?" The answer is, of course, Yes!

Meanwhile, the head of the European Data Protection Board (EDPB), Andrea Jelinek, says the use of hidden embedded trackers is in contravention of the GDPR itself. She says, "Given the very detrimental consequences for citizens' perception on the extent to which GDPR can protect them against the advertisement industry, even on government websites, it would be necessary for these practices to be ended as soon as possible." And just hazard a guess as to which company's cookies has the lion's share of trackers on government websites. Yes, it's Google. Now there's a surprise.

The MEPs are also demanding that the European Council gets its finger out and quickly adopts the European ePrivacy Regulation which is complementary to the GDPR and was actually designed and developed alongside it. It addresses communications data in the same way that the GDPR deals with personal data.

However, for reasons no-one seems to be able to articulate or fathom it has been stuck in a bureaucratic siding for years. Indeed, the European Parliament actually approved the final text of the ePrivacy regulation back in summer of 2018 but nothing has happened since. Maybe the latest revelations will give the process the kick up the jacksie it so richly deserves.