EU Parliament breached data protection laws on its Covid-19 website

11 Jan 2022

Image: © Grecaud Paul/Stock.adobe.com

This is one of the first decisions implementing the Schrems II ruling and may set a precedent for EU-US data transfer cases.

The European Parliament has been reprimanded by the privacy watchdog overseeing EU institutions for violating data protection rules on its internal Covid-19 testing website.

This site, dedicated to testing for members and officials, failed to comply with directives around transatlantic data flows, the European Data Protection Supervisor (EDPS) found.

On behalf of six MEPs, Vienna-based non-profit digital rights group NOYB filed a data protection complaint against the European Parliament in January 2021. The issues raised were deceptive cookie banners, unclear data protection notices and the illegal transfer of data to the US through cookies from Google Analytics and payment provider Stripe.

According to the Schrems II ruling in July 2020, transfers of personal data from the EU to the US can only take place if there is a sufficient level of protection. The EDPS said the European Parliament had not ensured an adequate level of protection for the personal data transferred to the US “in the context of the use of cookies on its website”.

NOYB said this is one of the first cases based on the Schrems II verdict and may set precedent for other pending cases.

“The EDPS made it clear that even the placement of a cookie by a US provider is violating EU privacy laws,” said Austrian privacy campaigner and NOYB chair Max Schrems.

“No proper protections against US surveillance were in place, despite the fact that European politicians are a known target for surveillance. We expect more such decisions on the use of US providers in the next months, as other cases are also due for a decision.”

The complaint also said that information on the website’s cookies was unclear, as not all cookies were listed by the banners and the information changed when using different languages. The EDPS agreed that this violated transparency obligations.

The European Parliament now has one month to update its data protection notice and address any remaining issues regarding transparency.

“The EDPS notes that the Parliament has been consistently responsive and collaborative throughout the investigation of the complaint, and that as at the date of the decision most of the infringements have been remedied,” the data supervisor said in its decision.

One of the complainants, MEP Patrick Breyer, said: “The Schrems II ruling was a great victory for the protection of our privacy and the confidentiality of our communications and internet use. Unfortunately, this case shows that our data is still being illegally transferred to the US in large numbers.”

Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic

editorial@siliconrepublic.com