EU watchdog condemns Parliament over illegal data transfer from COVID website


The European Data Protection Supervisor (EDPS) issued a reprimand to the European Parliament on January 5 for violating the bloc’s privacy laws.

The decision follows October 2020’s complaint from six MEPs, later supported by the non-profit privacy organisation noyb.

The complaint came after it was revealed that the internal COVID-19 testing website where lawmakers and Parliament’s staff could book an appointment to get tested was transferring data outside the EU, through cookies of the US-based companies Google and Stripe.


The EU Court of Justice ruled in July 2020 that the US does not offer protection that matches the legal framework provided by the bloc and that the transfer of personal data to the US must therefore be subject to very strict conditions.

In the decision seen by EURACTIV, the EDPS noted that the “Parliament provided no documentation, evidence or other information regarding the contractual, technical or organisational measures in place to ensure an essentially equivalent level of protection to the personal data transferred to the US in the context of the use of cookies on the website.”

“The EDPS made it clear that even the placement of a cookie by a US provider is violating EU privacy laws”, said Max Schrems, Honorary Chairman of noyb.

“No proper protections against US surveillance were in place, despite the fact that European politicians are a known target for surveillance. We expect more such decisions on the use of US providers in the next months, as other cases are also due for a decision,” he added.

The complainants also argued that the cookie banners were unclear and deceptive, making it impossible for the user to give informed and valid consent. “The cookie banner further failed to provide transparent information regarding the processing of personal data in relation to the cookies on the website”, agreed the EDPS.

The European Parliament was criticised on the legal basis of the Data Protection Regulation applicable to the institutions. Fines are only allowed to be issued in limited circumstances.

Most of the shortcomings were fixed while the investigation was ongoing. The EU privacy watchdog has given the Parliament one month to address the remaining issues.

[Edited by Nathalie Weatherald]
