The European Parliament’s coronavirus test management website is overrun with user tracking requests, some of which are attempting to siphon data to US-based firms, just as the future of transatlantic data flows is far from clear.
The website, which is run by EcoCare, a subsidiary of the United Arab Emirates firm Ecolog, requests permission to transfer the personal data of those using the platform – European Parliament staff members – to third party companies.
Those include Google and the US financial services platform Stripe, backed by Silicon Valley investor Peter Thiel, chairman of data analytics firm Palantir.
The platform requests that registrants input certain personal information, including sensitive data on whether they have had high-risk contacts or if they have coronavirus symptoms.
EU-US data transfers
A July ruling from the European Court of Justice invalidated the EU-US Privacy Shield agreement, which was a mechanism intended to ensure the protection of EU data when sent across the Atlantic, in line with the General Data Protection Regulation (GDPR).
Judges ruled that the US surveillance regime, particularly Section 702 of the US Foreign Intelligence Surveillance Act (FISA), put EU data at risk.
FISA 702 permits the National Security Agency to collect foreign intelligence belonging to non-Americans located outside the US, by way of obtaining their data stored with electronic communications services providers.
Since then, US firms seeking to transfer EU data out of the bloc to the US, have had to fall back on the use of Standard Contractual Clauses (SCCs), individual agreements designed by the EU executive, which safeguard EU data protection standards between two parties taking part in a transfer.
The court said in July that SCCs are theoretically valid but risks involved with contracting particular data transfers to third countries must be taken into account.
Since the July ruling, the Commission has been in talks with US representatives with a view to potentially charting a new transatlantic data accord. The executive is also in the process of ‘modernising’ the SCCs, with revisions to be unveiled before the close of the year.
MEP takes a stand
Against this backdrop, the use of third-party trackers on the European Parliament’s coronavirus management website has provoked concern among some who work in the institution, including prominent privacy activist MEP Alexandra Geese, of the Greens.
“When I registered for my COVID-19 test to travel back from Brussels to Germany, I was surprised to find that all of my personal data I inputted into the form was being transferred to the US,” Geese told EURACTIV.
“The EU Parliament’s test centre uses pieces of code that allow Google to track users across the internet – and since the Snowden revelations, we know that the company makes such data available to US intelligence agencies.”
For her part, Geese has pressed Parliament’s Quaestors – a group of MEPs who oversee the administrative functions of Parliament – for details on why such a service was chosen that could potentially put the data of Parliament staff at risk.
The Green MEP has also filed a complaint to the European Data Protection Supervisor, the body in charge of ensuring data protection standards across the EU institutions.
EcoCare has not yet responded to EURACTIV’s request for comment.
[Edited by Sam Morgan]