The EU’s data protection watchdog has warned the bloc’s institutions that they should refrain from embarking on new activities that involve transferring personal data to the US, in the wake of a decision from the European Court of Justice earlier this year.
The warning comes after a EURACTIV report on Wednesday (28 October) that revealed the European Parliament’s coronavirus test management website is overrun with user tracking requests, some of which are siphoning data to US-based firms.
The European Data Protection Supervisor (EDPS) weighed in on the story on Thursday, saying that institutions should not be engaging in such practices.
“With regard to new processing operations or new contracts with service providers, the EDPS strongly encourages European Union institutions to avoid processing activities that involve transfers of personal data to the United States,” a statement from the EDPS read.
The EDPS’s advice in this regard comes after a July ruling from the European Court of Justice, which invalidated the EU-US Privacy Shield agreement, a mechanism intended to ensure the protection of EU data when sent across the Atlantic, in line with the General Data Protection Regulation (GDPR).
Judges ruled that the US surveillance regime, particularly Section 702 of the US Foreign Intelligence Surveillance Act (FISA), puts EU data at risk.
Since then, US firms seeking to transfer EU data out of the bloc to the US have had to fall back on the use of Standard Contractual Clauses (SCCs), individual agreements designed by the EU executive, which safeguard EU data protection standards between two parties taking part in a transfer.
In this context, the EDPS said on Thursday that an order has recently been sent to EU institutions, instructing them to complete “a mapping exercise identifying which on-going contracts, procurement procedures and other types of cooperation involve transfers of data.”
Institutions are required to inform the EDPS of such transfers, the EU data watchdog added.
“These are transfers that do not have a legal basis, transfers that are based on derogations and transfers to private entities towards the U.S. presenting high risks for data subjects.”
Parliament COVID19 website
Meanwhile, the news that the European Parliament’s coronavirus test management website features more than ‘150’ user tracking requests, some of which transfer personal data to US-based firms including Google and Stripe, came after Green MEP Alexandra Geese attempted to use the platform.
The website, run by EcoCare, a subsidiary of the United Arab Emirates firm Ecolog, requests permission to transfer the personal data of those using the platform – European Parliament staff members – to third party companies.
The platform requests that registrants input certain personal information, including sensitive data on whether they have had high-risk contacts or if they have coronavirus symptoms.
“When I registered for my COVID-19 test to travel back from Brussels to Germany, I was surprised to find that all of my personal data I inputted into the form was being transferred to the US,” Geese told EURACTIV.
The Green MEP filed a complaint with the EDPS, which made its response clear on Thursday and added that it will continue to monitor such data transfer processes on a ‘case-by-case’ basis.
[Edited by Zoran Radosavljevic]