EU Parliament under fire over ‘illegal US data transfers’ from COVID website

European Parliament services are coming under pressure from a group of MEPs working with the European Center for Digital Rights group (noyb), headed by privacy activist Max Schrems, over allegations that the institution's coronavirus test management website is siphoning data to US-based firms illegally.

A file picture dated 09 April 2015 of Austrian student and plaintiff Max Schrems speaking to journalists prior to the start of the trial concerning the admission of the claim of a class action lawsuit against the privacy policy of Facebook, in Vienna, Austria. [EPA/HANS PUNZ]

European Parliament services are coming under pressure from a group of lawmakers working with privacy activist Max Schrems over allegations that the institution’s coronavirus test management website is illegally siphoning data to US-based firms.

Last year, EURACTIV revealed that MEPs had stumbled upon privacy loopholes in the European Parliament’s COVID website, which is run by EcoCare, a subsidiary of the United Arab Emirates firm Ecolog.

The website had requested permission to transfer the personal data of those using the platform – European Parliament staff members – to third-party companies including Google and the US financial services platform Stripe. The system asks registrants to input personal information, including sensitive data on whether they have had high-risk contacts or if they have coronavirus symptoms.

Such data transfers would be in violation of EU data privacy rules, according to European privacy group noyb headed by Max Schrems, an Austrian lawyer and online privacy activist.

Indeed, a July 2020 decision from the European Court of Justice invalidated the EU-US Privacy Shield agreement, which was a mechanism intended to ensure the protection of EU data when sent across the Atlantic, in line with the EU’s General Data Protection Regulation (GDPR).

Since the decision, American firms seeking to transfer EU data to the US, have had to fall back on the use of Standard Contractual Clauses (SCCs), or individual data transfer agreements designed by the European Commission.

On Friday (22 January), noyb, along with a group of 6 Parliamentarians, filed a complaint with the European Data Protection Supervisor, urging them to prohibit US data transfers from taking place on the European Parliament’s coronavirus test management system.

While the names of the MEPs haven’t been made public, EURACTIV understands that Pirate MEPs Patrick Breyer and Mikuláš Peksa are part of the group.

“Websites must refrain from transferring personal data to the US where an adequate level of protection for the personal data cannot be ensured. Stripe and Google clearly fall under relevant US surveillance laws that allow the targeting of EU citizens,” the complaint states.

“This is especially relevant for politically exposed persons like Members and staff of the European Parliament,” it goes on.

Max Schrems, the privacy activist who heads the group, said that EU institutions should “lead by example” in complying with their own standards. “By using US providers, the European Parliament enabled the NSA to access data of its staff and its members,” he said.

The complaint also highlights issues related to deceptive cookie banners and unclear information on the website.

“The banners do not list all of the cookies placed on the browser, and nudges the users to accept all cookies,” the document states. “Consequently, the processing of data on the website and the placing of cookies based on user consent, fall short of a valid legal basis.”

The complaint submitted on Friday comes after an earlier objection was tabled by Green MEP Alexandra Geese. The EDPS is now set to analyze the additional submissions made by noyb and will issue an opinion on the case in due course.

[Edited by Frédéric Simon]

Subscribe to our newsletters