EDPS sanctions the European Parliament for illegal EU-US data transfers – among other violations
In January 2021, noyb filed a complaint against the European Parliament on behalf of six Members of the European Parliament over an internal corona testing website. The issues raised were deceptive cookie banners, vague and unclear data protection notices, and the illegal transfer of data to the US.
Following a complaint filed by noyb, the European Data Protection Supervisor (EDPS) issued a decision confirming that the European Parliament violated data protection law on its COVID testing website. The EDPS highlights that the use of Google Analytics and the payment provider Stripe (both US companies) violated the Court of Justice’s (CJEU) “Schrems II” ruling on EU-US data transfers. The ruling is one of the first decisions implementing “Schrems II” on the ground and may show the way for hundreds of other cases pending before regulators.
Complaint filed one year ago. The EDPS investigated the complaint against the European Parliament made by noyb and issued a reprimand to the Parliament for violating the “GDPR for EU institutions” (Regulation (EU) 2018/1725, applicable only to EU institutions).
In August 2020, noyb filed 101 complaints against EU companies that included Google and Facebook functions on their websites. After the formation of a “task force” by the relevant data protection authorities, noyb expects rulings for private websites that follow the EDPS decision soon.
“The EDPS made it clear that even the placement of a cookie by a US provider is violating EU privacy laws. No proper protections against US surveillance were in place, despite the fact that European politicians are a known target for surveillance. We expect more such decisions on the use of US providers in the next months, as other cases are also due for a decision.” Max Schrems, Honorary Chairman of noyb.eu
Confusing cookie banner. The complaint also raised that the site’s cookie banners were unclear and deceptive. For example, not all cookies were listed by the banners and the language versions diverged from one another. Consequently, users were not able to give valid consent. During the investigation, the Parliament removed all cookies from its website. noyb is currently working on similar complaints about cookie banners, and this decision supports that work.
No fine, but a reprimand and an order to comply. The EDPS issued a reprimand against the Parliament for the different violations of the Data Protection Regulation applicable to the EU institutions. Unlike national DPAs under the GDPR, the EDPS can only issue a fine in limited circumstances, which were not met in this case. In addition, the EDPS gave the Parliament one month to update its data protection notice and address the remaining issues regarding transparency.
This article was first published by noyb here.
Image credits: noyb (CC BY-NC 3.0)
(Contribution by: EDRi member, noyb)