The European Parliament is being investigated by the European Union’s lead data regulator over a complaint that a website set up for MEPs to book coronavirus tests may have violated data protection law.
The complaint, filed by six MEPs and supported by the privacy campaign group noyb, alleges that cookies were dropped for third-party trackers without proper consent and that the cookie banners presented to visitors were deceptively designed.
It also alleges that personal data was transferred to the US without a valid legal basis, citing the landmark ruling by Europe’s top court last summer (aka Schrems II).
The European Data Protection Supervisor (EDPS), which oversees EU institutions’ compliance with data protection rules, confirmed receipt of the complaint and said it has begun an investigation.
It also said that, following the complaints, the cookies at issue have been deactivated, and that Parliament has told it no user data was actually transferred outside the European Union.
“Complaints were indeed filed by some MEPs about the European Parliament’s coronavirus testing website,” an EDPS spokesperson told TechCrunch. “The EDPS has started an investigation pursuant to Article 57(1)(e) EUDPR [the GDPR for EU institutions]. Following this complaint, the European Parliament’s Data Protection Office informed the EDPS that the cookies at issue were now disabled on the website and confirmed that no user data was sent outside the European Union.”
“The EDPS is currently assessing this website to ensure compliance with EUDPR requirements. The EDPS findings will be communicated to the controller and the complainants in due time.”
Alexandra Geese, a Green MEP from Germany, filed the initial complaint with the EDPS on behalf of the other MEPs.
Two of the MEPs who have joined the complaint and made their names public are Patrick Breyer and Mikuláš Peksa, members of the Pirate Party in Germany and the Czech Republic respectively.
We have reached out to the European Parliament and the company that supplied the testing website for comment.
The complaint is notable for a few reasons. Firstly, because allegations that an EU institution has failed to comply with the region’s own data protection rules are plainly embarrassing. Data protection can also be particularly important for “politically exposed persons such as members and staff of the European Parliament”, as noyb puts it.
Back in 2019 the EDPS took its first such action against an EU institution – over Parliament’s use of a US-based digital campaign company, NationBuilder, to process citizens’ voter data ahead of the spring elections.
So this is not the first time Parliament has landed in hot water over its attention to detail regarding third-party data processors (Parliament’s COVID-19 test registration website is provided by a German company called Ecolog Deutschland GmbH). Once could be an oversight; twice starts to look murky…
Secondly, the complaint could offer a relatively fast route to a referral to the EU’s top court, the CJEU, to further clarify the interpretation of Schrems II – a ruling with implications for the thousands of businesses that transfer personal data out of the European Union – should a challenge to the EDPS’s decision follow.
“The EDPS decisions can be challenged directly before the Court of Justice of the EU,” noyb noted in a press release. “This means that the appeal can be brought directly to the Supreme Court of the European Union, in charge of a uniform interpretation of EU law. This is particularly interesting because noyb is working on many other matters raising similar issues before national DPAs.”
Guidance from EU regulators for businesses transferring data out of the European Union, which are trying to understand how (or whether) they can comply with data protection law post-Schrems II, remains limited.
Further interpretation by the CJEU could shed more light – and, indeed, leave less wiggle room for processors wanting to legally keep Europeans’ data across the pond, depending on how the cookie crumbles (if you’ll forgive the pun).
noyb notes that the complaint calls on the EDPS to prohibit transfers that violate EU law.
“Public officials, and particularly EU institutions, have to lead by example to follow the law,” said Max Schrems, Honorary President of Noyb in a statement. “This is also true when it comes to the transfer of data outside the European Union. Using American providers, the European Parliament enabled the NSA to access the data of its staff and its members.”
According to the complaint, concerns about third-party trackers and data transfers were first raised in Parliament in October last year – when an MEP used a tracker-scanning tool to analyse the COVID-19 test booking website and found a total of 150 third-party requests, as well as a cookie placed on her browser.
In particular, the EcoCare COVID-19 test registration website was found to drop a cookie from the US-based company Stripe, as well as making several other third-party requests to Google and Stripe.
The complaint also notes that a data security notice on the site had informed users that their data generated by the use of Google Analytics is “transmitted and stored on a Google server in the US”.
On the matter of consent, the site was found to serve users with two separate, conflicting data protection notices – one of which referred (possibly a copy-paste duplication) to Brussels Airport.
Different consent flows were also presented depending on the user’s region, with some visitors not being given any clear opt-out button. The cookie notice was found to use a ‘dark pattern’ nudging users towards a bright green ‘accept all’ button, as well as confusing or ambiguous choices.
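The kind of check the MEP’s tracker scan performed can be reproduced from a captured page load. The script below is an added example (not code from the complaint, noyb, or any tool named here) that audits a constructed request log: it separates third-party requests from first-party ones by registrable domain, counts them, and flags cookies set by third parties before the visitor acted on the consent banner. The hostnames, timestamps and cookie values are placeholders; a real audit would read a browser HAR export and use the Public Suffix List for domain matching.

```python
# Added example: audit a captured page load for third-party requests and
# cookies dropped before consent. The capture below is constructed, not real.
from collections import Counter
from urllib.parse import urlparse

# Constructed capture: (seconds since page load, request URL, Set-Cookie header or None)
CAPTURE = [
    (0.10, "https://test-booking.example.eu/", None),
    (0.25, "https://test-booking.example.eu/static/app.js", None),
    (0.30, "https://js.stripe.com/v3/", None),
    (0.40, "https://m.stripe.com/6", "__stripe_mid=EXAMPLE; Path=/; Secure"),
    (0.45, "https://www.google-analytics.com/collect?v=1", None),
    (0.50, "https://fonts.googleapis.com/css?family=Roboto", None),
    (4.00, "https://test-booking.example.eu/api/consent", "consent=all; Path=/"),
    (4.20, "https://www.google-analytics.com/collect?v=1&t=pageview", "_ga=EXAMPLE; Path=/"),
]

CONSENT_AT = 4.00  # seconds since load when the visitor clicked "accept all" (constructed)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: last two labels, or last three for ccSLDs such as co.uk.
    Good enough for this demo; a real audit should use the Public Suffix List."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "com", "org", "gov", "ac"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def audit(capture, first_party_url, consent_at):
    """Return (third-party request count per domain, cookies set by third parties
    before consent). The second list is what a consent-first rule forbids."""
    site = registrable_domain(urlparse(first_party_url).hostname)
    third_party = Counter()
    pre_consent_cookies = []
    for t, url, set_cookie in capture:
        dom = registrable_domain(urlparse(url).hostname)
        if dom == site:
            continue  # first-party request: not a tracker concern here
        third_party[dom] += 1
        if set_cookie and t < consent_at:
            pre_consent_cookies.append((dom, set_cookie.split(";")[0]))
    return third_party, pre_consent_cookies


if __name__ == "__main__":
    counts, bad = audit(CAPTURE, "https://test-booking.example.eu/", CONSENT_AT)
    print("third-party requests:", dict(counts))
    print("cookies set before consent:", bad)
```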
The EU has stringent requirements for (legally) obtaining consent for (non-essential) cookies and other third-party tracking technologies, which state that consent must be clearly communicated, specific and freely given.
In 2019, Europe’s top court confirmed that consent must be obtained before non-essential trackers are dropped. (Health-related data also generally has a high consent bar to be legally processed in the European Union, although in this case the personal information relates to appointment registration rather than special-category medical data.)
The complaint alleges that the EU’s cookie consent requirements are not being met on the website, while the presence of requests to US-based services (and references to storing data in the US) is a legal problem in light of the Schrems II decision.
The US no longer enjoys legally frictionless flows of personal data from the EU since the CJEU struck down the Commission’s adequacy arrangement (invalidating the EU-US Privacy Shield mechanism) – meaning transfers of data on EU citizens to US-based companies are now complex.
Data controllers are responsible for assessing any such proposed transfer on a case-by-case basis. The data transfer mechanism known as standard contractual clauses (SCCs) was not invalidated by the CJEU. But the court made it clear that SCCs can only be used for transfers to third countries where data protection is essentially equivalent to the legal regime in the European Union – while stating that the US does not meet that standard.
In view of the ruling, European Data Protection Board guidance suggests that some EU-US data transfers may still be possible in compliance with European law, such as transfers of encrypted data to which no US-based entity has access.
However the bar for compliance varies depending on the specific context and case.
Additionally, for the subset of companies that are clearly subject to US surveillance law (such as Google), the compliance bar may be impossibly high – because surveillance law is the main legal sticking point for EU-US transfers.
So, again, it does not bode well for Parliament that there was a notice on its COVID-19 test website stating that personal data would be transferred to Google’s servers in the US (even if, as claimed, that functionality was not activated).
Another point noyb makes against the European Parliament is that the case highlights how web infrastructure widely used in Europe can fall foul of regional data protection rules. If the European Parliament cannot get this right, who can?
noyb filed a batch of complaints against EU websites last year, shortly after the Schrems II decision, targeting sites it identified as sending data via Google Analytics and/or Facebook Connect integrations. (Those complaints are being looked into by DPAs in the European Union.)
Facebook’s EU data transfers are also very much on the hook here. Earlier this month the tech giant’s lead EU data regulator agreed to ‘expeditiously resolve’ the long-standing complaint about its transfers.
Schrems originally filed that complaint back in 2013. He told us that he expects the matter to be resolved this year, within about six to nine months. So a final decision should come in 2021.
He has previously suggested that the only way for Facebook to fix its data transfer problem is to federate its service by storing EU users’ data locally. The tech giant was last year forced to deny that it would cease its service in Europe if its lead EU regulator followed through on a preliminary order to suspend the transfers (an order it has blocked by applying for judicial review of the Irish DPC’s procedures).
The alternative outcome is Facebook securing some kind of political resolution to the legal uncertainty clouding EU-US data transfers, although the European Commission has warned that there is no quick fix – and that US surveillance law needs to be reformed.
So with the options for continued EU-US data flows by US tech giants rapidly melting in the face of the bar set by the CJEU, and with strategic litigation like the latest noyb-backed complaint keeping up the pressure, the push for US surveillance law reform is only going to keep building. Not that Facebook has so far come out in support of reforming FISA.