The European Parliament has been reprimanded by the European Data Protection Supervisor (EDPS) for violating GDPR rules on its internal Covid-19 testing website.
On behalf of six MEPs, the Vienna-based non-profit digital rights group NOYB filed a data protection complaint against the European Parliament in January 2021. The issues raised were deceptive cookie banners, unclear data protection notices and the illegal transfer of data to the US, as the website used Google Analytics and the payment provider Stripe.
NOYB said this is one of the first cases to base its ruling on the Schrems II verdict and may set a precedent for other pending cases.
“The EDPS made it clear that even the placement of a cookie by a US provider is violating EU privacy laws,” honorary chairman of NOYB Max Schrems said.
“No proper protections against US surveillance were in place, despite the fact that European politicians are a known target for surveillance. We expect more such decisions on the use of US providers in the next months, as other cases are also due for a decision,” Schrems added.
The complaint also said the information on the website’s cookies was unclear, as not all cookies were listed by the banners and the information changed when using different languages.
The EU Parliament now has one month to update its data protection notice and address the remaining issues regarding transparency. “The EDPS notes that the Parliament has been consistently responsive and collaborative throughout the investigation of the complaint, and that as at the date of the decision most of the infringements have been remedied.”
One of the complainants, MEP Patrick Breyer, said: “The Schrems II ruling was a great victory for the protection of our privacy and the confidentiality of our communications and internet use. Unfortunately, this case shows that our data is still being illegally transferred to the US in large numbers.”
Last month, Schrems accused Ireland’s Data Protection Commission of lobbying other EU regulators to allow Facebook to bypass user consent requirements for ad-related data collection.
The post EU Parliament breached data protection laws on its Covid-19 website appeared first on Silicon Republic.