EDPS sanctions European Parliament for illegal data transfer to the US
Following a complaint by six MEPs, including Patrick Breyer of the Pirate Party, the European Data Protection Supervisor (EDPS) has confirmed that the European Parliament’s COVID test website violated data protection rules. The EDPS highlights that the use of Google Analytics and the payment provider Stripe (both US companies) violated the European Court of Justice’s (CJEU) “Schrems II” ruling on data transfers between the EU and the US. The EDPS decision is one of the first to implement “Schrems II” in practice and could be groundbreaking for many other cases currently being considered by regulators.
On behalf of six MEPs, the data protection organisation noyb filed a data protection complaint against the European Parliament in January 2021. The main issues raised are the deceptive cookie banners of an internal corona testing website, the vague and unclear data protection notice, and the illegal transfer of data to the US. The EDPS investigated the matter and issued a reprimand to the Parliament for violation of the “GDPR for EU institutions” (Regulation (EU) 2018/1725, applicable only to EU institutions).
Illegal data transfers to the US
In the so-called “Schrems II” case, the CJEU stressed that the transfer of personal data from the EU to the US is subject to very strict conditions. Websites must refrain from transferring personal data to the US where an adequate level of protection for the personal data cannot be ensured. The EDPS confirmed that the website actually transferred data to the US without ensuring an adequate level of protection for the data and highlighted: “the Parliament provided no documentation, evidence or other information regarding the contractual, technical or organisational measures in place to ensure an essentially equivalent level of protection to the personal data transferred to the US in the context of the use of cookies on the website.”
Co-complainant and MEP Patrick Breyer (Pirate Party) comments:
“The Schrems II ruling was a great victory for the protection of our privacy and the confidentiality of our communications and internet use. Unfortunately, this case shows that our data is still being illegally transferred to the US in large numbers. With his decision, the EDPS makes it clear that this must end. There must be no more unnecessary disclosing of our personal data to the US without our consent, not even on the basis of the so-called standard contractual clauses, which do not protect us against the NSA mass surveillance schemes.”
No fine, but a reprimand and a compliance order
The EDPS issued a reprimand to the Parliament for the various breaches of the data protection regulation applicable to EU institutions. Unlike national data protection authorities under the GDPR, the EDPS can only impose a fine in certain circumstances, which were not met in this case. In addition, the EDPS gave the Parliament one month to update its data protection notice and resolve the remaining transparency issues.