Today, noyb files a complaint against the European Parliament on behalf of six MEPs – including Patrick Breyer of the Pirate Party. The main issues raised are the deceptive cookie banners of an internal corona testing website, the vague and unclear data protection notice, and the illegal transfer of data to the US.
“After the end of the unsuitable ‘Privacy Shield’, there must be no more forwarding of our data to the USA without our consent. The data protection authorities must enforce the stop of the data outflows. It is outrageous that a European institution allows the transfer of sensitive data of its staff and MPs. This is a good precedent to clarify EU data protection rules without having to involve national authorities first.” – Pirate Party MEP and co-complainant Dr. Patrick Breyer
COVID testing website forwarded data to third parties
The European Parliament (EP) is offering COVID-19 PCR tests to all employees and members of the European Parliament (MEPs). The EP called upon the services of the provider EcoCare to set up a test center for which staff and members of the EP can register on the intranet. When accessing the website, the MEPs discovered that the website sent over 150 third-party requests, including requests to US-based companies Google and Stripe. Furthermore, not only was a Stripe cookie dropped on their browser, but the website’s data protection notice also stated that Google Analytics cookies were used on the website. However, no health data were sent to third parties, as the page was only concerned with the registration of testing appointments.
Illegal data transfers to the US, despite Schrems II
Both Google and Stripe are based in the US. In the Schrems II judgment, the CJEU made clear that the transfer of personal data from the EU to the US is subject to very strict conditions. Websites must refrain from transferring personal data to the US where an adequate level of protection for the personal data cannot be ensured. Stripe and Google clearly fall under relevant US surveillance laws that allow the targeting of EU citizens. This is especially relevant for politically exposed persons like members and staff of the European Parliament. Therefore, the complaint asks the EDPS to prohibit such transfers that violate EU law.
“Public authorities, and in particular the EU institutions, have to lead by example to comply with the law. This is also true when it comes to transfers of data outside of the EU. By using US providers, the European Parliament enabled US authorities to access data of its staff and its members.” – Max Schrems, Honorary Chairman of noyb.eu
Deceptive cookie banner and unclear information
In addition, the site’s cookie banners were unclear and deceptive: the banners do not list all of the cookies placed on the browser, and they nudge users to accept all cookies. Consequently, the processing of data on the website and the placing of cookies based on user consent lack a valid legal basis.
The information provided on the website is also confusing. The users were even faced with two different data protection notices with differing information.
noyb has joined forces with six MEPs to support them in a complaint filed before the European Data Protection Supervisor (EDPS). The initial complaint was filed at the end of October 2020 by Mrs. Alexandra GEESE on behalf of other MEPs. The EDPS is the special data protection authority (DPA) responsible only for EU institutions and agencies.
Direct access to the Court of Justice, relevant for larger Cookie Issues
The EDPS will now analyse the additional submissions made by noyb and should issue a decision on the matter in due course. The complaint before the EDPS also potentially allows direct access to the highest European court. A decision can be directly challenged before the European Court of Justice (ECJ). This means that fundamental questions of European data protection law can also be clarified with a simple complaint about an EU website.