EDPS reprimands European Parliament for use of Google Analytics

Illegal EU-US data transfers by the European Parliament lead to sanction from EDPS 

 

Due to a complaint made approximately one year prior, the European Parliament has been sanctioned by the EDPS over illegal EU-US data transfers, among other violations. On a COVID-19 testing site, the use of Google Analytics and Stripe (both US companies) by the European Parliament was a violation of the Court of Justice’s (CJEU) “Schrems II” ruling on EU-US data transfers. In the complaint, filed in January 2021 by noyb, several issues were raised, including deceptive cookie banners, vague and unclear data protection notices, and, of course, the illegal transfer of data to the US. The European Parliament did not incur a fine, but was reprimanded and ordered to come into compliance and address its data protection notice and other transparency issues within a month.

 

Personal data transferred from the EU to the US is subject to very strict conditions, and must ensure an adequate level of protection.

 

Since the Schrems II ruling, data transfers to the US have come under much scrutiny. This is because transfers of personal data from the EU to the US in most cases do not ensure adequate protection for the data. The COVID-19 testing website provided by the European Parliament was no different. According to the EDPS, “the Parliament provided no documentation, evidence or other information regarding the contractual, technical or organisational measures in place to ensure an essentially equivalent level of protection to the personal data transferred to the US in the context of the use of cookies on the website.” The data stored included health data, for example symptoms and results of a COVID-19 test. This is considered special category personal data, and therefore particularly sensitive.

 

The EDPS found the European Parliament to be in violation of several articles of the GDPR and therefore issued a reprimand.

 

The placement of cookies by a US provider without having appropriate measures in place is a violation of EU privacy law. This leaves the site open to possible surveillance by US bodies. The complaint from noyb also highlighted the fact that the site’s cookie banners were unclear and deceptive. The banner did not list all the cookies, and there were also differences between the language versions. As a result, users were unable to give valid consent. The European Parliament removed all cookies from the website during the investigation.

 

There were also several issues of transparency noted in the complaint filed by noyb. It stated that the privacy policy was not clear and transparent and referred to a wrong legal basis. The privacy policy was also changed during the course of the investigation; however, the changes made may have worsened the situation. The EDPS concluded that the European Parliament was violating the obligation of transparency under the GDPR. In addition, it was found that the Parliament did not adequately reply to the access request of the complainants. The EDPS found the European Parliament to be in violation of several articles of the GDPR, and therefore issued a reprimand in accordance with Article 58(2)(b) of the Regulation.

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.
