EDPS sanctions Parliament over EU-US Data Transfers to Google and Stripe

Cookie Banners / 11 January 2022

EDPS sanctions the European Parliament for illegal EU-US data transfers - among other violations

The European Data Protection Supervisor (EDPS) issued a decision after a complaint filed by noyb confirming that the European Parliament violated data protection law on its COVID testing website. The EDPS highlights that the use of Google Analytics and the payment provider Stripe (both US companies) violated the Court of Justice's (CJEU) "Schrems II" ruling on EU-US data transfers. The ruling is one of the first decisions implementing "Schrems II" on the ground and may show the way for hundreds of other cases pending before regulators.

Complaint filed one year ago. In January 2021, noyb filed a complaint against the European Parliament on behalf of six Members of the European Parliament over an internal corona testing website. The issues raised were deceptive cookie banners, vague and unclear data protection notices, and the illegal transfer of data to the US. The EDPS investigated the matter and issued a reprimand against the Parliament for violating the "GDPR for EU institutions" (Regulation (EU) 2018/1725, which applies only to EU institutions).

Illegal data transfers to the US. In the so-called "Schrems II" case, the CJEU made clear that the transfer of personal data from the EU to the US is subject to very strict conditions. Websites must refrain from transferring personal data to the US where an adequate level of protection for the personal data cannot be ensured. The EDPS confirmed that the website actually transferred data to the US without ensuring an adequate level of protection for the data and highlighted: "the Parliament provided no documentation, evidence or other information regarding the contractual, technical or organisational measures in place to ensure an essentially equivalent level of protection to the personal data transferred to the US in the context of the use of cookies on the website."

In August 2020, noyb filed 101 complaints against EU companies that included Google and Facebook functions on their websites. After the relevant data protection authorities formed a "task force", noyb expects rulings for private websites that follow the EDPS decision soon.

“The EDPS made it clear that even the placement of a cookie by a US provider is violating EU privacy laws. No proper protections against US surveillance were in place, despite the fact that European politicians are a known target for surveillance. We expect more such decisions on the use of US providers in the next months, as other cases are also due for a decision.” Max Schrems, Honorary Chairman of noyb.eu

Confusing cookie banner. The complaint also raised that the site's cookie banners were unclear and deceptive. For example, not all cookies were listed by the banners, and there were divergences between language versions. Consequently, users were not able to give valid consent. During the investigation, the Parliament removed all cookies from its website. noyb is currently working on similar complaints on cookie banners, which are supported by this decision.

Unclear and irrelevant information. In addition, the complaint noted that the privacy policy was not clear and transparent, since it referred to the COVID testing of the Brussels airport or to a wrong legal basis. During the investigation, the Parliament changed its policy but made it partly even worse. noyb raised the various inconsistencies in the new privacy policy of the EP. The EDPS agreed that the information provided by the Parliament violated the obligation of transparency, which is a basic legal requirement under data protection law. Finally, the EDPS also held that the Parliament did not adequately reply to the access request of the complainants.

No fine, but a reprimand and an order to comply. The EDPS issued a reprimand against the Parliament for the various violations of the data protection regulation applicable to the EU institutions. Unlike national DPAs under the GDPR, the EDPS can only issue a fine in limited circumstances, which were not met in this case. In addition, the EDPS gave the Parliament one month to update its data protection notice and address the remaining issues regarding transparency.