The European Data Protection Supervisor (EDPS) issued a decision on Wednesday 5 January confirming that the European Parliament had violated data protection law with its internal Covid testing site, by illegally transferring data to the United States.
The decision follows a complaint filed by the European Centre for Digital Rights (NOYB) in January 2021 on behalf of six MEPs, including Alexandra Geese (Greens/EFA, Germany), who had initiated the complaint.
To go into the details, the EDPS considers that the use of services provided by Google Analytics and the payment company Stripe – both of which are American – violated the ‘Schrems II’ judgment of the Court of Justice of the EU (CJEU) of 16 July 2020, regarding the transfer of data between the EU and the USA (see EUROPE 12529/2). This decision regarding EDPS is one of the first to implement the ‘Schrems II’ judgment.
In addition, the offending site is also accused of deploying “misleading” cookie banners and “unclear” data protection notices.
While there is no question of a fine – the EDPS only has the power to issue fines in certain specific circumstances – the European Data Protection Supervisor has issued a reprimand by way of an order to bring the site into compliance.
See the EDPS decision: https://bit.ly/33kZwyQ (Original version in French by Thomas Mangin)