The European Parliament needs to improve its Covid-19 test website and better protect the privacy of its users. The EU data protection officer, Wojciech Wiewiórowski, has demanded this and given the legislative body a month to do so. In response to complaints from several MPs and the civil rights organization Noyb, he criticizes Parliament for violating data protection law on the test center's website.
Data to Google
During the corona pandemic, Parliament relies on a test center run by the provider EcoCare, for which the members of the institution can register on the intranet. When accessing the website, elected representatives discovered that it initially sent more than 150 third-party requests. The third parties included the US companies Google and Stripe.
In his now published decision of January 5th, Wiewiórowski highlights that the use of Google Analytics and the payment provider Stripe is not compatible with the “Schrems II” ruling of the European Court of Justice (ECJ) on the transfer of personal data between the EU and the USA. With this ruling, the Luxembourg judges once again determined that US security laws allow mass surveillance and that data protection standards in the United States therefore do not correspond to those in the EU.
Wiewiórowski’s announcement is one of the first decisions to implement “Schrems II” in practice. It could lead the way in many other relevant cases currently being dealt with by courts and regulators. Previously, for example, the Wiesbaden Administrative Court had, on the basis of the CJEU’s landmark judgment, prohibited a university from integrating “Cookiebot” into its homepage and thereby transmitting data to the USA.
Green MP Alexandra Geese had submitted the first complaint to the EU data protection officer on behalf of other MPs such as Patrick Breyer (Pirate Party). Noyb backed this up a year ago with another submission. The complainants also objected that the website’s cookie banners were unclear and misleading: the operators did not list all the browser files set there, and the different language versions also differed from one another. As a result, it was not possible for users to give valid consent. Parliament then removed all cookies.
The inspector also confirmed the complainants’ view that the test center’s data protection information was not clear and understandable. In doing so, Parliament violated the transparency requirement. In addition, the institution did not respond correctly to requests for information.
The regulator issued a reprimand to Parliament for the various violations of a special data protection regulation applicable to the EU institutions. In addition, he issued a warning and an injunction with a deadline of one month. Unlike the national data protection authorities, Wiewiórowski can only impose a fine in certain circumstances, which were not met in this case. The General Data Protection Regulation (GDPR), which does not apply here, offers more scope for sanctions.