The European Data Protection Supervisor has issued a resolution that claims that the European Parliament violated data protection law on its Covid test website.
The European Data Protection Supervisor (EDPS) has issued a resolution that claims that the European Parliament violated data protection law on its Covid test website by using Google Analytics, the Internet traffic analysis service of the North American search engine.
Europe continues to increase the pressure on Google and, a few weeks ago, Brussels ratified the fine of almost €2,500 million to the technology company for abuse of a dominant position.
The EDPS highlights that the use of Google Analytics and also the payment provider Stripe (both US companies) violate the ‘Schrems II’ judgement of the Court of Justice of the European Union (CJEU) on data transfers from Europe to the United States.
This ruling is one of the first decisions to implement “Schrems II” and may be the reference for hundreds of other cases pending resolution by regulators.
Sergio Carrasco Mayans, a lawyer at Faseconsulting specialising in new technologies, explains: “The European Supervisor has only made a decision once it has been understood that the transfer of data to the United States actually occurs.”
“There is an obligation to guarantee an equivalent level of protection in these international transfers, and after the decision of Schrems II, It has been understood that this territory does not meet the requirements in view of the regulations it has.”
The resolution follows a complaint filed a year ago by NOYB (None Of Your Business), a non-profit organisation based in Vienna, Austria, co-founded by Max Schrems and dedicated to protecting the digital rights of Europeans.
In January 2021 NOYB filed a complaint against the European Parliament for a Covid testing website. The issues that this complaint reflected were misleading cookie ads, sparse and unclear data protection notices, and the illegal transfer of data to the United States. EDOS investigated the matter and admonished Parliament for violating the European Data Protection Regulation.
NOYB explains in a statement that “In the so-called ‘Schrems II’ case, the CJEU made it clear that the transfer of personal data from the EU to the United States is subject to very strict conditions. Websites must refrain from transferring personal data to United States, where an adequate level of protection of personal data cannot be guaranteed.”
Mayans concludes that “public institutions, such as the European Parliament, must comply when it comes to guaranteeing the rights of their users, both with regard to information and the protection of their rights.”
“The use of tools such as Analytics is problematic today, and many entities are not yet aware of the risks they are exposed to with its use.”