Shortly after the EDPS decision, the Austrian data protection authority issued a decision in a complaint involving similar cookies violations. This decision was the first issued by a regulator in response to 101 complaints filed in 2020 by non-governmental organization None of Your Business (“NOYB”).
During the proceedings, the EP took steps to disable the relevant cookies and indicated to the EDPS that “new internal technical verifications on the web page of the test center confirmed that it is currently not possible to transfer any data to third countries” and that “further analysis is ongoing in order to verify the data workflow in the first period of activity of the centre and determine whether transfers to third parties did actually happen.” The EP also claimed that some of the cookies never had been active and that no personal data registered on the website for COVID-19 testing actually was transferred outside of the EU. However, further investigation revealed that the EP was “in no position to identify neither the users of the website (or IP addresses of users), who accepted the [analytics] cookies on the website, nor the personal data that were sent to [the analytics provider] from the use of such cookies” and that the EP’s third-party service provider “did not provide the EP services with complete certainty regarding the absence of data transfers to the U.S.”
The EDPS Decision
In conclusion, the EDPS’s decision found that the EP had failed to meet its data protection obligations for the period during which cookies were present on the specific website and issued a reprimand. The EDPS also identified other data protection violations, including in relation to transparency issues, and ordered the EP to update the data protection notices of the website in question within one month from the date of the decision.