On January 5, 2022, the European Data Protection Supervisor (“EDPS”) issued a decision against the European Parliament (“EP”). The case resulted from a complaint submitted by certain Members of the European Parliament (“MEPs”) who alleged that the Parliament’s use of cookies violated data protection law, including the requirements governing transfers of personal data outside the EU. The EDPS is the authority responsible for overseeing the EU institutions’ compliance with data protection rules.

Shortly after the EDPS decision, the Austrian data protection authority issued a decision in a complaint involving similar cookie violations. That decision was the first issued by a regulator in response to the 101 complaints filed in 2020 by the non-governmental organization None of Your Business (“NOYB”).

Background

On October 29, 2020, the EDPS received an initial complaint jointly signed by a number of MEPs claiming that one of the EP’s websites violated EU data protection law. During its investigation, the EDPS notified the EP that it had identified issues relating to the use of cookies on the website http://europarl.ecocare.center, which is used to make appointments for COVID-19 tests. In particular, the EDPS inquired about the purpose of a unique identifier stored on the website along with a cookie. Additional complaints regarding the same issue followed. These complaints sought an explanation from the EP regarding the transfer of personal data of MEPs and their staff to the U.S. in connection with the use of cookies from U.S.-based companies on the EP’s website.

During the proceedings, the EP took steps to disable the relevant cookies and indicated to the EDPS that new internal technical verifications on the web page of the test center “confirmed that it is currently not possible to transfer any data to third countries” and that “further analysis is ongoing in order to verify the data workflow in the first period of activity of the centre and determine whether transfers to third parties did actually happen.” The EP also claimed that some of the cookies had never been active and that no personal data registered on the website for COVID-19 testing was actually transferred outside the EU. However, further investigation revealed that the EP was “in no position to identify neither the users of the website (or IP addresses of users), who accepted the [analytics] cookies on the website, nor the personal data that were sent to [the analytics provider] from the use of such cookies” and that the EP’s third-party service provider “did not provide the EP services with complete certainty regarding the absence of data transfers to the U.S.” In other words, the EP had no records from which it could establish, after the fact, which visitors had accepted the analytics cookies or what data had left its systems.

The EDPS Decision

In relation to cross-border data transfers and the use of cookies, the EDPS’s decision took the position that tracking cookies involve the processing of personal data “even if the traditional identity parameters of the tracked users are unknown or have been deleted by the tracker after collection” and that “personal data of visitors to the Parliament’s dedicated website were processed through the trackers even if this only happened where users visited the website through a network other than the Parliament’s.” Furthermore, the EDPS concluded that for the period during which the trackers were on the website, personal data processed through these cookies was transferred to the U.S., where the cookie provider was located and hosted all relevant data.

While the relevant transfers relied on EU Standard Contractual Clauses (“SCCs”), the EDPS highlighted that the use of SCCs does “not substitute the individual case-by-case assessment that […] a controller must carry out, in accordance with the Schrems II judgement, to determine whether in the context of the specific transfer, the third country of destination affords the transferred data an essentially equivalent level of protection to that in the EU.” Therefore, “the [data controller], where appropriate in collaboration with the data importer in the third country, must carry out this assessment of the effectiveness of the proposed safeguards before any transfer is made or a suspended transfer is resumed. Where the essentially equivalent level of protection for the transferred data is not effectively ensured, because the law or practice of the third country impinges on the effectiveness of the appropriate safeguards contained in the used SCCs for transfers or another transfer tool, the [data controller] must implement contractual, technical and organizational measures to effectively supplement the safeguards in the transfer tool, where necessary together with the data importer.” The decision also states that “the EDPS is of the view that transfers of personal data to the U.S. can only take place if they are framed by effective supplementary measures in order to ensure an essentially equivalent level of protection for the personal data transferred.” However, “the Parliament provided no documentation, evidence or other information regarding the contractual, technical or organizational measures in place to ensure an essentially equivalent level of protection to the personal data transferred to the U.S. in the context of the use of cookies on the website.” The practical point is that signing SCCs is not itself a safeguard: the controller must be able to document the transfer impact assessment and the supplementary measures actually applied, and the EP could produce neither.

In conclusion, the EDPS found that the EP had failed to meet its data protection obligations for the period during which the cookies were present on the website in question and issued a reprimand. The EDPS also identified other data protection violations, including transparency failures, and ordered the EP to update the website’s data protection notices within one month of the date of the decision.
