European Parliament violated privacy rules on internal website for corona tests

The European privacy supervisor EDPS has reprimanded the European Parliament for violating privacy rules with cookies on an internal site for making a corona test appointment. Data was transferred to the US via cookies, which is against the rules.

According to the privacy regulator, the corona test website, on which MEPs can schedule a test appointment, passed cookie data to the US without ensuring an ‘adequate’ level of protection for the data. This makes the site of the European Parliament in violation of privacy legislation.

The head of the nonprofit noyb, one of the organizations that had filed a complaint about this last year, said: ”There was no adequate protection against surveillance by the US, despite the fact that European politicians are a known target for espionage. ”

In July 2020, the Court of Justice of the European Union ruled that the US does not provide adequate protection in line with the EU legal framework, and therefore transfers of personal data to America are only allowed under ‘strict conditions’. In this case, the data was illegally transferred to the US via cookies from US companies such as Google and Stripe.

The cookie banners on the site were also unclear and misleading, according to the regulator. “Insufficient transparent information was shared that would show how the personal data is processed.” That was also a violation of the privacy rules.

The European Parliament only gets a reprimand. Most of the issues have been resolved during the investigation, for example, the cookies have now been removed from the website, but the regulator is giving the EP one month to resolve remaining issues.