EDPS sanctions European Parliament for unlawfully transfered data to the US

25. January 2022

The European Data Protection Supervisor (EDPS) ruled that the European Parliament (EP) offended against a judgement of the European Court of Justice (ECJ) by transferring data to the US using US origin tech tools on their website for COVID-19 tests. This judgement relies on a complaint that involves misleading cookie banners, uncertain data privacy statements and unlawful data transfers from the EU to the US.

The ECJ makes clear that the transfer of personal data from the EU to the US is topic of strict conditions. Websites can only transfer data to the US if a certain security level is given. In this case there was not such a security level available.

The misleading cookie banners were so vague that the cookies were not listed in total and some differences between language options became appearent. Therefore, the website users could not give their valid consent.

Furthermore, the data privacy information were not clear and transparent, in that they refer to an incorrect legal basis for the processing. The given references were also in violation of transperency and requests of information.

Even during the process the EP tried to improve the technical deficits.

The EDPS issued a caution because in contrast to national data protection authorities it can only sentence under certain conditions, which were not given in this case. In result, it imposed a cease and desist order with a one month deadline for the EP to adjust the compliance.