On 5 January 2022, the European Data Protection Supervisor (EDPS) issued its decision against the European Parliament (EP) in relation to the use of third-party cookies operated by US companies and the resulting transfer of data to the US. The decision highlights the need for businesses to conduct thorough due diligence, and, where necessary, an impact assessment, prior to the use of data collection methods such as cookies, particularly where data is being transferred to third countries.
Over the course of late 2020 and early 2021, shortly after the EP’s new dedicated COVID-19 test booking website for Members of the European Parliament (MEPs) and other officials (the Website) went live, the EDPS received complaints from six MEPs in relation to the use of third-party trackers, confusing cookie consent banners and problems relating to transparency around data collection and data access.
The basis of the complaint was a report obtained by the complainants following a scan of the Website for cookies and trackers. The report showed the presence of Google Analytics and Stripe cookies; the latter are used to redirect users to a payment page, even though the Website did not require any form of payment for a test to be booked.
Upon further investigation, it came to light that the company responsible for producing the Website, Ecolog, had previously produced a similar COVID-19 testing website for Brussels International Airport and had copied some of that code, with the result that the cookies were carried over to the EP site.
As a result of the above, the complainants brought their complaint against the EP, under Article 68 of Regulation (EU) 2018/1725 (the Regulation), on the following grounds:
- The alleged transmission and storage of data collected by the aforementioned cookies on servers located in the US;
- The fact that website visitors were presented with two different data protection notices, neither of which was compliant with the EP’s obligations under the Regulation;
- The lack of information provided by, and the deceptive design of, the cookie banner; and
- The lack of satisfactory response to their request under Article 17 of the Regulation relating to their right to access their personal data.
It is also important to note the significance to the complaints of the key decision in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C-311/18) (Schrems II). Following that decision, the so-called EU-US Privacy Shield, which had allowed companies located in the European Economic Area (EEA) to lawfully transfer data to a specific list of US companies, was declared invalid. This led to the introduction of stricter requirements for transfers based on the EU Standard Contractual Clauses (SCCs).
Notably, the Court of Justice of the European Union held that the US did not provide a level of data protection essentially equivalent to that found in the EU. Accordingly, data controllers seeking to rely on the SCCs must implement additional measures where the level of protection afforded by the third country in question is not essentially equivalent to that provided by the EU’s GDPR regime.
In relation to the complaint about the data protection notices, the EDPS noted the requirement for the EP to abide by the principles of lawfulness, fairness and transparency, as codified in Article 4(1)(a) of the Regulation. However, the notices referred to incorrect information (the COVID-19 testing website at Brussels International Airport) and also stated that the legal basis for processing was Article 6(1)(f) of the General Data Protection Regulation (Regulation 2016/679), which has no equivalent under the Regulation. Consequently, the EP was deemed not to have complied with the principles of transparency and accountability, nor with the data subject’s right to information under the Regulation.
The cookie banners were also found to infringe the abovementioned principle of transparency, as they contained differing information depending on whether they were read in English, French or German, and only the German banner offered the option to accept necessary cookies only.
There was also a discrepancy as to which external cookies were in use, and the difference between the user clicking on “accept all” or “save” had not been made clear. Further, the first layer of the cookie banners did not allow the user to reject all cookies. Consequently, the banners also breached the EP’s obligations under Article 5(3) of the ePrivacy Directive, which stipulates that cookies may only be used where the visitor has given consent having been ‘provided with clear and comprehensive information… inter alia, about the purposes of the processing, and is given the right to refuse such processing’.
Finally, in relation to the complainants’ request to access their personal data in accordance with Article 17(1) of the Regulation, the EP responded that it “was in no position to identify neither the users (or IP addresses of users), who accepted the Google Analytics cookies”. Considered in light of the EP’s further acknowledgement that Ecolog could not say with certainty whether data transfers had taken place, the EDPS found that this response demonstrated the EP’s awareness that the personal data had been processed, and that a comprehensive reply should therefore have been provided.
The above decision demonstrates that, where cookies that transfer data to third countries are in use, an impact assessment must be conducted, a record of its findings produced and, where necessary, further steps taken to ensure that the data will be protected as though it were still in the EEA.
Whilst the EP was likely to have been unaware of the cookies having been included on the site, the EDPS held that the EP “failed to provide the necessary detailed instructions to Ecolog for the setting up of the website, including the drafting of the data protection notice”.
Further, the EDPS acknowledged that Ecolog had been asked to draft the data protection notice despite the EP “being aware that such tasks are not within Ecolog’s primary field of expertise and knowledge”. It is therefore essential to provide clear instructions to the contractor you engage to develop your website and to ensure that each task, including the drafting of data protection notices, is completed by a qualified expert.
The organisation that brought the case, NOYB, has also filed a number of similar complaints against websites throughout the EEA. Consequently, the decision has the potential to open the floodgates and lead to a greater level of compliance and due diligence throughout the EEA, a reassuring step forward for website users. It should also highlight the urgency with which a review of existing data protection policies should be conducted.
Should you have any questions in relation to the above or need assistance in ascertaining whether your website is GDPR compliant, please contact Peter Kouwenberg.