European Parliament slapped down for GDPR breach

In a move which has all the makings of a Brexiteers’ dream, the European Parliament has been spanked for a series of breaches of GDPR, the data protection law that was voted in by MEPs nearly four years ago.

Although the Parliament has avoided a financial penalty, the bloc’s top privacy cop – the European Data Protection Supervisor – has battered the organisation over its Covid-19 test booking website, launched in September 2020, using a third-party provider called Ecolog.

The website attracted a raft of complaints last year, filed by MEPs and backed by the Max Schrems campaign group NOYB, over the presence of third-party trackers and confusing cookie consent banners. They also balked at the site’s transparency and data access.

An investigation by the EDPS found the test booking website was using cookies associated with Google Analytics and Stripe, but the Parliament had failed to demonstrate it had applied measures to ensure that any associated personal data transfers to the US would be adequately protected.

This breached the landmark decision – dubbed Schrems II – which saw the Privacy Shield agreement to transfer personal data between the EU and the US invalidated by the European Court of Justice in 2020.

According to the EDPS, Ecolog had simply copied and pasted code from another website it had built, for a test centre in the Brussels International Airport, complete with cookies for payment company Stripe, despite no payments actually being required for testing.

Meanwhile, Ecolog had also included Google Analytics cookies, to “minimise the risk of spoofing and for website optimisation purposes”, according to the EDPS’ findings.

The regulator has issued a reprimand and given the Parliament one month to rectify any outstanding issues.

Observers claim the decision should set off alarm bells for sites and services in the EU about the need for due diligence of personal data flows and transfers – including proper scrutiny of any third-party providers, plug-ins or other embedded code – to avoid the risk of costly legal sanction.
