The European Parliament has been sanctioned for violating European privacy directives with cookies on its COVID website. Incredible but true: a body such as the European Union, which passes these laws, has broken one of them. These little biscuits have played a dirty trick on it, and for this reason it has “self-sanctioned”. Cookies tend to be used mainly for two purposes. On the one hand, they remember accesses and learn about browsing habits. They allow websites to identify your computer, remember who you are and what you have done on them before.

On the other hand, they have another, more problematic function, and it is precisely this that has given them such a bad reputation. They allow information about your browsing habits to be disclosed to third parties and are used to send you information related to your interests. But that is not all: they also serve to identify you as a user according to the pages you visit.

Cookies of this type are like surveillance cameras placed all over the internet. In this way, third-party companies can find out which pages you visit and create a profile of your personal tastes. They can also record your searches on search engines such as Google, or on the internal search engines of online shops, to learn about your tastes and needs.

Well, the EU has screwed up and has been fined. The official website of the body that provides information on COVID-19 abused third-party cookies, not respecting users’ privacy. It is appalling that an official body that has been particularly tough on the issue of cookies by enacting different laws has fallen into its own trap.

The investigation

The European Data Protection Supervisor (EDPS) is the body in charge of monitoring and ensuring the proper use of the internet in the Eurozone. It should be recalled that data protection on the internet was a turning point years ago in the European Parliament. Since then, big tech companies have been fined millions of dollars for not respecting the privacy of their users. A few years and a few lawsuits later, Europe has penalised itself for flouting privacy directives that it had itself imposed.

In January 2021, Noyb, a non-profit organisation, filed a complaint against the European Parliament over an internal coronavirus testing website. The issues raised were misleading cookie banners, unclear data protection notices, and illegal transfer of data to the US. The EDPS investigated the matter and issued a warning to the Parliament for violating the GDPR for EU institutions.

In the so-called Schrems II case, the CJEU made it clear that the transfer of personal data from the EU to the US is subject to very strict conditions. Websites are prohibited from transferring personal data to the US where an adequate level of protection of personal data cannot be guaranteed.

The EDPS confirmed that the website did indeed transfer data to the US without ensuring an adequate level of data protection, underlining that:

Parliament did not provide any documentation, evidence or other information on the contractual, technical or organisational measures in place to ensure an essentially equivalent level of protection for personal data transferred to the US in the context of the use of cookies on the website.

Is the law the same for everyone?

As mentioned above, several points were raised in the complaint. Let us look at each of them in detail.

  • Ambiguous cookie banner. The complaint stated that the site’s cookie banners were unclear and misleading. Not all cookies appeared on the banners and there were discrepancies between the language versions. Consequently, users were unable to give valid consent. During the investigation, Parliament removed all cookies from its website.
  • Insufficient information. Furthermore, the complaint pointed out that the privacy policy was not clear and transparent. It referred to the COVID tests at Brussels airport or to an erroneous legal basis. During the investigation, the Parliament changed its policy, making it even worse. Noyb raised the various inconsistencies in the new privacy policy. The EDPS found that the information provided by the Parliament violated the obligation of transparency, a basic legal requirement of data protection law. Finally, the EDPS also maintained that the Parliament had failed to respond adequately to the complainants’ request for access. 

In the end, there has been no fine, only a warning and a compliance order. In addition, the EDPS gave the Parliament one month to update its data protection notice and to amend the remaining transparency issues.

Although it has managed to avoid the financial penalty, the institution has breached the EU data protection regulation. This is why we at Somos Sinapsis are asking the question posed above: is the law really the same for everyone?

A frustrated librarian who one day discovered her creative potential and, after several marketing courses, decided to put it to use on social media, ending up as community manager for various companies and artists. She loves silence but is a music lover to the core, pure spirit of contradiction. A fan of horror books, films and series. She lives gazing at a star, always in a state of waiting.