EDPS sanctions the European Parliament for illegal EU-US data transfers – among other violations

The European Union’s chief data protection supervisor has sanctioned the European Parliament for a series of breaches of the bloc’s data protection rules.

The European Data Protection Supervisor (EDPS) issued a decision after a complaint filed by noyb, a consumer advocacy site. The group asserted that the European Parliament violated data protection law on its COVID testing website.

In its finding, the EDPS highlights that the use of Google Analytics and the payment provider Stripe (both US companies) violated the European Court of Justice’s (CJEU) “Schrems II” ruling on EU-US data transfers. In July 2020, the CJEU issued the Schrems II judgement with significant implications for the use of US cloud services.

Customers of US cloud service providers must now themselves verify the data protection laws of the recipient country. They must then document their risk assessment and confer with their customers.

The ruling may be a template for many more decisions to come

The ruling is one of the first decisions implementing “Schrems II” on the ground and may show the way for hundreds of other cases pending before regulators.

The decision sends a warning to sites in the EU about the need for due diligence of personal data flows and transfers. This includes proper scrutiny of any third-party providers, plug-ins or other bits of embedded code. They now need to be extremely cautious to avoid the risk of costly legal sanction.

Indeed, the EDPS intervention relates to a COVID-19 test booking website which the European Parliament launched in September 2020. The Parliament used a third-party provider, called Ecolog.

Post-Schrems II, cookies that send data to U.S.-based providers for processing creates immediate legal risk for EU-based websites. It also poses problems for their clients. In this case, the parliament was judged to be the sole data controller, while Ecolog was the data processor.

In short: using Google Analytics to comply with EU data protection laws does not work. In fact, using Google Analytics may do just the opposite, putting you on the wrong side of Europe’s GDPR law.