Privacy complaint targets European Parliament’s COVID-19 test-booking site

Natasha Lomas
Senior Reporter, TechCrunch
January 22, 2021
The European Parliament is currently under scrutiny from the EU’s primary data protection authority following a formal complaint alleging potential breaches of data protection regulations related to a website established for MEPs to schedule coronavirus tests.

The complaint, submitted by a group of six Members of the European Parliament and backed by the privacy advocacy organization noyb, claims that third-party tracking technologies were implemented without obtaining appropriate consent and that the cookie consent mechanisms presented to website visitors were unclear and potentially misleading.

Furthermore, the complaint asserts that personal data was transferred to the United States without a legitimate legal foundation, referencing a significant ruling from Europe’s highest court last year (commonly known as Schrems II).

The European Data Protection Supervisor (EDPS), responsible for overseeing data compliance within EU institutions, has acknowledged receipt of the complaint and confirmed the commencement of an investigation.

The EDPS also stated that the problematic tracking technologies had been deactivated in response to the concerns, and that the parliament assured them no user data had been transmitted outside of the EU.

“A complaint was indeed received from several MEPs regarding the European Parliament’s coronavirus testing website; the EDPS has initiated an investigation in line with Article 57(1)(e) EUDPR (the GDPR equivalent for EU institutions),” a spokesperson for the EDPS explained to TechCrunch. “Subsequent to this complaint, the Data Protection Office of the European Parliament informed the EDPS that the contentious cookies were disabled on the website and confirmed that no user data was sent beyond the borders of the European Union.”

“The EDPS is presently evaluating this website to guarantee adherence to EUDPR stipulations. Findings from the EDPS will be communicated to the data controller and the complainants in due course,” the spokesperson added.

Alexandra Geese, a Member of the European Parliament representing Germany’s Green Party, initially filed the complaint on behalf of fellow parliamentarians.

Patrick Breyer and Mikuláš Peksa, of the Pirate Party in Germany and the Czech Republic respectively, are two of the MEPs publicly supporting the complaint.

We contacted the European Parliament and the company responsible for providing the testing website for a response. Update: The European Parliament Press Service has now issued the following statement:

The complaint is significant for several reasons. First, the allegations of failing to uphold regional data protection standards are particularly unfavorable for an EU institution. Data protection may also be especially critical for “politically exposed persons such as Members and staff of the European Parliament”, as noyb points out.

In 2019, the European Parliament was previously sanctioned by the EDPS for utilizing a U.S.-based digital campaign platform, NationBuilder, to process citizen voter data in advance of the spring elections—marking the regulator’s first-ever enforcement action against an EU institution.

This is not the first instance of the parliament facing scrutiny regarding its attention to detail concerning third-party data processors (the parliament’s COVID-19 test registration website is managed by a German company named Ecolog Deutschland GmbH). An isolated incident might be an oversight, but repeated occurrences suggest a systemic issue…

Secondly, the complaint could potentially expedite a referral to the EU’s highest court, the CJEU, to seek further clarification on the interpretation of Schrems II—a ruling with broad implications for the thousands of businesses involved in transferring personal data outside the EU—should a subsequent challenge arise from a decision by the EDPS.

“The decisions of the EDPS can be directly appealed to the Court of Justice of the EU,” noyb notes in a press release. “This allows for a direct appeal to the highest court of the EU, responsible for the consistent interpretation of EU law. This is particularly relevant as noyb is currently pursuing multiple other cases raising similar issues before national DPAs.”

Currently, businesses transferring data out of the EU and trying to understand how (or whether) they can comply with data protection laws post-Schrems II have only the guidance issued by EU regulators to rely on.

Further interpretation from the CJEU could provide greater clarity—and potentially stricter limitations for processors seeking to legally transfer European data across borders, depending on the outcome.

Additionally, noyb emphasizes that the complaint requests the EDPS to prohibit any data transfers that violate EU law.

“Public authorities, and particularly EU institutions, must set an example by adhering to the law,” stated Max Schrems, honorary chairman of noyb, in a statement. “This also applies to data transfers outside the EU. By utilizing U.S. providers, the European Parliament potentially enabled the NSA to access data belonging to its staff and members.”

According to the complaint, initial concerns regarding third-party trackers and data transfers were raised with the parliament last October—after an MEP employed a tracker-scanning tool to analyze the COVID-19 test-booking website, identifying a total of 150 third-party requests and a cookie placed on her browser.

Specifically, the EcoCare COVID-19 testing-registration website was found to set a cookie from the U.S.-based company Stripe, alongside numerous third-party requests to Google and Stripe.

The complaint also highlights that a data protection notice on the site indicated that data related to user activity generated by Google Analytics is “transmitted to and stored on a Google server in the U.S.”

Regarding consent, the site was observed to present users with two different, conflicting data protection notices—one of which contained a (presumably copied) reference to Brussels Airport.

Different consent flows were also presented depending on the user’s location, with some visitors lacking a clear option to opt out. The cookie notices were also found to employ a “dark pattern” encouraging acceptance of all processing through a prominent green button, alongside ambiguous wording for alternative choices.

The EU maintains strict requirements for legally obtaining consent for (non-essential) cookies and other third-party tracking technologies, stipulating that consent must be explicit, informed, and freely given.

In 2019, Europe’s highest court further affirmed that consent must be secured before deploying non-essential trackers. (Data related to health also generally requires a higher standard of consent for legal processing within the EU, although in this case the personal information pertains to appointment registrations rather than sensitive medical data.)

The complaints allege that the website does not meet these EU cookie consent requirements.

The use of U.S.-based services (and the reference to storing data in the U.S.) presents a legal challenge in light of the Schrems II judgment.

The U.S. no longer benefits from seamless data flows out of the EU after the CJEU invalidated the adequacy arrangement granted by the Commission (invalidating the EU-U.S. Privacy Shield mechanism)—meaning transfers of data on EU citizens to U.S. companies are now complex.

Data controllers are responsible for evaluating each proposed transfer on a case-by-case basis. Standard Contractual Clauses, a data transfer mechanism, were not invalidated by the CJEU. However, the court clarified that SCCs can only be used for transfers to countries where data protection is substantially equivalent to the standards offered in the EU—while simultaneously stating that the U.S. does not meet that standard.

Guidance from the European Data Protection Board following the ruling suggests that some EU-U.S. data transfers may be permissible under European law, such as those involving encrypted data with no access by the receiving U.S.-based entity.

However, the threshold for compliance varies depending on the specific context and situation.

Furthermore, for certain companies subject to U.S. surveillance law (such as Google), achieving compliance may be exceedingly difficult—as surveillance law is the primary legal obstacle to EU-U.S. transfers.

Therefore, it is problematic for the parliament to have included a notice on its COVID-19 testing website stating that personal data would be transferred to a Google server in the U.S. (Even if that functionality was not activated, as has been claimed.)

Another significant aspect of the complaint against the European Parliament is that it underscores the potential for widespread legal challenges facing web infrastructure within Europe for failing to comply with regional data protection rules. If the European Parliament cannot ensure compliance, who can?

Indeed, noyb filed numerous complaints against EU websites last year, identifying those still sending data to the U.S. via Google Analytics and/or Facebook Connect integrations shortly after the Schrems II ruling. (These complaints are currently under investigation by DPAs across the EU.)

Facebook’s EU data transfers are also under intense scrutiny. Earlier this month, the tech giant’s lead EU data regulator agreed to “swiftly resolve” a long-standing complaint regarding its transfers.

Schrems filed that complaint back in 2013. He anticipates a resolution this year, likely within six to nine months. A final decision is expected in 2021.

He has previously suggested that the only solution for Facebook to address the data transfer issue is to federate its service, storing European users’ data locally. Last year, the tech giant denied it would discontinue its service in Europe if its lead EU regulator enforced a preliminary order to suspend transfers (which it challenged through a judicial review of the Irish DPC’s procedures).

Facebook has also been advocating for a political resolution to the legal uncertainty surrounding EU-U.S. data transfers. However, the European Commission has cautioned that there is no quick fix—and reform of U.S. surveillance law is necessary.

As options for maintaining the status quo regarding EU data protection enforcement against U.S. tech giants diminish in light of landmark CJEU rulings and ongoing litigation like this latest noyb-supported complaint, pressure will continue to mount for pro-privacy reform of U.S. surveillance law. Facebook has not yet publicly supported reforming FISA.

Natasha Lomas

Natasha served as a leading journalist at TechCrunch for over twelve years, from September 2012 until April 2025, reporting from a European base. Before her time at TC, she evaluated smartphones as a reviewer for CNET UK. Earlier in her career, she dedicated more than five years to covering the realm of business technology at silicon.com – which is now integrated within TechRepublic – with a concentration on areas like mobile and wireless technologies, telecommunications and networking, and the development of IT expertise. She also contributed as a freelance writer to prominent organizations such as The Guardian and the BBC. Natasha’s academic background includes a First Class Honours degree in English from Cambridge University, complemented by a Master of Arts degree in journalism earned at Goldsmiths College, University of London.