EDPS - 2020-1013

From GDPRhub
Authority: EDPS
Jurisdiction: European Union
Relevant Law: Article 6 GDPR
Article 13 GDPR
Article 5(3) ePrivacy Directive
Regulation 2018/1725
Type: Complaint
Outcome: Upheld
Started:
Decided: 05.01.2022
Published:
Fine: None
Parties: n/a
National Case Number/Name: 2020-1013
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: EDPS (in EN)
Initial Contributor: n/a

The European Data Protection Supervisor (EDPS) issued a reprimand against the European Parliament for unlawfully transferring data to the US, for using unclear cookie banners and therefore placing cookies without valid consent, for publishing a data protection notice that did not meet the transparency requirements, and for failing to answer an access request by the complainants.

English Summary

Facts

In January 2021, noyb filed a complaint against the European Parliament on behalf of six Members of the European Parliament over an internal coronavirus testing website. The issues raised were: confusing and unclear cookie banners, vague and unclear data protection notices, and the illegal transfer of data to the US.

Holding

On data controllership

According to the EDPS, the processor may enjoy a considerable degree of autonomy in providing its services and may identify the ‘non-essential’ elements of the processing operation. Furthermore, the processor may advise or propose certain measures in this respect, but it is up to the controller to decide whether to accept such advice or proposal.

The analysis of the EDPS shows that the European Parliament (EP) delegated some aspects of the setting up and functioning of the website to Ecolog. The EDPS considers that the EP acts as the sole data controller for the processing in question, i.e. the operation of the Parliament’s dedicated website, whereas Ecolog acts as a processor.

After having assessed the instructions given by the EP to the processor, the EDPS concluded that the EP did not show the necessary diligence required from a data controller and, ultimately, failed to comply with the Regulation, in particular with Articles 26(1) and 29(1) of the Regulation.

Moreover, the EDPS considered that the EP failed to provide the necessary detailed instructions to Ecolog for the setting up of the website, including the drafting of the data protection notice. The absence of documented instructions is therefore in violation of Article 29(3) of the Regulation.

Transparency and information requirements

The EDPS confirmed that the data protection notice published at the time of the complaint did not reflect the processing carried out by the EP, since it was merely a copy of the notice used by the testing centre at Zaventem airport. Moreover, the reference in the document to Article 6(1)(f) GDPR was wrong, as it stemmed from the same copying error. The EDPS confirmed that the EP did not meet its transparency requirements.

The EDPS also analysed the updated version of the data protection notice during the procedure and raised several remaining, and even new, inconsistencies and issues. Among other things, the following problems persisted after the data protection notice was updated:

  • a mere reference to Articles 15 and 16 of the Regulation is misleading, as the Regulation applies in its entirety;
  • the reference to the processing of health data is not correct, since no such data are processed in the case at hand;
  • the retention period mentioned is not precise enough;
  • the sections of the data protection notices relating to the recipients of the personal data fail to make any reference to the processor;
  • inconsistencies between the different linguistic versions of the data protection notices were still observed: the English and German versions refer to Ecolog and the Laboratory van Poucke as processors under Article 29 of the Regulation, whereas the French version refers to them as controllers (‘responsables du traitement’). Moreover, the DPO’s contact details on the website refer to Ecolog, in all three linguistic versions of the website, when they should refer to the Parliament.

Cookies and transfers of personal data to the US

The EDPS confirmed that tracking cookies, such as the Stripe and the Google analytics cookies, are considered personal data, even if the traditional identity parameters of the tracked users are unknown or have been deleted by the tracker after collection.

In the same vein, the EDPS rejected the EP's argument and confirmed that upon installation on the device, a cookie cannot be considered ‘inactive’. Every time a user visited Ecolog’s website, personal data was transferred to Stripe through the Stripe cookie, which contained an identifier.

The EDPS reached the conclusion that a transfer of data to the US was taking place via the use of the Google and Stripe cookies, since Google Analytics is hosted in the US and the data protection notice referred to Standard Contractual Clauses (SCCs) for the transfer of data outside of the EU.

However, the Parliament provided no documentation, evidence or other information regarding the contractual, technical or organisational measures in place to ensure an essentially equivalent level of protection to the personal data transferred to the US in the context of the use of cookies on the website.

Cookie banner on the Parliament’s dedicated website

The EDPS recalled that:

  • before setting cookies or any other technology falling within the scope of Article 5(3) of the ePrivacy Directive, the EU institution must provide the user with adequate information on what is accessed or stored on the user’s terminal equipment, on the purposes of this action and on the means for expressing their consent;
  • no action may be performed before the consent is collected. In addition, users must be able to withdraw their consent at any time;
  • ‘cookie walls’ are not in line with the Regulation, meaning that for consent to be freely given, access to the website’s service and functionalities should not depend on the users’ consent for cookies that are not strictly necessary in the sense described above;
  • in case personal data collected through the cookies are shared with third parties, such as analytics partners, the cookie banner should draw the users’ attention to this.

The EDPS reached the conclusion that the cookie banners in all three languages were not in line with the definition of consent under Article 3(15) of the Regulation nor did they meet the requirements of Article 37 of the Regulation and Article 5(3) of the ePrivacy Directive. The cookie banner further failed to provide transparent information regarding the processing of personal data in relation to the cookies on the website.
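The four requirements recalled above (information before storage, no action before consent, withdrawal at any time, no cookie wall, plus naming third-party recipients) translate directly into how a site's consent logic must be wired. The following is an added example written for this summary; it is not code from the EDPS decision, from the Parliament's website or from Ecolog. Cookie names, categories and recipient names are constructed, and the cookie jar is an in-memory stand-in for `document.cookie` so the logic can run outside a browser.

```javascript
// Consent-gated loader for non-essential cookies (added example, not the
// page's own code). Models the EDPS points: nothing is stored before consent,
// consent is recorded and can be withdrawn at any time, the site stays usable
// without consent, and the banner names the third parties that receive data.

// Constructed catalogue: what each category stores on the terminal equipment,
// why, and which third parties receive the data. All names are hypothetical.
const COOKIE_CATEGORIES = {
  analytics: {
    purpose: "audience measurement",
    cookies: ["_ex_ga"],                 // hypothetical analytics cookie name
    recipients: ["Example Analytics Provider, hosted in the US"],
  },
  payments: {
    purpose: "fraud detection for the test booking payment",
    cookies: ["__ex_pay_id"],            // hypothetical payment cookie name
    recipients: ["Example Payment Provider, hosted in the US"],
  },
};

// Minimal in-memory cookie store with set/get/delete semantics standing in
// for document.cookie, so the example is testable without a browser.
class CookieJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  get(name) { return this.store.get(name); }
  delete(name) { this.store.delete(name); }
  names() { return [...this.store.keys()]; }
}

class ConsentManager {
  // loaders: category -> function(jar). In a real page each one would inject
  // the third-party script; here each only sets the cookies it declares.
  constructor(jar, loaders) {
    this.jar = jar;
    this.loaders = loaders;
    this.consented = new Set();
  }

  // Information the banner must present before anything is stored: what is
  // stored, for which purpose, and with whom it is shared.
  bannerInfo() {
    return Object.entries(COOKIE_CATEGORIES).map(([category, c]) => ({
      category,
      stores: c.cookies,
      purpose: c.purpose,
      sharedWith: c.recipients,
    }));
  }

  // No cookie wall: the site's functionality does not depend on consent.
  siteUsable() { return true; }

  isAllowed(category) { return this.consented.has(category); }

  // Record the choice in a first-party, strictly necessary cookie, and only
  // then run the loaders for the categories the user actually accepted.
  grant(categories) {
    for (const category of categories) {
      if (!(category in COOKIE_CATEGORIES)) throw new Error(`unknown category ${category}`);
      this.consented.add(category);
    }
    this.jar.set("consent_record", [...this.consented].join(","));
    for (const category of categories) this.loaders[category](this.jar);
  }

  // Withdrawal at any time: stop further loading and remove the cookies the
  // withdrawn category placed on the device. Returns false if it was not set.
  withdraw(category) {
    if (!this.consented.delete(category)) return false;
    for (const name of COOKIE_CATEGORIES[category].cookies) this.jar.delete(name);
    this.jar.set("consent_record", [...this.consented].join(","));
    return true;
  }
}

// Constructed loaders standing in for third-party scripts; each sets an
// identifier cookie, which is what makes the stored data personal data.
const loaders = {
  analytics: (jar) => jar.set("_ex_ga", "constructed-client-id"),
  payments: (jar) => jar.set("__ex_pay_id", "constructed-session-id"),
};

// Walk through the lifecycle and return the cookie names at each stage.
function demo() {
  const jar = new CookieJar();
  const cm = new ConsentManager(jar, loaders);
  const beforeConsent = jar.names();      // nothing stored before consent
  cm.grant(["analytics"]);
  const afterGrant = jar.names();         // consent record plus analytics cookie
  cm.withdraw("analytics");
  const afterWithdraw = jar.names();      // analytics cookie removed again
  return { beforeConsent, afterGrant, afterWithdraw, usable: cm.siteUsable() };
}
```

The design point is that the third-party loader is only ever invoked from `grant`, so there is no code path that can place an analytics or payment cookie before the user's choice has been recorded; `withdraw` both blocks future loading and deletes what was already stored, and `siteUsable` is unconditional, which is the property a cookie wall violates.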

Request for access to personal data

The Parliament was aware that the complainants’ personal data had been processed through the cookies, which were present on the website between 30 September and 4 November 2020, since transfers of personal data had taken place. Consequently, and especially following the EDPS’ inquiry on the matter, the Parliament should have replied to the complainants’ request for access to their personal data.

The Parliament should have provided the relevant information even if it was aware that the processing of the personal data in question was unlawful, as the main purpose of the right of access under Article 17 is precisely to enable data subjects to become aware of the processing and verify the lawfulness thereof, or exercise other data subject rights.

Conclusion

The EDPS concludes that the Parliament has infringed the following Articles of the Regulation 2018/1725:

  1. Articles 26(1) and 29(1) due to its failure to fulfil its responsibilities as controller and use a processor providing sufficient guarantees to implement appropriate technical and organisational measures;
  2. Article 29(3) due to its failure to provide documentation relating to the detailed instructions given to the processor for the setting up and functioning of the website;
  3. Articles 4(1)(a) and 14, 4(2), and 15 due to its failure to respect the principle of transparency, accountability and the data subjects’ right to information because of the inaccurate data protection notice and cookie banner on the dedicated website;
  4. Article 46 and Article 48(2)(b) of the Regulation, due to its reliance on the Standard Contractual Clauses in the absence of a demonstration that data subjects’ personal data transferred to the US were afforded an essentially equivalent level of protection;
  5. Article 37 read in the light of Article 5(3) of the ePrivacy Directive, due to its failure to protect information (the cookies) transmitted to, stored in, related to, processed by and collected from the users’ terminal equipment;
  6. Articles 17 and 14(4) due to its failure to reply to the data subjects’ request for access to their personal data.

On the basis of the above, the EDPS decides:

  1. to issue a reprimand to the Parliament in accordance with Article 58(2)(b) of the Regulation, for the above infringements;
  2. to order the Parliament, pursuant to Article 58(2)(b) of the Regulation, to update its data protection notices in the dedicated website in order to provide all relevant information relating to the processing of personal data. The Parliament should address this order within one (1) month from the date of the decision.

Comment

This decision of the EDPS is interesting on many levels, since it confirms that cookies linked to US providers (even if ‘inactive’) transfer data outside of the EU and should therefore meet the requirements of data protection law on transfers.

It also confirms that cookie banners should mirror the actual use of cookies on the website and list the recipients receiving the data.

It also shows that controllers remain responsible for all processing operations on their website and should make sure that they enter into an agreement with, or give written instructions to, their processors regarding the processing operation, and should be able to demonstrate compliance with this obligation.

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.