European parliament found to have broken EU rules on data transfers and cookie consents


a cookie broken in half
Image Credits: Tekke (opens in a new window) / Flickr (opens in a new window) under a CC BY-ND 2.0 (opens in a new window) license.

The European Union’s chief data protection supervisor has sanctioned the European Parliament for a series of breaches of the bloc’s data protection rules.

The decision sounds a loud warning to sites and services in the region about the need for due diligence of personal data flows and transfers — including proper scrutiny of any third-party providers, plug-ins or other bits of embedded code — to avoid the risk of costly legal sanction. Although the parliament has avoided a financial penalty this time.

The European Data Protection Supervisor’s (EDPS) intervention relates to a COVID-19 test booking website which the European Parliament launched in September 2020 — using a third-party provider, called Ecolog.

The website attracted a number of complaints, filed by six MEPs, last year — with the support of the European privacy campaign group noyb — over the presence of third-party trackers and confusing cookie consent banners, among a raft of other compliance problems, which also included transparency and data access issues.

Following an investigation, the EDPS found the parliament was at fault in several respects and it has issued a reprimand — ordering rectification of any outstanding issues within one month.

The test booking website was found to be dropping cookies associated with Google Analytics and Stripe — but the parliament failed to demonstrate it had applied any special measures to ensure that any associated personal data transfers to the U.S. would be adequately protected in light of the landmark Schrems II decision by the EU’s top court.

In July 2020, the CJEU struck down the bloc’s flagship data transfer agreement with the U.S. (aka, the EU-U.S. Privacy Shield) and issued further guidance that transfers of EU people’s personal data to all third countries must be risk assessed on a case by case basis.

The ruling also made it clear that EU regulators must step in and suspend data flows if they believe people’s information is at risk. So in order for some transfers to be legal (such as EU-U.S. data flows) additional measures may be needed to raise the level of protection to the required standard of essential equivalence with EU law — something the European Data Protection Board (EDPB) has since issued detailed guidance on.

EU puts out final guidance on data transfers to third countries

However — in the case of the parliament’s COVID-19 test booking site — the EDPS found no evidence that it or its provider had applied any such extra measures to safeguard EU-U.S. transfers resulting from the inclusion of Google Analytics and Stripe cookies.

Turns out the provider had copypasted code from another website it had built, for a test centre in the Brussels International Airport — hence the presence of cookies for payment company Stripe on the parliament site (despite no payments actually being required for testing booked via the website).

Google Analytics cookies, meanwhile, had apparently been included by the provider to “minimise the risk of spoofing and for website optimisation purposes”, according to the EDPS’ findings.

Post-Schrems II, the presence of cookies designed to send data to U.S.-based providers for processing creates immediate legal risk for EU-based websites — and/or their clients (in this case the parliament was found by the EDPS to be the sole data controller, while Ecolog was the data processor). So incorporating Google Analytics may do the opposite of “optimizing” your site’s compliance with EU data protection law.

That said, enforcement of this particular compliance issue has been a slow burn, even since the 2020 CJEU ruling — with only a smattering of regulator-led investigations, and the clearest leadership coming from the EDPS itself.

A (very) long-running complaint against Facebook’s EU-U.S. data transfers, meanwhile, brought by noyb founder Max Schrems in the wake of the 2013 Snowden disclosures about NSA mass surveillance of social network and internet data, still hasn’t resulted in a final decision by its lead data protection supervisor, the Irish Data Protection Commission (DPC) — despite the latter agreeing a full year ago that it would “swiftly” finalize the complaint.

Again, though, that makes the EDPS’ intervention on the parliament complaint all the more significant. tl;dr: EU banhammers are, gradually, falling.

Europe’s top court strikes down flagship EU-US data transfer mechanism

In another finding against the parliament, the EDPS took issue with confusing cookie consent notices shown to visitors to the test booking website — which it found provided inaccurate information; did not always offer clear choices to reject third-party tracking; and included deceptive design, which could manipulate consent.

By contrast, EU law on consent as a legal basis to process people’s data requires is clear that choice must be informed, specific (i.e. purpose limited, rather than bundled) and freely given.

The parliament was also found to have failed to respond adequately to complainants’ requests for information — breaching additional legal requirements law which provide Europeans with a suite of access rights related to their personal data.

While the parliament has landed in the embarrassing situation of being reprimanded by the EDPS, it has avoided a fine — as the regulator only has narrow powers to issue financial penalties which it said these infringements did not trigger.

But the findings of fault by the bloc’s chief data protection supervisor draw fresh red lines around routine regional use of U.S.-based tools like Google Analytics (or, indeed, Facebook Pages) in the wake of the Schrems II decision by the Court of Justice of the European Union.

Copypasting code with standard analytics calls might seem like a quick win to a website builder — but not if the entity responsible for safeguarding visitors’ information fails to properly assess EU-based legal risk.

The EDPS’ reprimand for the parliament thus has wider significance as it looks likely to prefigure a wave of aligned decisions by EU regulators, given the scores of similar complaints filed by noyb in August 2020 targeting websites across the bloc.

“We expect more rulings on this matter in the next month,” noyb’s honorary chairman, Max Schrems, told TechCrunch. “The fact that the EDPS has taken a clear position is a good sign for other DPAs.”

The EDPS’ sanction of the parliament over confusing cookie banners also sends a strong signal over what’s acceptable and what’s not when it comes to obtaining users’ consent to tracking — despite confusing dark patterns still being shamefully widespread in the EU.

(For a particularly ironic example of that, see this blog post by analyst Forrester — which warns that regulators are coming for “dark patterns”, even as the analyst’s own webpage serves what very much looks like a non-compliant cookie notice given the only obvious button reads “Accept cookies” and it takes multiple clicks through sub-menus to find an option to reject tracking cookies, so er… )

Noyb also kicked off a major effort targeting this type of cookie non-compliance last year — which it suggested could lead to it filing up to 10,000 complaints about dubious cookie banners with EU regulators.

Regional regulators are clearly going to have their work cut out to clean up so much infringement — which in turn may encourage DPAs to coordinate on standardizing enforcements to drive the necessary scale of change.

The EDPS decision adds high-level accelerant by sending a clear signal that confusing cookie banners are the same as non-compliant cookie banners from the body responsible for providing EU lawmakers with expert guidance on how to interpret and apply data protection law.

Here’s an illustrative snippet from its decision — which describes a portion of the confusion that hit visitors to the parliament website as they tried to parse the cookie notices at the time of the complaints (tracking cookies have since been removed from the site):

The English version only referred to essential cookies and prompted the user to either click on the ‘accept all’ or the ‘save’ button. The difference between the two buttons was unclear. The French version of the second layer of cookie banner referred both to essential cookies and ‘external media’. These external media cookies included cookies from Facebook, Google Maps, Instagram, OpenStreetMap, Twitter, Vimeo and Youtube. The visitor could also choose between ‘accept all’ or ‘save’. The German version of the second layer of the cookie banner referred to only one ‘external media’ cookie — Google Maps — in addition to the essential cookie.

The EDPS’ conclusion was that the cookie banners in all three languages failed to meet the EU standard for consent.

In another sign of the cookie (non)compliance reckoning that’s now unfolding in the region, some EU regulators have been taking actual action — such as France’s CNIL which issued a major slap-down to Google and Facebook last week, announcing fines of $170 million and $68 million, respectively, for choosing dark pattern design over clear choices in their cookie consent flows.

The EDPB, which supports DPAs’ enforcement of pan-EU rules like the General Data Protection Regulation, established a task force on the cookie issue last fall — saying it would “coordinate the response to complaints concerning cookie banners” noyb had filed with a number of regional agencies.

Schrems describes that step as a “good” development — but said it is also slowing things down.

Although he suggested the direction of travel is toward a standard that will require a simple yes/no for tracking. (Which will of course mean a firm “no” in the vast majority of cases, given how few people like being stalked by ads — hence the U.K. DPA’s recent warning to adtech that the end of tracking is nigh.)

“The CNIL and the EDPS decisions support the view by us that we need to move to fair ‘yes or no’ options,” Schrems told us. “We expect other authorities to follow this lead.”

What about his vintage data flows complaint via-a-vis Facebook’s EU-U.S. transfers? Is there any sign of Ireland’s promised “swift” resolution to that particular complaint — which should have led to a DPA order to Facebook to suspend data flows years ago? But has so far only led to a preliminary order in September 2020 that Facebook suspend transfers.

“They always say that each decision is coming any day — I stopped following these rumors but there is a rumor on this again right now… ” Schrems said on the DPC, concluding his text with an eyeroll emoji.

EU websites’ use of Google Analytics and Facebook Connect targeted by post-Schrems II privacy complaints

Europe’s cookie consent reckoning is coming

Facebook’s EU-US data transfers face their final countdown

More TechCrunch

After Apple loosened its App Store guidelines to permit game emulators, the retro game emulator Delta — an app 10 years in the making — hit the top of the…

Adobe comes after indie game emulator Delta for copying its logo

Meta is once again taking on its competitors by developing a feature that borrows concepts from others — in this case, BeReal and Snapchat. The company is developing a feature…

Meta’s latest experiment borrows from BeReal’s and Snapchat’s core ideas

Welcome to Startups Weekly! We’ve been drowning in AI news this week, with Google’s I/O setting the pace. And Elon Musk rages against the machine.

Startups Weekly: It’s the dawning of the age of AI — plus,  Musk is raging against the machine

IndieBio’s Bay Area incubator is about to debut its 15th cohort of biotech startups. We took special note of a few, which were making some major, bordering on ludicrous, claims…

IndieBio’s SF incubator lineup is making some wild biotech promises

YouTube TV has announced that its multiview feature for watching four streams at once is now available on Android phones and tablets. The Android launch comes two months after YouTube…

YouTube TV’s ‘multiview’ feature is now available on Android phones and tablets

Featured Article

Two Santa Cruz students uncover security bug that could let millions do their laundry for free

CSC ServiceWorks provides laundry machines to thousands of residential homes and universities, but the company ignored requests to fix a security bug.

9 hours ago
Two Santa Cruz students uncover security bug that could let millions do their laundry for free

OpenAI’s Superalignment team, responsible for developing ways to govern and steer “superintelligent” AI systems, was promised 20% of the company’s compute resources, according to a person from that team. But…

OpenAI created a team to control ‘superintelligent’ AI — then let it wither, source says

TechCrunch Disrupt 2024 is just around the corner, and the buzz is palpable. But what if we told you there’s a chance for you to not just attend, but also…

Harness the TechCrunch Effect: Host a Side Event at Disrupt 2024

Decks are all about telling a compelling story and Goodcarbon does a good job on that front. But there’s important information missing too.

Pitch Deck Teardown: Goodcarbon’s $5.5M seed deck

Slack is making it difficult for its customers if they want the company to stop using its data for model training.

Slack under attack over sneaky AI training policy

A Texas-based company that provides health insurance and benefit plans disclosed a data breach affecting almost 2.5 million people, some of whom had their Social Security number stolen. WebTPA said…

Healthcare company WebTPA discloses breach affecting 2.5 million people

Featured Article

Microsoft dodges UK antitrust scrutiny over its Mistral AI stake

Microsoft won’t be facing antitrust scrutiny in the U.K. over its recent investment into French AI startup Mistral AI.

11 hours ago
Microsoft dodges UK antitrust scrutiny over its Mistral AI stake

Ember has partnered with HSBC in the U.K. so that the bank’s business customers can access Ember’s services from their online accounts.

Embedded finance is still trendy as accounting automation startup Ember partners with HSBC UK

Kudos uses AI to figure out consumer spending habits so it can then provide more personalized financial advice, like maximizing rewards and utilizing credit effectively.

Kudos lands $10M for an AI smart wallet that picks the best credit card for purchases

The EU’s warning comes after Microsoft failed to respond to a legally binding request for information that focused on its generative AI tools.

EU warns Microsoft it could be fined billions over missing GenAI risk info

The prospects for troubled banking-as-a-service startup Synapse have gone from bad to worse this week after a United States Trustee filed an emergency motion on Wednesday.  The trustee is asking…

A US Trustee wants troubled fintech Synapse to be liquidated via Chapter 7 bankruptcy, cites ‘gross mismanagement’

U.K.-based Seraphim Space is spinning up its 13th accelerator program, with nine participating companies working on a range of tech from propulsion to in-space manufacturing and space situational awareness. The…

Seraphim’s latest space accelerator welcomes nine companies

OpenAI has reached a deal with Reddit to use the social news site’s data for training AI models. In a blog post on OpenAI’s press relations site, the company said…

OpenAI inks deal to train AI on Reddit data

X users will now be able to discover posts from new Communities that are trending directly from an Explore tab within the section.

X pushes more users to Communities

For Mark Zuckerberg’s 40th birthday, his wife got him a photoshoot. Zuckerberg gives the camera a sly smile as he sits amid a carefully crafted re-creation of his childhood bedroom.…

Mark Zuckerberg’s makeover: Midlife crisis or carefully crafted rebrand?

Strava announced a slew of features, including AI to weed out leaderboard cheats, a new ‘family’ subscription plan, dark mode and more.

Strava taps AI to weed out leaderboard cheats, unveils ‘family’ plan, dark mode and more

We all fall down sometimes. Astronauts are no exception. You need to be in peak physical condition for space travel, but bulky space suits and lower gravity levels can be…

Astronauts fall over. Robotic limbs can help them back up.

Microsoft will launch its custom Cobalt 100 chips to customers as a public preview at its Build conference next week, TechCrunch has learned. In an analyst briefing ahead of Build,…

Microsoft’s custom Cobalt chips will come to Azure next week

What a wild week for transportation news! It was a smorgasbord of news that seemed to touch every sector and theme in transportation.

Tesla keeps cutting jobs and the feds probe Waymo

Sony Music Group has sent letters to more than 700 tech companies and music streaming services to warn them not to use its music to train AI without explicit permission.…

Sony Music warns tech companies over ‘unauthorized’ use of its content to train AI

Winston Chi, Butter’s founder and CEO, told TechCrunch that “most parties, including our investors and us, are making money” from the exit.

GrubMarket buys Butter to give its food distribution tech an AI boost

The investor lawsuit is related to Bolt securing a $30 million personal loan to Ryan Breslow, which was later defaulted on.

Bolt founder Ryan Breslow wants to settle an investor lawsuit by returning $37 million worth of shares

Meta, the parent company of Facebook, launched an enterprise version of the prominent social network in 2015. It always seemed like a stretch for a company built on a consumer…

With the end of Workplace, it’s fair to wonder if Meta was ever serious about the enterprise

X, formerly Twitter, turned TweetDeck into X Pro and pushed it behind a paywall. But there is a new column-based social media tool in town, and it’s from Instagram Threads.…

Meta Threads is testing pinned columns on the web, similar to the old TweetDeck

As part of 2024’s Accessibility Awareness Day, Google is showing off some updates to Android that should be useful to folks with mobility or vision impairments. Project Gameface allows gamers…

Google expands hands-free and eyes-free interfaces on Android