European parliament found to have broken EU rules on data transfers and cookie consents

The European Union’s chief data protection supervisor has sanctioned the European Parliament for a series of breaches of the bloc’s data protection rules.

The decision sounds a loud warning to sites and services in the region about the need for due diligence of personal data flows and transfers — including proper scrutiny of any third-party providers, plug-ins or other bits of embedded code — to avoid the risk of costly legal sanction. Although the parliament has avoided a financial penalty this time.

The European Data Protection Supervisor’s (EDPS) intervention relates to a COVID-19 test booking website which the European Parliament launched in September 2020 — using a third-party provider, called Ecolog.

The website attracted a number of complaints, filed by six MEPs, last year — with the support of the European privacy campaign group noyb — over the presence of third-party trackers and confusing cookie consent banners, among a raft of other compliance problems, which also included transparency and data access issues.

Following an investigation, the EDPS found the parliament was at fault in several respects and it has issued a reprimand — ordering rectification of any outstanding issues within one month.

The test booking website was found to be dropping cookies associated with Google Analytics and Stripe — but the parliament failed to demonstrate it had applied any special measures to ensure that any associated personal data transfers to the U.S. would be adequately protected in light of the landmark Schrems II decision by the EU’s top court.

In July 2020, the CJEU struck down the bloc’s flagship data transfer agreement with the U.S. (aka, the EU-U.S. Privacy Shield) and issued further guidance that transfers of EU people’s personal data to all third countries must be risk assessed on a case by case basis.

The ruling also made it clear that EU regulators must step in and suspend data flows if they believe people’s information is at risk. So in order for some transfers to be legal (such as EU-U.S. data flows) additional measures may be needed to raise the level of protection to the required standard of essential equivalence with EU law — something the European Data Protection Board (EDPB) has since issued detailed guidance on.

However — in the case of the parliament’s COVID-19 test booking site — the EDPS found no evidence that it or its provider had applied any such extra measures to safeguard EU-U.S. transfers resulting from the inclusion of Google Analytics and Stripe cookies.

Turns out the provider had copypasted code from another website it had built, for a test centre in the Brussels International Airport — hence the presence of cookies for payment company Stripe on the parliament site (despite no payments actually being required for testing booked via the website).

Google Analytics cookies, meanwhile, had apparently been included by the provider to “minimise the risk of spoofing and for website optimisation purposes”, according to the EDPS’ findings.

Post-Schrems II, the presence of cookies designed to send data to U.S.-based providers for processing creates immediate legal risk for EU-based websites — and/or their clients (in this case the parliament was found by the EDPS to be the sole data controller, while Ecolog was the data processor). So incorporating Google Analytics may do the opposite of “optimizing” your site’s compliance with EU data protection law.

That said, enforcement of this particular compliance issue has been a slow burn, even since the 2020 CJEU ruling — with only a smattering of regulator-led investigations, and the clearest leadership coming from the EDPS itself.

A (very) long-running complaint against Facebook’s EU-U.S. data transfers, meanwhile, brought by noyb founder Max Schrems in the wake of the 2013 Snowden disclosures about NSA mass surveillance of social network and internet data, still hasn’t resulted in a final decision by its lead data protection supervisor, the Irish Data Protection Commission (DPC) — despite the latter agreeing a full year ago that it would “swiftly” finalize the complaint.

Again, though, that makes the EDPS’ intervention on the parliament complaint all the more significant. tl;dr: EU banhammers are, gradually, falling.

In another finding against the parliament, the EDPS took issue with confusing cookie consent notices shown to visitors to the test booking website — which it found provided inaccurate information; did not always offer clear choices to reject third-party tracking; and included deceptive design, which could manipulate consent.

By contrast, EU law on consent as a legal basis to process people’s data requires is clear that choice must be informed, specific (i.e. purpose limited, rather than bundled) and freely given.

The parliament was also found to have failed to respond adequately to complainants’ requests for information — breaching additional legal requirements law which provide Europeans with a suite of access rights related to their personal data.

While the parliament has landed in the embarrassing situation of being reprimanded by the EDPS, it has avoided a fine — as the regulator only has narrow powers to issue financial penalties which it said these infringements did not trigger.

But the findings of fault by the bloc’s chief data protection supervisor draw fresh red lines around routine regional use of U.S.-based tools like Google Analytics (or, indeed, Facebook Pages) in the wake of the Schrems II decision by the Court of Justice of the European Union.

Copypasting code with standard analytics calls might seem like a quick win to a website builder — but not if the entity responsible for safeguarding visitors’ information fails to properly assess EU-based legal risk.

The EDPS’ reprimand for the parliament thus has wider significance as it looks likely to prefigure a wave of aligned decisions by EU regulators, given the scores of similar complaints filed by noyb in August 2020 targeting websites across the bloc.

“We expect more rulings on this matter in the next month,” noyb’s honorary chairman, Max Schrems, told TechCrunch. “The fact that the EDPS has taken a clear position is a good sign for other DPAs.”

The EDPS’ sanction of the parliament over confusing cookie banners also sends a strong signal over what’s acceptable and what’s not when it comes to obtaining users’ consent to tracking — despite confusing dark patterns still being shamefully widespread in the EU.

(For a particularly ironic example of that, see this blog post by analyst Forrester — which warns that regulators are coming for “dark patterns”, even as the analyst’s own webpage serves what very much looks like a non-compliant cookie notice given the only obvious button reads “Accept cookies” and it takes multiple clicks through sub-menus to find an option to reject tracking cookies, so er… )

Noyb also kicked off a major effort targeting this type of cookie non-compliance last year — which it suggested could lead to it filing up to 10,000 complaints about dubious cookie banners with EU regulators.

Regional regulators are clearly going to have their work cut out to clean up so much infringement — which in turn may encourage DPAs to coordinate on standardizing enforcements to drive the necessary scale of change.

The EDPS decision adds high-level accelerant by sending a clear signal that confusing cookie banners are the same as non-compliant cookie banners from the body responsible for providing EU lawmakers with expert guidance on how to interpret and apply data protection law.

Here’s an illustrative snippet from its decision — which describes a portion of the confusion that hit visitors to the parliament website as they tried to parse the cookie notices at the time of the complaints (tracking cookies have since been removed from the site):

The English version only referred to essential cookies and prompted the user to either click on the ‘accept all’ or the ‘save’ button. The difference between the two buttons was unclear. The French version of the second layer of cookie banner referred both to essential cookies and ‘external media’. These external media cookies included cookies from Facebook, Google Maps, Instagram, OpenStreetMap, Twitter, Vimeo and Youtube. The visitor could also choose between ‘accept all’ or ‘save’. The German version of the second layer of the cookie banner referred to only one ‘external media’ cookie — Google Maps — in addition to the essential cookie.

The EDPS’ conclusion was that the cookie banners in all three languages failed to meet the EU standard for consent.

In another sign of the cookie (non)compliance reckoning that’s now unfolding in the region, some EU regulators have been taking actual action — such as France’s CNIL which issued a major slap-down to Google and Facebook last week, announcing fines of $170 million and $68 million, respectively, for choosing dark pattern design over clear choices in their cookie consent flows.

The EDPB, which supports DPAs’ enforcement of pan-EU rules like the General Data Protection Regulation, established a task force on the cookie issue last fall — saying it would “coordinate the response to complaints concerning cookie banners” noyb had filed with a number of regional agencies.

Schrems describes that step as a “good” development — but said it is also slowing things down.

Although he suggested the direction of travel is toward a standard that will require a simple yes/no for tracking. (Which will of course mean a firm “no” in the vast majority of cases, given how few people like being stalked by ads — hence the U.K. DPA’s recent warning to adtech that the end of tracking is nigh.)

“The CNIL and the EDPS decisions support the view by us that we need to move to fair ‘yes or no’ options,” Schrems told us. “We expect other authorities to follow this lead.”

What about his vintage data flows complaint via-a-vis Facebook’s EU-U.S. transfers? Is there any sign of Ireland’s promised “swift” resolution to that particular complaint — which should have led to a DPA order to Facebook to suspend data flows years ago? But has so far only led to a preliminary order in September 2020 that Facebook suspend transfers.

“They always say that each decision is coming any day — I stopped following these rumors but there is a rumor on this again right now… ” Schrems said on the DPC, concluding his text with an eyeroll emoji.