EDPS Issues Decision Confirming EU Parliament’s Cookie Violations
During its investigation, the EDPS notified the Parliament that it had identified issues with the website, particularly in relation to the purpose of a unique identifier stored on the website along with a cookie. The Parliament took steps to disable the relevant cookies and made several statements regarding its compliance, including that it was not transferring any personal data outside the EU. However, further investigation revealed that it was not in a position to make said statements: the EDPS identified, for example, that the third party provider used by the Parliament could not confirm with certainty that no data was transferred internationally pursuant to delivering its services.
The EDPS came to the conclusion that the Parliament had in fact violated applicable privacy laws. The EDPS made the following statements regarding international transfers:
- For the period during which the trackers were on the website, personal data processed through these cookies was ultimately transferred to the U.S., where the cookie provider was located and hosted all relevant data.
- Whilst the transfers of personal data relied on the Standard Contractual Clauses (“SCCs”), in citing the decision of Schrems II, a sufficient assessment into the transfer was not undertaken which, in turn, led to no additional measures being implemented to provide the personal data with essentially equivalent protection. The EDPS stated specifically in its decision that the “Parliament provided no documentation, evidence or other information regarding the contractual, technical or organizational measures in place” in this respect.
In addition to such findings, the EDPS also found that the Parliament failed to meet other data protection obligations for the period during which cookies were present on the website, including with regard its lack of transparency due to its “inaccurate data protection notice and cookie banner” and its “failure to reply to the data subjects’ request for access to their personal data”.
On the basis of its findings, the EDPS decided to:
- issue a reprimand to the Parliament in accordance with Article 58(2)(b) of the Regulation 2018/1725, for the above infringements;
- order the Parliament, pursuant to Article 58(2)(b) of the Regulation 2018/1725, to update its data protection notices on the website in order to provide all relevant information relating to the processing of personal data. EDPS gave the Parliament one month to comply with this from the date of the decision.
Over the last year, we have seen an increasing number of actions taken against corporate organisations, usually those with a significant online user base or online traffic, using cookies in a non-compliant manner. Vast changes in the laws and requirements surrounding international transfers have also been in the spotlight. It is therefore not surprising that the EDPS has sought to take action against the Parliament in this instance, although it is not as severe or extreme as some local regulator enforcement actions we have seen in recent months. This action along with the several others recently should be a warning for organisations using cookies and transferring data internationally that these are both areas of scrutiny for regulators and matters of compliance which should be prioritised.