January 25, 2021
By Foo Yun Chee
BRUSSELS (Reuters) – An EU privacy watchdog is investigating the European Parliament’s COVID-19 testing website for its staff after a privacy activist filed a complaint on concerns that the site could be transferring data illegally to the United States.
The Austrian privacy advocacy group Noyb, led by Max Schrems, took its case to the European Data Protection Supervisor (EDPS) on behalf of six European Union lawmakers.
Schrems, an Austrian and prominent figure in Europe’s digital rights movement against intrusive data-gathering by Silicon Valley tech giants, pursued two cases against Facebook, winning landmark judgments that forced the social network to change how it handles user data in Europe.
EDPS said it had already begun an investigation following a complaint by some EU lawmakers in October last year
“We received today additional information of direct relevance to this complaint that will be examined thoroughly,” said a spokesman for the EU body, which has oversight of privacy issues related to EU institutions.
The complaint said that EU lawmakers, on accessing the virus test site, discovered that it had sent over 150 third-party requests, including requests to U.S.-based companies Google and Stripe, in breach of an EU court judgment in July last year.
A number of these third-party requests were for user data in targeted advertising and to enable software to function smoothly.
“The main issues raised are the deceptive cookies banners of an internal corona testing website, the vague and unclear data protection notice, and the illegal transfer of data to the U.S.,” Noyb said in a statement.
Cookies are used by companies to track online browsing behaviour, key to online advertising.
Schrems said the EU parliament should have known better.
“Public authorities, and in particular the EU institutions, have to lead by example to comply with the law. This is also true when it comes to transfers of data outside of the EU. By using U.S. providers, the European Parliament enabled U.S. authorities to access data of its staff and its members.”
The European Parliament did not immediately respond to a request for comment.
(Reporting by Foo Yun Chee; Editing by Mark Heinrich)