European Parliament found to have breached EU rules on data transfers and cookie consents - TechCrunch
The European Union's chief data protection supervisor has reprimanded the European Parliament over a series of breaches of the bloc's data protection rules.
The decision serves as a major warning to sites and services in the region about the need for due diligence around flows and transfers of personal data - including proper scrutiny of any third-party providers, plug-ins or other pieces of embedded code - to avoid the risk of costly sanctions. Although parliament has avoided a financial penalty this time.
The intervention by the European Data Protection Supervisor (EDPS) relates to a COVID-19 test booking website launched by the European Parliament in September 2020, built using a third-party provider, a company called Ecolog.
The website attracted a number of complaints, filed by six MEPs in 2020 - with support from the European privacy campaign group noyb - over the presence of third-party trackers and confusing cookie banners, among other compliance issues, which also included problems with data transparency and access rights.
Following an investigation, the EDPS found that parliament was at fault in a number of ways and has issued a reprimand - ordering any outstanding issues to be rectified within a month.
The test booking site was found to be setting cookies linked to Google Analytics and Stripe - but parliament was unable to demonstrate that it had put in place specific measures to ensure that the associated transfers of personal data to the US were adequately protected, as required following the landmark Schrems II ruling by the EU's top court.
In July 2020, the CJEU struck down the bloc's flagship data transfer agreement with the US (aka the EU-US Privacy Shield) and issued further guidance requiring risk assessments of transfers of EU personal data to third countries on a case-by-case basis.
The ruling also made clear that EU regulators must step in and block data flows if they believe people's information is at risk. So for certain transfers (such as EU-US data flows) to remain lawful, additional measures may be needed to raise the level of protection to the standard of essential equivalence required by EU law - something the European Data Protection Board (EDPB) has since published detailed guidance on.
However - with regard to parliament's COVID-19 test site - the EDPS found no evidence that either it or its provider had taken any such supplementary measures to protect the EU-US transfers resulting from the inclusion of Google Analytics and Stripe cookies.
It turned out that the supplier had copied code from another website it had built, for a test center at Brussels Airport - so there were payment-related Stripe cookies on the parliament site (even though no payment is required for a test booked through the website).
Google Analytics cookies, meanwhile, appear to have been introduced by the provider "to reduce the risk of spoofing and for website optimization purposes", according to the EDPS findings.
Following Schrems II, the presence of cookies designed to send data to US-based providers for processing poses an immediate legal risk to EU-based websites - and/or their visitors (in this case the EDPS found parliament to be the sole data controller, with Ecolog the data processor). So dropping in Google Analytics can do rather more to a website's compliance with EU data protection law than "optimize" it.
That said, enforcement of this particular compliance issue has been slow, even since the CJEU's 2020 ruling - with only a handful of regulator-led investigations, and the clearest leadership coming from the EDPS itself.
A (very) long-running complaint against Facebook's EU-US data transfers, meanwhile, filed by noyb founder Max Schrems in the wake of Snowden's 2013 revelations about the NSA's mass surveillance of social networks and internet data, has still not received a final decision from its lead data protection regulator, Ireland's Data Protection Commission (DPC) - despite the DPC agreeing years ago that it would "swiftly" conclude the complaint.
Which, again, makes the EDPS's intervention on the parliament complaint all the more notable. tl;dr: EU banhammers are slowly falling.
In a further finding against parliament, the EDPS took issue with the cookie consent banners shown to visitors of the test booking website - finding that they provided inaccurate information; did not always offer clear options for refusing third-party tracking; and incorporated deceptive design that could manipulate consent.
By contrast, EU law requires that consent, when relied on as the legal basis for processing people's data, must be informed, specific (i.e. tied to a purpose, rather than bundled) and freely given.
It also found that parliament did not respond appropriately to the complainants' requests for information - a breach of further legal requirements that give Europeans a set of access rights over their personal data.
While parliament has been hit with a reprimand by the EDPS, it has avoided a fine - as the regulator has limited powers to impose financial penalties.
But the bloc's chief data protection supervisor's findings of fault are drawing new red lines around the region's routine use of US-based tools such as Google Analytics (or, indeed, Facebook pixels) as a result of the Schrems II ruling by the Court of Justice of the European Union.
Copying code that carries standard analytics snippets may look like a quick win for a website builder - but not unless the entity responsible for protecting visitors' data carries out a proper legal risk assessment under EU law.
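One way to do that scrutiny before sign-off is to inventory every third-party host a page pulls in and every cookie the response sets, since (as the Stripe cookies above show) copied code drags its trackers along with it. The following is an added example, not code from the EDPS decision, parliament or Ecolog: it parses a constructed sample page, lists the hosts the browser would contact other than the site's own (including loader URLs built inside inline scripts, which is how the classic Google Analytics snippet works), and labels Set-Cookie headers whose names match known tracker cookies. The provider/host table, the cookie-name table, the site host `booking.example.eu` and the sample HTML and headers are all constructed for the example and deliberately short.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts known to ship visitor data to US-based providers.
# Constructed, deliberately short list for the example; extend it for a real audit.
KNOWN_THIRD_PARTIES = {
    "www.google-analytics.com": "Google Analytics",
    "www.googletagmanager.com": "Google Tag Manager",
    "js.stripe.com": "Stripe",
    "m.stripe.network": "Stripe",
}

# Cookie names (or prefixes, e.g. _ga_<container>) those providers set. Constructed list.
KNOWN_TRACKER_COOKIES = {
    "_ga": "Google Analytics",
    "_gid": "Google Analytics",
    "__stripe_mid": "Stripe",
    "__stripe_sid": "Stripe",
}

URL_RE = re.compile(r"https?://[\w.-]+")


class EmbedCollector(HTMLParser):
    """Collect every URL the browser would fetch while rendering the page,
    including hosts referenced from inline <script> bodies (the usual analytics
    snippet builds its loader URL in JavaScript rather than in a src attribute)."""

    SRC_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        want = self.SRC_ATTRS.get(tag)
        for name, value in attrs:
            if want and name == want and value:
                self.urls.append(value)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.urls.extend(URL_RE.findall(data))


def third_party_embeds(html, site_host):
    """Return [(host, provider_or_None)] for each distinct host other than site_host.
    A None provider is still a cross-site data flow the controller has to assess."""
    parser = EmbedCollector()
    parser.feed(html)
    seen, out = set(), []
    for url in parser.urls:
        if url.startswith("//"):          # scheme-relative URL, e.g. //js.stripe.com/v3/
            url = "https:" + url
        host = urlparse(url).hostname     # None for relative paths such as /static/app.js
        if host is None or host == site_host or host in seen:
            continue
        seen.add(host)
        out.append((host, KNOWN_THIRD_PARTIES.get(host)))
    return out


def classify_cookies(set_cookie_headers):
    """Map each Set-Cookie header to the provider its cookie name is known for (or None)."""
    out = []
    for header in set_cookie_headers:
        name = header.split("=", 1)[0].strip()
        provider = None
        for prefix, who in KNOWN_TRACKER_COOKIES.items():
            if name == prefix or name.startswith(prefix + "_"):
                provider = who
                break
        out.append((name, provider))
    return out


# Constructed sample page and response headers standing in for a booking site.
SAMPLE_SITE_HOST = "booking.example.eu"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="/static/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date()); gtag('config', 'G-XXXXXXX');
</script>
<script src="//js.stripe.com/v3/"></script>
</head><body>
<img src="https://cdn.example-test-centre.eu/logo.png">
</body></html>"""
SAMPLE_SET_COOKIES = [
    "_ga=GA1.2.1234567890.1600000000; Path=/; Max-Age=63072000",
    "_ga_ABC123DEF4=GS1.1.1600000000; Path=/",
    "__stripe_mid=11111111-2222-3333-4444-555555555555; Domain=.example.eu; Secure",
    "session=opaque; Path=/; HttpOnly; Secure; SameSite=Lax",
]

if __name__ == "__main__":
    for host, provider in third_party_embeds(SAMPLE_HTML, SAMPLE_SITE_HOST):
        print(f"embed   {host:35} {provider or 'UNKNOWN third party - assess'}")
    for name, provider in classify_cookies(SAMPLE_SET_COOKIES):
        print(f"cookie  {name:35} {provider or 'not a known tracker'}")
```

Run against the sample, the report lists the Google Tag Manager and Stripe loaders plus an unnamed CDN host, and flags the `_ga`, `_ga_*` and `__stripe_mid` cookies; an unknown host is reported rather than ignored, because whether it is a transfer to a third country is exactly the question the risk assessment has to answer. A static scan like this only sees what the HTML references; scripts that load further resources at runtime need a browser-driven crawl as well.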
The EDPS's reprimand of parliament therefore has wider significance, as it is likely to pre-empt a wave of similar decisions by EU regulators, given the scores of comparable complaints noyb lodged in August 2020 targeting websites across the bloc.
"We expect to have more decisions on this issue next month," noyb honorary chairman Max Schrems told TechCrunch. "The fact that the EDPS has taken a clear position is a good sign for other DPAs."
Parliament's EDPS sanction over cookie-cutter banners also sends a strong signal about what is and is not acceptable when it comes to obtaining user consent for tracking - despite dark patterns remaining embarrassingly widespread across the EU.
(For a rather ironic example of this, see this blog post by the analyst Forrester - which warns that regulators are coming for "dark patterns", even as the analyst's own web page serves what looks like a non-compliant cookie notice committing the very same sin...)
Noyb also launched a major push targeting this type of cookie non-compliance last year - suggesting it could file up to 10,000 complaints about dodgy cookie banners with EU regulators.
Clearly regional regulators have their work cut out to clean up so many breaches - which in turn could push DPAs to coordinate enforcement to the degree needed to drive change.
The EDPS decision adds to that momentum by sending a clear signal that confusing cookie banners equal non-compliant cookie banners - coming from the body responsible for providing expert guidance to EU lawmakers on how to define and enforce data protection law.
Here is an illustrative excerpt from its decision - which describes some of the confusion that greeted visitors to parliament's website as they tried to parse its cookie banners (parliament has since removed the cookies from the site):
The English version only mentioned essential cookies and prompted the user to click on the 'accept all' or 'save' button. The difference between the two buttons was not clear. The French version of the second set of cookie banners referred to both essential cookies and 'external media'. These external media cookies included cookies from Facebook, Google Maps, Instagram, OpenStreetMap, Twitter, Vimeo and Youtube. The visitor could also choose between 'accept all' or 'save'. The German version of the second set of the cookie banner mentioned only one 'external media' cookie - Google Maps - in addition to the required cookie.
The EDPS concluded that the cookie banners in all three languages did not meet EU consent requirements.
As another sign of the emerging cookie compliance (non-)reckoning in the region, some EU regulators have taken real action - such as France's CNIL, which came down hard on Google and Facebook last week, announcing fines of $170 million and $68 million respectively for choosing dark pattern designs over clear options in their cookie consent flows.
The EDPB, which supports consistent application of pan-EU rules such as the General Data Protection Regulation, set up a task force on the cookie issue last fall - saying it would "coordinate the response to complaints about cookie banners" that noyb had filed with a number of regional agencies.
Schrems describes that move as "good" - but says it also slows things down.
Although he suggested the direction of travel, towards a standard that requires a straightforward yes/no, is clear. (Which of course means a firm "no" in most cases, with so few people enjoying being stalked by ads - hence the recent warning from the UK's DPA to adtech that the end of tracking is nigh.)
"The CNIL and EDPS decisions support our view that we need to move to fair 'yes or no' choices," Schrems told us. "We expect other authorities to follow this lead."
What about his ancient complaint about Facebook's EU-US data flows? Is there any sign of Ireland "swiftly" resolving that particular complaint - which should have led to a DPA order for Facebook to suspend the data flows years ago? So far there has only been a preliminary order, in September 2020, that Facebook should stop the transfers.
"They always say that a decision is coming any day - I stopped following those rumors but there is a rumor again right now…" said Schrems of the DPC, concluding his message with an eyeroll emoji.