Cordery

Legal.Compliance.

European Data Protection Supervisor Rules against European Parliament for Data Transfers Compliance Failure

What’s this all about?

The European Data Protection Supervisor (“the EDPS”), who acts as a kind of data protection regulator for the EU institutions, recently formally reprimanded the European Parliament for a number of privacy/data protection compliance failings including with regard to international data transfers. This article is a summary of the decision (solely concerning data transfers) and its implications.

Background – international data transfers

Transferring personal data from the EEA can only be done to countries that ensure an adequate level of data protection. Either the EU formally recognizes that a country provides this protection (granting a so-called “Adequacy Decision”) or an organization transferring data puts in place certain safeguards to ensure protection.

The safeguards organizations most commonly rely on are so-called Standard Contractual/Model Clauses (SCCs). SCCs are a set of essentially unchangeable clauses that lay out certain privacy commitments which organizations must abide by in order to be able to transfer data, which the European Commission has pre-approved (see our article about the new EU SCCs here https://www.corderycompliance.com/eu-new-sccs-for-idts/ and about the proposed UK data transfer mechanism, International Data Transfer Agreements or IDTAs   here https://www.corderycompliance.com/uk-consultation-scc-idta/).

In the summer of 2020, in the so-called Schrems case, the European Court ruled that, whilst the (then existing) SCCs were valid, due diligence still needs to be undertaken, notably on the legal regime in the country to where data will be sent to, in order to ensure an essentially equivalent level of protection for personal data to be transferred, and additional technical and/or contractual protections might need to be added. The new EU SCCs have in effect incorporated this due diligence requirement.

Background – the case

Complaints were brought to the EDPS by a number of members of the European Parliament and also the not-for-profit privacy activist organization NOYB (whose slogan is “My Privacy is None of Your Business”), which then undertook an investigation.

Software known as “webbkoll” (from the Danish non-profit organization Dataskydd) had been used to scan a particular European Parliament website which identified Google analytics and Stripe cookies and trackers used by the website in question and which had transferred the personal data of Members of Parliament and staff to the US, which it was claimed contravened the Schrems ruling.

What did the EDPS find?

The EDPS decided as follows:

  • The European Parliament’s website used cookies through which personal data was transferred to the US, where both Stripe and Google LLC were located;
  • The European Parliament had provided no documentation, evidence or other information regarding the contractual, technical or organizational measures in place to ensure an essentially equivalent level of protection to the personal data transferred to the US in the context of the use of cookies on the website in question;
  • The EDPS therefore considered that the European Parliament had failed to meet the requirements of data protection rules (in this case GDPR type legislation for the EU institutions) for the period between 30 September and 4 November 2020, during which the cookies in question were present on the website in question;
  • The EDPS did not however issue a fine but instead opted for an official reprimand, which, within three months of the reprimand decision, the European Parliament must inform the EDPS of its views about.

Takeaways

This decision further shows the trend of regulators enforcing international data transfer issues, and there is also also some litigation about it (see our articles here https://www.corderycompliance.com/cnpd-enforces-schrems3/ and here https://www.corderycompliance.com/munich-privacy-shield-action/). Accordingly businesses should check that they have implemented compliant data transfer mechanisms, notably SCCs – doing nothing is not an option.

The European Data Protection Supervisor’s decision can be found here: https://noyb.eu/en/edps-sanctions-parliament-over-eu-us-data-transfers-google-and-stripe

We have written about guidance about data transfers here: https://www.corderycompliance.com/edpd-guidance-international-data-transfers/.

We report on data protection issues here: https://www.corderycompliance.com/category/data-protection-privacy/.

We report about compliance issues here: https://www.corderycompliance.com/news/.

For more information please contact André Bywater or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.

Jonathan Armstrong, Cordery, Lexis House, 30   Farringdon Street, London, EC4A 4HH André Bywater, Cordery, Lexis House, 30             Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784 Office: +44 (0)207 075 1785
Jonathan.armstrong@corderycompliance.com Andre.bywater@corderycompliance.com
 

 

Contact a Cordery Specialist +44(0)207 118 2700 | Contact Us

Cordery is a trading name of Cordery Compliance Limited. Authorised and regulated by the Solicitors Regulation Authority.
SRA number 608187. Company number 07931532 registered in England and Wales. VAT number: 730859520
Registered office: Lexis House, 30 Farringdon Street, London, EC4A 4HH, United Kingdom

Cordery Compliance Limited trading as Cordery provides some products and services which are not regulated by the Solicitors Regulation Authority; we will clearly state this to you if this is the case.

We use the word “partner” to refer to a shareowner or director of the company, or an employee or consultant who is a lawyer with equivalent standing and qualifications.

Cordery is a registered trademark of RELX (UK) Limited, used under license. The Knowledge Burst logo is a registered trademark of Reed Elsevier Properties Inc., used under license.

Copyright © 2021 Cordery. All rights reserved.