The European Parliament has been reprimanded by the European Union's chief data protection supervisor for a number of breaches of the bloc's data protection rules.
The decision sounds a warning to sites and services in the region about the need for due diligence of personal data flows and transfers, including proper scrutiny of any third party providers, plug-ins or other bits of embedded code, to avoid the risk of costly legal sanction. The parliament avoided a financial penalty.
The European Data Protection Supervisor (EDPS) intervened in a case concerning the European Parliament's use of a third-party provider for a COVID-19 test booking website.
The website attracted a number of complaints, filed last year by six MEPs, over the presence of third-party trackers and confusing cookie consent banners, among a raft of other compliance problems.
The parliament has been reprimanded by the EDPS and ordered to fix any outstanding issues within a month.
The parliament failed to demonstrate that any personal data transfers to the US would be adequately protected, despite the fact that the test booking website was dropping cookies associated with two US-based providers, Google Analytics and Stripe.
The EU-US Privacy Shield was struck down in July 2020 by the CJEU, which also made clear that transfers of EU people's personal data to any third country must be risk assessed on a case-by-case basis.
The ruling made it clear that EU regulators have to suspend data flows if they think people's information is at risk. The European Data Protection Board has issued detailed guidance on how to raise the level of protection for EU-US data flows in order for them to be legal.
In the case of the parliament's COVID-19 test booking site, the EDPS found no evidence that the provider had applied any extra measures to protect EU-US transfers from the inclusion of Google Analytics and Stripe cookies.
The provider had copied code from another website it had built for a test centre at Brussels International Airport, which is why cookies for the payment company Stripe ended up on the parliament site.
According to the EDPS's findings, the provider said it included the cookies to make them less likely to be spoofed.
Post-Schrems II, the presence of cookies designed to send data to US-based providers for processing creates immediate legal risk for EU-based websites and their clients. Incorporating a tool like Google Analytics may be the opposite of optimizing your site's compliance with EU data protection law.
Since the 2020 CJEU ruling, enforcement of this particular compliance issue has been a slow burn.
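The due-diligence step the article describes, checking which third-party code a page actually pulls in before it goes live, can be partly automated. The following is an added example, not code from the article, the parliament or its provider: a small Python audit that parses an HTML document, lists every host other than the site's own that the browser would fetch from, and annotates the hosts it recognises. The sample page and the provider table are constructed for illustration; `KNOWN_PROVIDERS` is a hypothetical inventory you would maintain yourself, not an authoritative tracker database.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed, illustrative inventory of hosts and what their presence implies
# for data flows. Not authoritative; extend it with the providers you actually use.
KNOWN_PROVIDERS = {
    "www.google-analytics.com": "analytics (US-based processor)",
    "www.googletagmanager.com": "tag manager (US-based processor)",
    "js.stripe.com": "payments (US-based processor)",
    "connect.facebook.net": "social plug-in (US-based processor)",
}

# Tag/attribute pairs that make the browser fetch a resource, possibly cross-origin.
REMOTE_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}


class EmbedCollector(HTMLParser):
    """Collects every (tag, url) pair that references a remote resource."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = REMOTE_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.refs.append((tag, value))


def third_party_hosts(html, first_party_hosts):
    """Return the set of hosts, outside the first-party set, the page loads from.

    Relative URLs have no hostname and are first-party by definition, so they
    are skipped.
    """
    collector = EmbedCollector()
    collector.feed(html)
    hosts = set()
    for _tag, url in collector.refs:
        host = urlsplit(url).hostname
        if host and host not in first_party_hosts:
            hosts.add(host)
    return hosts


def audit(html, first_party_hosts):
    """Map each third-party host to what the inventory knows about it.

    Unknown hosts are flagged so a reviewer looks at them before deployment,
    which is exactly the check that copied code tends to skip.
    """
    return {
        host: KNOWN_PROVIDERS.get(host, "unknown: review before deploying")
        for host in sorted(third_party_hosts(html, first_party_hosts))
    }


# Constructed sample page: a booking form that, like the case described above,
# carries an analytics tag and a payment-provider script copied from another site,
# plus a vendor widget that is not in the inventory at all.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="/static/booking.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="https://js.stripe.com/v3/"></script>
<script src="https://cdn.somevendor.example/widget.js"></script>
</head><body>
<form action="/book">...</form>
<img src="https://cdn.example.eu/logo.png">
</body></html>
"""

# Hypothetical first-party hosts for the sample site.
FIRST_PARTY = {"booking.example.eu", "cdn.example.eu"}

if __name__ == "__main__":
    for host, note in audit(SAMPLE_PAGE, FIRST_PARTY).items():
        print(f"{host}: {note}")
```

Running the audit on the sample page lists the analytics and payment hosts with their annotations and flags the unknown vendor host for review, while the first-party CDN and the relative `/static/` paths are left out. A static scan of this kind only sees what is in the markup; scripts that load further scripts at runtime need a browser-level check (for example the network log of a headless browser) to be caught.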
A long running complaint against Facebook's EU-US data transfers, brought by noyb founder Max Schrems in the wake of the 2013 revelations about the National Security Agency's mass snooping of social network and Internet data, still hasn't resulted in a final decision.
That makes the intervention on the parliament complaint all the more significant.
The EDPS found that the confusing cookie consent notices shown to visitors of the test booking website did not always offer a clear choice to reject third-party tracking, and included deceptive design that could manipulate consent.
EU law on consent as a legal basis to process people's data requires that choice must be informed, specific and freely given.
The parliament was also found to have failed to respond adequately to requests for information, violating the law that gives Europeans access to their personal data.
The parliament avoided a fine: the regulator said the infringements at issue were not ones for which it has the power to issue financial penalties.
The findings of fault by the bloc's chief data protection supervisor draw fresh red lines around routine regional use of US-based tools like Facebook Pages, in the wake of the Court of Justice of the European Union's decision on data protection.
To a website builder, copying code that carries standard third-party calls might seem like a quick win, but only if the entity responsible for protecting visitors' information fails to properly assess the EU legal risk.
The reprimand for the parliament by the EDPS is significant as it looks like it will be the start of a wave of aligned decisions by EU regulators.
Max Schrems, noyb's chairman, said they expect more rulings in the next month. The fact that the EDPS has a clear position is a good sign.
The sanction of the parliament over confusing cookie banners sends a strong signal about what is and is not acceptable when it comes to obtaining users' consent to tracking.
Forrester warns that regulators are coming for dark patterns, even as its own website serves a cookie notice that looks like a non-compliant one.
Noyb kicked off a major effort targeting this type of cookie non-compliance last year, which it suggested could lead to it filing up to 10,000 complaints about dubious cookie banners with EU regulators.
Regional regulators are going to have a hard time cleaning up all of the wrongdoing, which may encourage them to coordinate on standardizing enforcement to drive the necessary scale of change.
The EDPS decision adds high-level credibility by sending a clear signal that confusing cookie banners are non-compliant cookie banners, coming from the body that provides EU lawmakers with expert guidance on how to interpret and apply data protection law.
At the time of the complaints, visitors to the parliament website met a good deal of confusion when they tried to read the cookie notices.
The English version only referred to essential cookies, so the user had to either accept them or save; there was no clear difference between the two buttons. The second layer of the cookie banner in the French version referred to essential cookies and to external media cookies, the latter including cookies from Facebook, and again the visitor could only accept all or save. The German version of the second layer referred to only one external media cookie in addition to the essential cookies.
The EDPS concluded that the cookie banners in all three languages failed to meet the EU standard for consent.
EU regulators have been taking action against such non-compliance, for example France's CNIL, which fined Facebook and Google $170 million last week.
A task force was established by the EDPB last fall to coordinate the response to complaints about cookie banners.
Schrems said that step is a good one, but it is also slowing things down.
He suggested that the direction of travel should require a simple yes/no for tracking. It will mean a firm "no" in most cases, given how few people like being followed by ads.
We need to move to fair options, according to the decisions of the CNIL and the EDPS. Other authorities are expected to follow this lead.
What about his data flows complaint? Is there any sign that Ireland will act quickly to resolve the complaint, which should have led to a suspension of Facebook data flows years ago? In September 2020 a preliminary order was made that Facebook suspend transfers.
They always say that each decision is coming any day. I stopped following rumors, but there is a rumor about this again right now.