The European Parliament is being investigated by the European Data Protection Supervisor after allegations that its COVID testing website didn’t meet EU privacy standards.
The website was set up to help MEPs schedule COVID tests, and while it didn’t handle any health information itself, sending data to the US for processing would still be illegal. According to the complaint, the testing website made over 150 requests to third parties, including Google and Stripe. Under EU law, data can only be transferred to the US if “an adequate level of protection for the personal data [can] be ensured,” and noyb argues that the companies “clearly fall under relevant US surveillance laws that allow [targeting of] EU citizens.”
The complaint also alleges that the cookie banners on the site didn’t disclose all of the cookies that would be stored on the user’s computer, and that the banners prodded users toward the “Accept All” button. Since cookies are used to track users across websites, and some of the ones found were from the aforementioned US companies, it’s understandable that EU regulators might be caught off guard.