A privacy activist filed a complaint with an EU watchdog on Friday over the European Parliament‘s COVID-19 testing app for its staff, saying it could be transferring data illegally to the United States.
The Austrian privacy advocacy group Noybaid, led by Max Schrems it had taken its case to the European Data Protection Supervisor (EDPS) on behalf of six European Union lawmakers. Schrems, an Austrian and prominent figure in Europe’s digital rights movement against intrusive data-gathering by Silicon Valley tech giants, pursued two cases against Facebook , winning landmark judgments that forced the social network to change how it handles user data in Europe.
The complaint said that EU lawmakers, on accessing the virus test site, discovered that it had sent over 150 third-party requests, including requests to U.S.-based companies Google and Stripe, in breach of an EU court judgment in July last year. A number of these third-party requests were for user data in targeted advertising and to enable software to function smoothly.
“The main issues raised are the deceptive cookies banners of an internal corona testing website, the vague and unclear data protection notice, and the illegal transfer of data to the U.S.,” Noybaid said in a statement. Cookies are used by companies to track online browsing behaviour, key to online advertising.
Schrems said the EU parliament should have known better. “Public authorities, and in particular the EU institutions, have to lead by example to comply with the law. This is also true when it comes to transfers of data outside of the EU. By using U.S. providers, the European Parliament enabled U.S. authorities to access data of its staff and its members.”