Cookies should form part of data transfers due diligence

Out-Law News | 14 Jan 2022 | 11:09 am | 2 min. read

A recent decision by an EU watchdog is a reminder to businesses of the need to consider cookies when assessing whether their international transfers of personal data comply with data protection laws, an expert has said.

Jonathan Kirsop of Pinsent Masons was commenting after the European data protection supervisor (EDPS) censured the European Parliament (19-page / 307KB PDF) over non-compliant data transfers to the US.

The EU General Data Protection Regulation, and its UK equivalent, impose strict conditions on the transfer of personal data outside of the jurisdiction – in the EU’s case, the European Economic Area (EEA). The European Commission has put in place so-called adequacy agreements to enable data to flow freely from the EEA to certain ‘third countries’, including the UK, that it deems to have data protection regimes essentially equivalent to the EU’s. In many other cases, however, businesses must carry out a transfer impact assessment and turn to legal tools such as standard contractual clauses (SCCs) as a means of applying EU data protection standards to personal data transferred outside of the EEA.

The case scrutinised by the EDPS concerned a website through which MEPs could register for Covid-19 testing. The European Parliament commissioned a third-party company, Ecolog, to set up and operate the website.

According to the EDPS, however, while health data was not processed through the website, tracking cookies belonging to US-based companies were set by Ecolog and captured ‘online identifiers’ of site visitors. The watchdog considered those identifiers to constitute personal data and that the data was transferred to the US where those users were not logged into the Parliament’s network.

The EDPS considered that the Parliament was responsible for the data at issue but had failed to ensure sufficient measures were in place “to ensure an essentially equivalent level of protection to the personal data transferred to the US in the context of the use of cookies on the website”.

The watchdog’s findings were made with reference to the due diligence obligations arising around data transfers from the EU to the US that were brought into sharp focus by the Court of Justice of the EU’s ruling in the so-called ‘Schrems II’ case in 2020. The outcome of that judgment is that businesses must conduct due diligence to understand the risks of foreign surveillance regimes and put in place any additional safeguards necessary to meet their obligations under EU data protection law if their assessment is that SCCs alone do not ensure adequate data protection for the transferred data.

In addition to finding fault in relation to the use of cookies, the EDPS also identified a series of other data protection infringements the Parliament was responsible for, including problems with the data protection notices it relied on. The Parliament was issued with a reprimand and given a month to make changes to those notices “in order to provide all relevant information relating to the processing of personal data”.

“The EDPS' decision highlights that cookies do need to be considered as part of a Schrems II compliance programme,” said Jonathan Kirsop of Pinsent Masons. “Tracking cookies are considered personal data, and if the providers of those cookies are located in the US, transfers to the US will take place. The case also highlights that transfers to the US may still be unlawful even where – as was the case here – it was acknowledged that the risks to data subjects were low given the nature of the data involved.”