Jonathan Kirsop of Pinsent Masons was commenting after the European data protection supervisor (EDPS) censured the European Parliament (19-page / 307KB PDF) over non-compliant data transfers to the US.
The EU General Data Protection Regulation, and its UK equivalent, impose strict conditions on the transfer of personal data outside of the jurisdiction – in the EU’s case, the European Economic Area (EEA). The European Commission has put in place so-called adequacy agreements that allow data to flow freely from the EEA to certain ‘third countries’, including the UK, whose data protection regimes it deems essentially equivalent to that in place in the EU. In many other cases, however, businesses must carry out a transfer impact assessment and turn to legal tools such as standard contractual clauses (SCCs) as a means of applying EU data protection standards to personal data transferred outside of the EEA.
The case scrutinised by the EDPS concerned a website through which MEPs could register for Covid-19 testing. The European Parliament commissioned a third-party company, Ecolog, to set up and operate the website.
According to the EDPS, however, while health data was not processed through the website, tracking cookies belonging to US-based companies were set by Ecolog and captured ‘online identifiers’ of site visitors. The watchdog considered those identifiers to constitute personal data and that the data was transferred to the US where those users were not logged into the Parliament’s network.
The watchdog’s findings were made with reference to the due diligence obligations arising around data transfers from the EU to the US that were brought into sharp focus by the Court of Justice of the EU’s ruling in the so-called ‘Schrems II’ case in 2020. The outcome of that judgment is that businesses must conduct due diligence to understand the risks of foreign surveillance regimes and put in place any additional safeguards necessary to meet their obligations under EU data protection law if their assessment is that SCCs alone do not ensure adequate data protection for the transferred data.
“The EDPS' decision highlights that cookies do need to be considered as part of a Schrems II compliance programme,” said Jonathan Kirsop of Pinsent Masons. “Tracking cookies are considered personal data, and if the providers of those cookies are located in the US, transfers to the US will take place. The case also highlights that transfers to the US may still be unlawful even where – as was the case here – it was acknowledged that the risks to data subjects were low given the nature of the data involved.”