BRUSSELS – A privacy activist filed a complaint with an EU watchdog on Friday over the European Parliament’s COVID-19 testing app for its staff, saying it could be transferring data illegally to the United States.
READ MORE: Twitter slapped with fine for breaking EU's data privacy law
The Austrian privacy advocacy group Noybaid, led by Max Schrems, said it had taken its case to the European Data Protection Supervisor (EDPS) on behalf of six European Union lawmakers.
The complaint said that EU lawmakers, on accessing the virus test site, discovered that it had sent over 150 third-party requests, including requests to US-based companies Google and Stripe, in breach of an EU court judgment in July last year
Schrems, an Austrian and prominent figure in Europe’s digital rights movement against intrusive data-gathering by Silicon Valley tech giants, pursued two cases against Facebook, winning landmark judgments that forced the social network to change how it handles user data in Europe.
The complaint said that EU lawmakers, on accessing the virus test site, discovered that it had sent over 150 third-party requests, including requests to US-based companies Google and Stripe, in breach of an EU court judgment in July last year.
A number of these third-party requests were for user data in targeted advertising and to enable software to function smoothly.
“The main issues raised are the deceptive cookies banners of an internal corona testing website, the vague and unclear data protection notice, and the illegal transfer of data to the US,” Noybaid said in a statement.
Cookies are used by companies to track online browsing behavior, key to online advertising.
ALSO READ: EU privacy law heralds new era in online data protection
Schrems said the EU parliament should have known better.
“Public authorities, and in particular the EU institutions, have to lead by example to comply with the law. This is also true when it comes to transfers of data outside of the EU. By using US providers, the European Parliament enabled US authorities to access data of its staff and its members.”
EDPS confirmed receipt of the complaint. The European Parliament did not immediately respond to a request for comment.
