Skip to main content

An EU parliament website for COVID testing allegedly broke the EU’s privacy laws

An EU parliament website for COVID testing allegedly broke the EU’s privacy laws


A privacy watchdog has filed a complaint, and it’s not the first

Share this story

Illustration by Alex Castro / The Verge

The European Parliament is being investigated by the European Data Protection Supervisor after allegations that its COVID testing website didn’t meet EU privacy standards. Six members of the European Parliament (MEPs) have worked with data watchdog group noyb to bring the complaint, saying that the site illegally sent data to the US and that its cookie banners were deceptive.

The website was set up to help MEPs schedule COVID tests, and while it didn’t handle any health information itself, sending data to the US for processing would still be illegal. According to the complaint, the testing website made over 150 requests to third parties, including Google and Stripe. Under EU law, data can only be transferred to the US if “an adequate level of protection for the personal data [can] be ensured,” and noyb argues that the companies “clearly fall under relevant US surveillance laws that allow [targeting of] EU citizens.”

The complaint also alleges that the cookie banners on the site didn’t disclose all of the cookies that would be stored on the user’s computer, and that the banners prodded users toward the “Accept All” button. Since cookies are used to track users across websites, and some of the ones found were from the aforementioned US companies, it’s understandable that EU regulators might be caught off guard.

According to Reuters, the European Data Protection Supervisor started investigating the site back in October, following other complaints from MEPs. A spokesperson said that the information from noyb was “of direct relevance to this complaint [and would] be examined thoroughly.”

EU privacy laws can sometimes be hard for web developers to grasp, but most web developers aren’t under direction of the lawmakers themselves. Creation of the site was contracted out to a third-party company, but you’d hope that there was a specification for “follows all EU privacy laws” included in the brief.

Speaking to Reuters, noyb’s chairman Max Schrems said EU institutions like the parliament “have to lead by example,” and it seems that, in this instance, they haven’t lived up to that responsibility.