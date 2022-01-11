The European Parliament was given a one-month ultimatum to fix a privacy flaw that allowed lawmakers’ Covid-19 test data to be illegally sent to the US via tracking cookies owned by Google and digital payments company Stripe.

The assembly hired a company in 2020 to conduct mass Covid-19 PCR testing within the Parliament’s premises.

In order to respect the epidemiological precautions, testing is conducted following online registration via a dedicated website for members and officials.

However, it failed to comply with strict curbs on transatlantic data flows, the privacy watchdog in charge of EU institutions found.

Personal data transferred to US

From September 30 to November 20 of that year “during which the trackers remained on the website, personal data processed through them were transferred to the US, where both Stripe and Google LLC are located,” the European Data Protection Supervisor (EDPS) said in a January 5 decision, which was posted online by privacy group Noyb on Tuesday.

The bloc’s top court in 2020 struck down an EU-approved tool for companies such as Meta Platforms Inc’s Facebook and thousands of others to transfer data across the Atlantic, amid fears of potential US surveillance.

Privacy campaigner Max Schrems, who set up Noyb, was at the origin of the EU case, arguing that EU citizens’ data is at risk the moment it gets sent to the US.

The EDPS said in a statement that it trusts that the Parliament “will implement the necessary measure”.

Bloomberg