The European Parliament was given a one-month ultimatum to fix a privacy flaw that allowed lawmakers’ COVID-19 test data to be illegally sent to the U.S. via tracking cookies owned by Google and digital payments company Stripe Inc.
The assembly hired a company in 2020 to provide mass testing via a dedicated website for members and officials, but failed to comply with strict curbs on transatlantic data flows, the privacy watchdog in charge of E.U. institutions found.
From Sept. 30 to Nov. 20 of that year “during which the trackers remained on the website, personal data processed through them were transferred to the U.S., where both Stripe and Google LLC are located,” the European Data Protection Supervisor said in a Jan. 5 decision, which was posted online by privacy group Noyb on Tuesday.
The bloc’s top court in 2020 struck down an E.U.-approved tool for companies such as Meta Platforms Inc.’s Facebook and thousands of others to transfer data across the Atlantic, amid fears of potential U.S. surveillance. Privacy campaigner Max Schrems, who set up Noyb, was at the origin of the E.U. case, arguing that E.U. citizens’ data is at risk the moment it gets sent to the U.S.
The EDPS said in a statement that it trusts that the Parliament “will implement the necessary measure.”
More Must-Reads From TIME
- The 100 Most Influential People of 2024
- Coco Gauff Is Playing for Herself Now
- Scenes From Pro-Palestinian Encampments Across U.S. Universities
- 6 Compliments That Land Every Time
- If You're Dating Right Now , You're Brave: Column
- The AI That Could Heal a Divided Internet
- Fallout Is a Brilliant Model for the Future of Video Game Adaptations
- Want Weekly Recs on What to Watch, Read, and More? Sign Up for Worth Your Time
Contact us at letters@time.com