Data Protection Weekly 26/2022

Jul 1, 2022

European Union

EPRS publishes a report on opportunities, risks and policy implications of the Metaverse

The EPRS published on 24 June 2022, a report dedicated to the opportunities, risks and policy implications of the Metaverse.

According to the EPRS, the exact scope and impact of this immersive and constant virtual 3D world on society and the economy remains unknown, the metaverse will open up opportunities but also risks in a variety of policy areas.

Some of these risks concern potential misleading advertising practices, personal data protection and cybersecurity issues (how to collect the user consent and protect its avatar against identity thief).

 Regarding Personal data protection :

The metaverse implies the collection of massive amounts of data, including sensitive personal data under the GDPR ( biometric data, data on the emotional and physiological responses of users) and thus require explicit consent for each purpose for which data is used.

Some other issues identified by the EDPRS are :

  • Defining the distinction between data controller and data processor in the metaverse might become a big challenge as the entities present in a particular universe will be highly intermingled ;
  • Protecting the confidentiality of personal correspondence in the metaverse and the redefinition of private virtual space to protect it from commercial and state interests.
  • The storage, handling and safeguarding of data used in the metaverse ;
  • The responsibility for data theft or misuse.
  • The data sharing and data portability.
  • The issue of direct marketing ( as users will be offered product selection based on their behaviours and reactions).
  • The potential intrusive profiling ( access to sensitive data could lead to intrusive ways of profiling)
  • The metaverse workplace could enable employers to perform intrusive surveillance of their employees.


The EPRS also highlights that according to the European Parliament,  the current privacy and data protection framework was not designed to address some of the challenges now presented by the metaverse and as such,  the GDPR should be revised.

You can read the full report, here.


 EDPB opens consultation on guidance for certifications as tools of transfers

The EDPB published on 30 June 2022, draft guidance on the use of certifications as tools for transfers.

A public consultation is open until Sept. 30.

You can read the draft guidance, here.


EDPS raises concern regarding the Amended Europol regulation

Following the publication of the amended Europol Regulation in the Official Journal of the EU, the EDPS expressed its concerns that the amendments weaken the fundamental right to data protection and do not ensure an appropriate oversight of the Europol.

According to the EDPS, The amended regulation  allows Europol, in certain cases, to process large datasets, “leading to a substantial increase in the volume of individuals’ personal data processed and stored by the Agency. Consequently, data relating to individuals that have no established link to a criminal activity will be treated in the same way as the personal data of individuals with a link to a criminal activity ».

The EDPS considers that the expansion of Europol’s mandate should have been compensated with strong data protection safeguards.

You can read the press release, here.



National Authorities

Ireland: The DPC issues guidance on use of drones

The DPC published on 28 June 2022, guidance on the use of drones.

These guidelines have been developed for drone operators for purposes other than public law-related purposes and also to answer queries from the perspective of data subjects.

You can read the guidance, here.


Germany: The Federal Office for Information Security issues guidance for securing mobile health care applications

You can read the guidance, only available in German, here.

 Spain: The AEPD issues guidelines directed at health care professionals

The guidelines adress the legal bases for processing, access to patient histories, data minimization and access limitation practices.

You can read the guidelines, only available in Spanish, here.


Germany: The DSK publishes an FAQ dedicated to Facebook pages

At its second interim conference in 2022, the conference of the independent data protection
supervisory authorities of the federal and state governments (DSK) adopted a FAQ on Facebook fan pages.

The FAQ adresses the following :

  • What exactly is a facebook page ?
  • Why is the operation of facebook fan pages subject to data protection law problematic ?
  • How about a data protection compliant use of facebook fan pages required ? What can those responsible do ?
  • Do Facebook fan pages have to be desactivated immediately ?
  • Do other social media services ( Instagram, Twitter, TikTok,) have the same issues ?

You can read the FAQ, only available in German, here.


France: Council of State upholds Amazon’s 35M euro cookie fine

In a decision published on 27 June 2022, the French Council of State confirmed the competence of the CNIL to impose sanctions on cookies outside the one-stop shop mechanism provided for by the GDPR.

For the French Council of State, the CNIL was competent to sanction breaches of Article 82 of the Data Protection Act, even in cases where the data controller is not established in France, but has an establishment on French territory involved in activities related to the processing carried out, in this case the promotion and marketing of advertising tools by the company Amazon Online France.

You can read the decision, only available in French, here.



France: CNIL fines Total Energie €1 million for breaches of the GDPR in relation to commercial prospecting and the exercise of data subjects’ rights 

The CNIL has issued on 30 June 2022, an administrative fine of 1 million euros on TOTALENERGIES ÉLECTRICITÉ ET GAZ FRANCE, notably for failing to comply with its obligations regarding commercial prospecting and personal rights.

The CNIL has received several complaints concerning the difficulties encountered by individuals in having their requests for access to their data and opposition to receiving calls for the purposes of direct marketing taken into account by the company.

Sanctioned breaches :

  • Failure to allow individuals to object to commercial prospecting
  • Failure to provide information and respect the exercise of rights
    • failure to comply with the obligation to inform individuals solicited (article 14 of the GDPR).
    • A failure to respect the right of access to data (article 15 GDPR) and the right to object of data subjects (article 21 GDPR).
    • A failure to comply with the obligations relating to the modalities for exercising rights (Article 12 of the GDPR).


You can read the decision, only available in French, here.