Data Protection Weekly 48/2022

Dec 1, 2022

  European Union

EDPO: Google Fonts warning: Here is what Google says about it

There have been a series of warnings in connection with Google Fonts causing a stir in Europe for a while. The matter has now also reached the headquarters of the search engine giant, and Google has now commented on it.

Since last summer, a number of lawyers and their plaintiffs have repeatedly caused waves of warnings in connection with violations of the General Data Protection Regulation (GDPR). Strictly speaking, anyone who does not integrate Google Fonts locally is guilty of a GDPR infringement.

The essence of the potential violation is linked to whether or not the fonts are stored locally, if not the browser downloads them from an external server. According to a Munich court ruling at the beginning of the year, personal data is subsequently sent to Google via the associated server, namely to the USA.

[…] Google further emphasizes that it respects privacy: “The Google Fonts Web API is designed to limit the collection, storage, and use of data to what is necessary for the efficient delivery of fonts and for aggregated usage statistics. This data is kept secure and separate from other data.” Read article here and Google’s response in a blog post here.


European Council: EU decides to strengthen cybersecurity and resilience across the Union: Council adopts new legislation

The Council of the European Union announced, on 28 November 2022, that it had adopted new legislation for a high common level of cybersecurity across the Union, to further improve the resilience and incident response capacities of both the public and private sector and the EU as a whole. The new directive, called ‘NIS2’, will replace the current directive on security of network and information systems (the NIS directive). The NIS2 Directive will be published in the Official Journal of the EU in the coming days and will enter into force on the 20th day following the publication. Thereafter, the Council highlighted that Member States will have 21 months from the entry into force of the NIS2 Directive to transpose its provisions into their national law. The press release can be found here.


EDPS: Pairing up cybersecurity and data protection efforts: EDPS and ENISA sign Memorandum of Understanding (MoU)

The MoU establishes the strategic cooperation framework between the European Data Protection Supervisory (EDPS) and the EU Agency for Cyber Security (ENISA). The MoU is aimed at addressing issues of common concern such as cybersecurity as a way of protecting individuals’ personal data. The MoU can be found here.


National Authorities

Germany: AG DSK “Microsoft Online Services Summary of the evaluation of the current agreement on commissioned processing

According to the German Data Protection Conference (DSK), Microsoft 365 remains in breach of data protection rules and is therefore not suitable for legally compliant use in for example schools or public authorities. Although there has been slight progress on the matter, this is by no means sufficient to meet the legal requirements for privacy and security. In addition, Microsoft explained in more detail how it evaluates data itself and for what purposes this is done. For example, Microsoft generates non-personal statistics from pseudonymised data and uses them for its own purposes. However, it is still not possible to assess externally what information Microsoft is extracting, which raises the question whether everything is above board.

The new assessment of Microsoft 365 was preceded by the revised version of the Microsoft Products and Services Data Protection Addendum. Read article (in German) here.


Germany: DSK adopts recommendations on research with health data

The Conference of the Independent Data Protection Authorities of the Federation and the of the federal states (DSK) provides guidance for the scientific processing of health data at its 104th conference. The chairman of the DSK, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) Professor Ulrich Kelber, said: “Scientific research brings necessary and decisive benefits to our society. It is important to enable research while at the same time safeguarding the fundamental rights of citizens”. Document (in German) can be found here.


Germany: Data protection in the USA – current situation

The Hamburg DPA published a press release regarding the impact of the new US Executive Order(“EO”), which aims to address the problems surrounding EU-US data transfers as brought forward in the Schrems-II decision of the ECJ. The DPA is of the view that the Executive Order requires a sound, open-ended audit, and monitoring. When assessing adequacy of the EO, the European Commission will face the challenge of assessing an abstract legal text that is not yet put into practice. Crucial points such as the interpretation of proportionality by the US secret services or the functioning of the data protection court will depend on the actual application. Against this background, the Hamburg DPA states that it is advisable to keep an eye on future developments ‘on the ground’. It goes further stating that this requires transparency, which must be demanded from the European side. And that necessary conditions and reservations may be included in an eventual adequacy decision by the European Commission. Read the press release (in German) here.


France: The Data Protection Officer (DPO): a rapidly changing profession

CEDPO’s French member AFCDP participated in the annual study on the profession of the data protection officer (DPO) entrusted to the AFPA (French national agency for adult professional training) by the Ministère du Travail. The survey and study on the on-going needs and training requirements of the DPO have now been made public:
Key takeaways include:

  • The number of DPOs increased from 21,000 in 2018 to 28,810 in 2021.
  • Diversification of profiles47% come from areas of expertise other than legal and IT (+12 points since 2019).
  • 75% of DPOs express a need for training and 31% of DPOs say they want to follow a more complete training. It should be noted that 23% of DPOs surveyed declared that they are certified on the basis of the CNIL DPO Competencies standard.
  • On training topics, 52% want training orientation on IT content, 52% on legal content, 41% on communication and project management content, and 56% on content specific to the DPO profession (impact assessments, annual review, etc.)
  • Training frequency is down: 33% to have not followed any IT or GDPR related training since 2016 (+7% points) while they increasingly come from environments outside IT and legal.
  • 42% of DPOs exercise their function in isolation (+14 points).

Here is the full survey report and results (in French) and a summary a here.


Belgium: Annual report: 2021, the year of the caseload explosion

The Belgian DPA released its annual report for 2021. It was a record year in terms of workload for the DPA. The number of incoming files rose spectacularly, with 279 requests for advice (+87.25% compared to 2020) and 1928 complaints (+181.46%), the highest number received since the creation of the DPA. As in 2020, 2021 was also dominated by the Covid-19 crisis, including the first DPA sanctions for pandemic-related files. Please see DPA press release (French version) with links to detailed 2021 figures and the online report.


 Belgium: Belgian DPA defines its priorities for 2023

The Belgian DPA issued, on 15 November 2022, a press release to the Belgian Chamber of Representatives communicating its major priorities for the coming year 2023. In particular, the Belgian DPA stated that the following areas will be the main priorities for 2023:

  • Cookies: In the absence of a harmonized point of view and policy position at the European level, the DPA will strive to explain and explain its own position on cookies;
  • DPOs: The DPA will reinforce its support to the DPO function within organisations particularly with regard to right to exercise complaints, as well as through controls on the proper functioning of the DPO via its investigations.
  • Smart Cities: the DPA would also like to develop initiatives in the area of smart cities such as in intelligent transport and will seek to dialogue with stakeholders working in related field.

The press release (French version) can be found here.


Ireland: Something ‘Christmassy’: The Irish DPC releases Guidance on connected toys and devices

The Irish Data Protection Commission (DPC) put together an advice note so that people know what to look out for this Christmas when shopping connected toys and devices. Read the Guidance here.


UK: ICO and Ofcom strengthen partnership on online safety and data protection

The ICO and Ofcom – the UK’s communications regulator – release joint statement on aligned approach to data protection and online safety. The press release and statement can be read here.


UK: Meta faces lawsuit to stop ‘surveillance advertising’

A lawsuit filed in the High Court of England and Wales has demanded that Meta’s Facebook social media platform stops harvesting personal data for the purposes of advertising and marketing. Read article here.


Finland: TIEKE announces a new GDPR4CHLDRN in a new project to promote data protection for children and young people

The Office of the Data Protection Ombudsman in Finland and TIEKE the Finnish Information Society Development Centre recently announced a new GDPR4CHLDRN two-year project to facilitate the protection of children’s data. During the term of the project, tools and information will be prepared to support the application of data protection legislation for children’s activities clubs. The purpose is to assist associations and organisation working with young children by creating clear practical instructions on protecting their data. The goal is also to increase and convey a better understanding of data protection and its importance to children and adolescents, and to parents. The online press release (in Finnish) can be found here.



Ireland: Data Protection Commission announces decision in Facebook “Data Scraping” Inquiry

The Data Protection Commission (DPC) has this week announced the conclusion to an inquiry into Meta Platforms Ireland Limited (MPIL), data controller of the “Facebook” social media network, imposing a fine of €265 million and a range of corrective measures. Read full article here.

Ireland: Data Protection Commission fines confirmed

The Irish Data Protection Commission (DPC) yesterday had decisions to impose administrative fines on six different organisations confirmed in the Dublin Circuit Court, ranging between €1,500 and €17 million. The press release is here.

France: CNIL imposes EUR 600,000 penalty against EDF

On November 24, 2022, the CNIL sanctioned EDF, the French energy company, with a fine of 600,000 euros, in particular for not having respected its obligations in terms of commercial prospecting and the rights of individuals. The CNIL had received several complaints concerning difficulties encountered by people having their rights respected and taken into account by EDF. Based on the findings made during the inspections, the CNIL considered that the company had breached several obligations provided for under the GDPR and the French code of post and electronic communications (CPCE). The press release can be found here.

Italy: Garante’s monthly newsletter has been published

The Italian DPA – the Garante  – announced this week via its monthly newsletter, the publication of its Decision n°348 issued on 20 October 2022, in which it imposed a fine of €1.4 million and various corrective compliance orders to Douglas Italia S.p.A., (the Italian perfume and cosmetics chain) for multiple violations of the GDPR. The findings were established by the DPA following a series of investigation that were initiated following an individual complaint. Furthermore, the inspections were conducted in collaboration with the Special Unit for the Protection of Privacy & Technological Frauds of the Guardia di Finanza. The company which was established in 2019 having incorporated three companies in the sector, will also have to adopt a series of measures to comply with Italian and European legislation with particular regard to customer data retention times and processing carried out for marketing and profiling purposes.

  • The Garante published its decision (N°379 issued on 10 November 2022)   to impose a fine on Vodaphone €500,000 for unlawful use of personal data in promotional campaigns
  • The Garante published its decision (N°303 issued on 15 September 2022) to impose a fine on the Valle d’Aosta local heath authority €40,000 for violating access rights

More information on these announcements and links to the decisions (in Italian) can be found here.