Data Protection Weekly 51/2022

Dec 22, 2022

European Union

European Commission: Digital rights and principles

The European Commission, European Parliament, and the European Council signed the European Declaration on Digital Rights and Principles, as proposed by the Commission in January 2022 and in support of the 2030 Digital Compass objectives. The declaration which comprises six chapters presents the “EU’s commitment to a secure, safe, and sustainable digital transformation” putting fundamental rights at the centre, with the aim of guiding policy makers and companies in dealing with new technologies. The declaration is designed to steer the EU’s approach to digital transformation globally. The European Institutions also emphasized via the declaration, the fostering of digital connectivity for citizens with a particular mention on “control about how personal data is used and with whom it is shared.” The press release can be read here.

European Ombudsman: Decision on whether the European Commission collects sufficient information to monitor Ireland’s implementation of the EU’s General Data Protection Regulation (GDPR) (Case 97/2022/PB)

The European Ombudsman opened an inquiry to examine whether the European Commission collects sufficient information to monitor Ireland’s implementation of the GDPR. The European Ombudsman has found that the Irish Data Protection Commission’s bi-monthly detailed updates to the European Commission are “an encouraging example of a specific targeted monitoring measure that – in the circumstances of this case – is appropriate and in line with good administration.” The Ombudsman considered, however, that a number of technical improvements could be made, and made suggestions to that effect. The full report can be read here.

European Data Protection Supervisor – EDPS: Secure instant payments for individuals in the EU

In its Opinion published on 19 December 2022, the EDPS welcomes the proposed Regulation aiming to increase the use of instant credit transfers, in an efficient and accurate way. In particular, the EDPS welcomes the proposed measures aiming to resolve issues linked to instant credit transfers, under the current Regulations. Namely, tackling the high rate of rejected instant payments due to the misidentification of individuals. Wojciech Wiewiórowski, EDPS, said: 

Individuals make payments multiple times a day; they need to be able to trust confidently that their payment data, and other related personal data, are protected securely when carrying out transactions, such as credit transfers. In light of this, I welcome the proposed Regulation as a legislative instrument that aims to protect individuals in the EU, their personal data and financial interests.”

The press release and opinion can be read here.

National Authorities

Germany: Citizens are allowed to photograph parking violators for the purposes of reporting them to the police

Citizens who send photos of parking violators to the police as part of a report does not (under normal circumstances) constitute a violation of data protection laws. This is the result of two landmark decisions of the Ansbach Administrative Court. The court ruled in favour of two men who had sued against warnings issued by the Bavarian State Office for Data Protection Supervision (BayLDA). The BayLDA had reprimanded their reports of parking violations on footpaths and cycle paths, which were supported by photographs.

The court had to decide whether the transmission of the image files constituted lawful data processing within the meaning of Article 6 (1) sentence 1 (f) of the GDPR. According to the GDPR, there must be a legitimate interest in sending the image files. On the other hand, the transfer and processing of data must be necessary. Accordingly, the parties to the case argued about whether the complainants had to be personally affected by the parking violations and whether it was sufficient to describe the facts in writing or by telephone, stating the licence plate number.

The judgements are of fundamental importance from a legal point of view but are not yet legally binding. Read article (in German) here.

Germany: The state data protection authority of Baden Württemberg (LfDI) has opened fine proceedings against PimEyes

Following on from media reports as early as 2021 which highlighted that the company PimEyes engages in “mass scanning of online facial images for individual characteristics” and stores biometric data (i.e. personal characteristics such as the shape of the face, eye colour or facial dimensions), which can be used to identify individuals with accuracy; the State Commissioner for Data Protection and Freedom of Information in the state of Baden Württemberg, opened proceedings against the company asking it to comment on the data processed.

In its response dated 1 November 2022, PimEyes stated that it only processes publicly available images and that it cannot assign them to identifiable persons. The company stated argued that the data stored by PimEyes is therefore not related or to specific and identifiable persons at all, so there is no processing of personal data.

For the State Commissioner for Data Protection and Freedom of Information, Dr. Stefan Brink, the statement by the PimEyes company is by no means sufficient or satisfactory, leaving many question unanswered. Due to the apparent lack of data protection measures and, in the view of the LfDI, considerable deficiencies in the area of technical-organisational measures on the part of PimEyes, the State Commissioner is therefore now opening enforcement proceedings against PimEyes. Read press release (in German) here.

Germany: Joint press release: Police searches after wave of cease-and-desist letters due to “Google Fonts” use

In proceedings against two defendants – a 53-year-old lawyer with his office in Berlin and his 41-year-old client, the alleged representative of an “IG Datenschutz” – search warrants were executed this week by the German police on behalf of the Berlin public prosecutor’s office in Berlin, Hanover, Ratzeburg and Baden-Baden on suspicion of (partial) attempted warning fraud and attempted extortion in at least 2,418 cases. Two arrest warrants “In Rem” with a total sum of 346,000 euros were also issued.

The defendants are accused of having issued warning letters to private individuals and small traders throughout Germany who had used so-called “Google Fonts” – an interactive directory with over 1,400 fonts that determine the typeface of a website – on homepages. At the same time, they offered the recipients to avoid civil proceedings by paying a settlement sum of 170 euros each.

“For context, Google Fonts is a tool that is provided royalty-free by Google for website operators. Internet sites that use this usually automatically transmit the Internet Protocol (IP) address to Google in the USA without the knowledge and consent of visitors to the website. Against this background, the Regional Court of Munich decided in its judgment of 20 January 2022 (case no. 3 O 17493/20) that the automatic disclosure of the IP address (as personal data) by the operator of a website constitutes an interference under data protection law to which the visitor to the page has not consented. This procedure should therefore actually constitute a violation of the General Data Protection Regulation and thus also a corresponding injunctive relief claim if an inexperienced user visits such a website”.

By means of specially programmed software, the defendants are said to have first identified websites that use Google Fonts. In a second step, and using software developed for this purpose, they allegedly made automated website visits. The website visits then logged are said to have been the basis for the allegation of violations of data protection law and the assertion of claims for damages for pain and suffering, which the defendants allegedly claimed via letters could be averted by accepting the “settlement offer”. Read press release (in German) from the Berlin Chief Public Prosecutor’s Office here.

Slovenia: National Assembly adopts the Personal Data Protection Act

The National Assembly of the Republic of Slovenia announced, on 15 December 2022, that it had adopted the Personal Data Protection Act (ZVOP-2), which transposes General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) into Slovenian legislation. In particular, the National Assembly stated that the Act provides for greater legality of personal data processing, and that its adoption satisfies the requirements regarding the implementation of the GDPR. The Act also respects Article 38 of the Constitution of the Republic of Slovenia regarding the human right to the protection of personal data, and regulates the processing of confidentiality of personal data, video surveillance in public areas, and processing of special categories of data, among other things. The government’s press release (in Slovenian) can be found here.

UK: Joint statement on the data bridge between the UK and the Dubai International Financial Centre

The UK Department for Digital, Culture, Media & Sport (DCMS) and Dubai International Financial Centre (DIFC) recently issued a joint statement on deepening the data partnership between the UK Government and the DIFC Authority. In particular, the joint statement outlines that the UK and the DIFC have made significant progress, including obtaining feedback from the United Arab Emirates Government, towards building a “robust data bridge” – “a framework which will facilitate the free and secure flow of personal data following an assessment of the laws and practices that protect data to high standards”. The joint-statement can be read here.

UK: Michelle Donelan writes to parents, setting out how the Online Safety Bill will keep children safe

The UK Department of Digital, Culture, Media & Sport (DCMS) announced, on 16 December 2022, that DCMS Secretary of State, Michelle Donelan, has written an open letter to parents, carers, and guardians, setting out the key measures in the Online Safety Bill that will reinforce the protection of children and hold social media companies to account, while giving users a greater say in what they see on the internet. Moreover, the DCMS states that companies will be held legally responsible for their content and forced to protect users or face billion-pound fines or have their sites blocked. The press release and associated links can be found here.

France: Transfer of data outside the EU: the old standard contractual clauses (SCC) are no longer valid

The French data protection authority, the CNIL, issues a reminder on SCCs deadline. As of December 27, 2022, data exporters and importers will no longer be able to use the old European Commission standard contractual clauses and will either have to use the clauses updated in 2021 or use another transfer tool. The press release can be found here.

Norway: Datatilsynet criticises Government proposal on law enforcement data storage

The Norwegian data protection authority (Datatilsynet) issued, on 2 December 2022, a statement in which it criticised the Norwegian Government’s proposal to give the Police Security Service (‘PST’) the right to store data from open sources online to deliver analyses and intelligence assessments. In particular, the Datatilsynet took the view that the proposal permits a limitless collection of information about Norwegian citizens’ activity on the internet, disregards basic privacy principles, and lacks control mechanisms that safeguard human rights.

The press release, and link to the government statement (in Norwegian) can be read here: here.


Fortnite video game maker Epic Games to pay more than half a billion dollars over FTC allegations of privacy violations and unwanted charges

Epic the maker of the hit video game “Fortnite” has agreed to pay a total of USD 520 million to settle US government allegations that it misled millions of players, including children and teens, into making unintended purchases and that it violated a landmark federal children’s privacy law. Read press release from the Federal Trade Commission here.

Uber data breach of employee information caused by third-party vendor

“A new Uber data breach that took place on December 12 has reportedly compromised the information of about 77,000 employees. The incident has been traced back to a third-party vendor, and the stolen data has been posted to a dark web forum.

The breach resulted in the theft of a variety of internal company information; in terms of impact to individual employees, email addresses, company ID numbers and Windows Active Directory information was taken. The thieves also got away with source code and other internal corporate data.” Read full article here.

Microsoft to roll out ‘data boundary’ for EU customers from January 1

Microsoft Corporation said its European Union cloud customers will be able to process and store parts of their data in the region from January 1 2023. The phased rollout of its ‘EU data boundary’ will apply to all of its core cloud services – Azure, Microsoft 365, Dynamics 365 and Power BI platform.

“[…] The first phase will be customer data. And then as we move into the next phases, we will be moving logging data, service data and other kind of data into the boundary. The second phase will be completed at the end of 2023 and phase three will be completed in 2024.” Read Reuters article here.

Data brokers raise privacy concerns – but get millions from the federal government

“The idea was simple and appealing: Give citizens a single, easy-to-use webpage to access all kinds of federal services, from passport renewal to small-business loans.

The site,, launched in 2017 and got backing from the Biden administration in an executive order last December. As of this week, it’s connected to more than 20 government agencies, including the Small Business Administration, the Office of Personnel Management, the Social Security Administration and NASA.

But when citizens enter their personal information to register for the site, it’s not the federal government that validates it — it’s a group of private-sector data brokers, companies that are increasingly under scrutiny for collecting, storing and selling massive amounts of information on Americans without their knowledge.” Read article here.


France: France’s privacy watchdog fines Microsoft over cookies

France’s data protection authority the CNIL has imposed a 60 million EUR fine against Microsoft Ireland, saying it sanctioned the company for not having put in place a mechanism to let people refuse cookies as easily as accepting them. Read the DPA press release (in French) here .

Portugal: The Portuguese Supervisory Authority fines the Portuguese National Statistics Institute (INE) 4.3 million EUR

The Portuguese data protection authority (‘CNPD’) published, on 12 December 2022, its decision in case No. 2022/1072, in which it imposed 4.3 million EUR on the National Institute of Statistics, for violations of Articles 9(1), 12, 13, 28(1), 28(6), 28(7), 35(1), 35(2), 35(3)(b), 44, and 46(2) of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’), following an investigation. Read full article on EDPB here.

Poland: Processing the personal data by a processor must be documented

The Polish SA imposed an administrative fine of PLN 2.500 (538 EUR) on the Sułkowice Cultural Centre. The reason for the decision was the controller’s use of a processor without written contract and lack of verification whether the processor provides sufficient guarantees to implement appropriate technical measures. Read full article on EDPB here.