Weekly Privacy News Update – Episode 16

German court penalized a website for leaking a visitor’s IP address via Google Fonts

The unidentified website faced a EUR 100 fine from a German court for violating the General Data Protection Regulation (GDPR) by importing a Google-hosted web font. Landgericht München’s third civil chamber gave the ruling in Munich after it found out that the website, through the Google-Fonts-hosted font on its pages, passed the unidentified complainant’s IP address to Google without authorization and any legitimate reason for doing it; therefore violating the GDPR. When the complainant visited the website, the page made the user’s browser fetch a font from Google Fonts. This exposed the user’s IP address to the US internet giant. Although this type of hotlinking is typical with Google Fonts, the issue is that the complainant did not give permission for their IP address to be shared. The case could have been avoided if the website was self-hosting the font.

Source: The Register, Rewis.io

European Commission to introduce draft Data Act

The European Commission plans to release its draft Data Act on non-personal data on February 23, 2022. Leaked documents showed that the draft would include provisions on sharing data, conditions for access by public bodies, international data transfers, cloud switching, and interoperability. The act will regulate manufacturers of connected products, digital service providers, and users. The draft cited how the data generated across the EU is “increasing exponentially,” but the data is “concentrated in the hands of relatively few large companies.”

Source: IAPP, Euractiv

EDPB publishes opinion on Luxembourg certification plan

The European Data Protection Board (EDPB) published its initial opinion on certification schemes as a response to a submission from Luxembourg’s National Commission for Data Protection (CNPD) on its EU General Data Protection Regulation Certified Assurance Report-based Processing Activities (GDPR-CARPA). The GDPR-CARPA has requirements that certification bodies need to fulfill in order to be granted the accreditation by the CNPD. EDPB Chair Andrea Jelinek said that the opinion is “an important step towards greater GDPR compliance,” and noted  controllers and processors can “gain greater visibility and credibility” by submitting to such a certification system.

Source: IAPP, EDPB

Very Slim Chance for US Federal Privacy Law in 2022

The likelihood for federal privacy law in 2022 is “grim” despite bipartisan support in Congress, reports TechTarget. Electronic Frontier Foundation Senior Staff Attorney Lee Tien said the energy around privacy “has sort of flattened out” while several US states are creating their own laws. According to Resolute Strategic Services Executive Vice President Cory Simpson, the questions on enforcement and preemption of state laws are creating roadblocks for the creation of federal law.

Source: IAPP, TechTarget

Masha Komnenic CIPP/E, CIPM, CIPT, FIP
More about the author

Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author

Related Articles

Explore more resources