German court penalized a website for leaking a visitor’s IP address via Google Fonts
The unidentified website faced a EUR 100 fine from a German court for violating the General Data Protection Regulation (GDPR) by importing a Google-hosted web font. Landgericht München’s third civil chamber gave the ruling in Munich after it found out that the website, through the Google-Fonts-hosted font on its pages, passed the unidentified complainant’s IP address to Google without authorization and any legitimate reason for doing it; therefore violating the GDPR. When the complainant visited the website, the page made the user’s browser fetch a font from Google Fonts. This exposed the user’s IP address to the US internet giant. Although this type of hotlinking is typical with Google Fonts, the issue is that the complainant did not give permission for their IP address to be shared. The case could have been avoided if the website was self-hosting the font.
European Commission to introduce draft Data Act
The European Commission plans to release its draft Data Act on non-personal data on February 23, 2022. Leaked documents showed that the draft would include provisions on sharing data, conditions for access by public bodies, international data transfers, cloud switching, and interoperability. The act will regulate manufacturers of connected products, digital service providers, and users. The draft cited how the data generated across the EU is “increasing exponentially,” but the data is “concentrated in the hands of relatively few large companies.”
EDPB publishes opinion on Luxembourg certification plan
The European Data Protection Board (EDPB) published its initial opinion on certification schemes as a response to a submission from Luxembourg’s National Commission for Data Protection (CNPD) on its EU General Data Protection Regulation Certified Assurance Report-based Processing Activities (GDPR-CARPA). The GDPR-CARPA has requirements that certification bodies need to fulfill in order to be granted the accreditation by the CNPD. EDPB Chair Andrea Jelinek said that the opinion is “an important step towards greater GDPR compliance,” and noted controllers and processors can “gain greater visibility and credibility” by submitting to such a certification system.
Very Slim Chance for US Federal Privacy Law in 2022
The likelihood for federal privacy law in 2022 is “grim” despite bipartisan support in Congress, reports TechTarget. Electronic Frontier Foundation Senior Staff Attorney Lee Tien said the energy around privacy “has sort of flattened out” while several US states are creating their own laws. According to Resolute Strategic Services Executive Vice President Cory Simpson, the questions on enforcement and preemption of state laws are creating roadblocks for the creation of federal law.