GDPR Rulings Making Waves in 2022

A few GDPR rulings have recently been handed down that are going to be causing major shakeups across a number of sites and services. This year’s off to a wild start.

To begin with, the Transparency & Consent Framework developed and maintained by IAB Europe was found unlawful. This framework for consent in data tracking and advertising is used extensively by large vendors like Google, Amazon, and Microsoft for EU users, and is heavily used throughout internet sites serving Europeans.

All data collected through the TCF must now be deleted by the more than 1,000 companies that pay IAB Europe to use the TCF. This includes Google’s, Amazon’s and Microsoft’s online advertising businesses.

— Irish Council for Civil Liberties

If that weren’t enough, on January 13, the Austrian Data Protection Authority determined that Google Analytics violates the GDPR due to the international transfer of data that does not protect said data from U.S. government surveillance.

“The decision casts a dark cloud over any conceivable method of legally transferring data between the continents,” Tene said, adding it will have “far-reaching implications.” “In the absence of a breakthrough in Privacy Shield negotiations, data transfers – and consequently international trade – between the EU and U.S. face a bleak future.”

Just days before the Austrian DPA’s decision, the European Data Protection Supervisor reprimanded the European Parliament for breaching GDPR related to its COVID-19 test booking website launched in September 2020. The website was found to be using cookies associated with Google Analytics and Stripe, while the EDPS said Parliament failed to demonstrate measures to safeguard associated data transfers to the U.S.

NOYB’s Max Schrems believes “more decisions on the use of U.S. providers” are expected in the coming months, “as other cases are also due for a decision.”

— Jennifer Bryant, Austrian DPA’s Google Analytics decision could have ‘far-reaching implications’

In a similar theme, a German court ruled that use of Google Fonts also violates the GDPR. The site that was sued for using the fonts is not identified publicly, but given the initial low fine €100¹, we can assume it’s relatively small.

That is to say, when the plaintiff visited the website, the page made the user’s browser fetch a font from Google Fonts to use for some text, and this disclosed the netizen’s IP address to the US internet giant. This kind of hot-linking is normal with Google Fonts; the issue here is that the visitor apparently didn’t give permission for their IP address to be shared. The website could have avoided this drama by self-hosting the font, if possible.

— Thomas Claburn, The Register, Website fined by German court for leaking vistor’s IP address via Google Fonts

There’s a lot of legal things to sort through here, and I am certainly not a lawyer, but it certainly seems that using a third-party CDN to serve up fonts, common javascript/css libraries, etc. is going to run you afoul of the GDPR.