
GDPR Rulings Making Waves in 2022

Daniel Andrlik
Author

A few GDPR rulings have recently been handed down that are going to be causing major shakeups across a number of sites and services. This year’s off to a wild start.

To begin with, the Transparency & Consent Framework developed and maintained by IAB Europe was found unlawful. This framework for consent in data tracking and advertising is used extensively by large vendors like Google, Amazon, and Microsoft for EU users, and is heavily used throughout internet sites serving Europeans.

> All data collected through the TCF must now be deleted by the more than 1,000 companies that pay IAB Europe to use the TCF. This includes Google’s, Amazon’s and Microsoft’s online advertising businesses.

Irish Council for Civil Liberties

If that weren’t enough, on January 13, the Austrian Data Protection Authority determined that Google Analytics violates the GDPR due to the international transfer of data that does not protect said data from U.S. government surveillance.

> “The decision casts a dark cloud over any conceivable method of legally transferring data between the continents,” Tene said, adding it will have “far-reaching implications.” “In the absence of a breakthrough in Privacy Shield negotiations, data transfers – and consequently international trade – between the EU and U.S. face a bleak future.”
>
> Just days before the Austrian DPA’s decision, the European Data Protection Supervisor reprimanded the European Parliament for breaching GDPR related to its COVID-19 test booking website launched in September 2020. The website was found to be using cookies associated with Google Analytics and Stripe, while the EDPS said Parliament failed to demonstrate measures to safeguard associated data transfers to the U.S.
>
> NOYB’s Max Schrems believes “more decisions on the use of U.S. providers” are expected in the coming months, “as other cases are also due for a decision.”

Jennifer Bryant, Austrian DPA’s Google Analytics decision could have ‘far-reaching implications’

In a similar theme, a German court ruled that use of Google Fonts also violates the GDPR. The site that was sued for using the fonts is not identified publicly, but given the initial low fine of €100 [1], we can assume it’s relatively small.

> That is to say, when the plaintiff visited the website, the page made the user’s browser fetch a font from Google Fonts to use for some text, and this disclosed the netizen’s IP address to the US internet giant. This kind of hot-linking is normal with Google Fonts; the issue here is that the visitor apparently didn’t give permission for their IP address to be shared. The website could have avoided this drama by self-hosting the font, if possible.

Thomas Claburn, The Register, Website fined by German court for leaking visitor’s IP address via Google Fonts

There are a lot of legal things to sort through here, and I am certainly not a lawyer, but it certainly seems that using a third-party CDN to serve up fonts, common JavaScript/CSS libraries, etc. is going to run you afoul of the GDPR.
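The hot-linking described in the Google Fonts ruling, and the wider third-party CDN use mentioned above, can be found in a page before it ships. This is an added example, not code from the original post: it lists every stylesheet, script, image, iframe and CSS `@import`/`url()` that a visitor's browser would fetch from a host other than the site's own. The names `audit` and `ThirdPartyAudit`, and the sample page on `example.test`, are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag attributes, and <link rel> values, that make the browser contact a host.
FETCH_ATTR = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
LINK_RELS = {"stylesheet", "preload", "preconnect", "icon", "modulepreload"}
# Matches @import "...", @import url(...) and url(...) inside CSS.
CSS_URL = re.compile(r"""(?:@import\s+(?:url\()?|url\()\s*["']?([^"')\s]+)""", re.I)

class ThirdPartyAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.site = page_url, urlsplit(page_url).hostname
        self.in_style, self.findings = False, []

    def check(self, where, url):
        host = urlsplit(urljoin(self.page_url, url)).hostname
        if host and host != self.site:  # relative paths and data: URIs pass
            self.findings.append((self.getpos()[0], where, host))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self.in_style = tag == "style"
        rels = set((attrs.get("rel") or "").lower().split())
        url = attrs.get(FETCH_ATTR.get(tag, ""))
        if url and (tag != "link" or rels & LINK_RELS):
            self.check(tag, url)

    def handle_endtag(self, tag):
        self.in_style = False

    def handle_data(self, data):
        for m in CSS_URL.finditer(data if self.in_style else ""):
            self.check("style", m.group(1))

def audit(html, page_url):
    parser = ThirdPartyAudit(page_url)
    parser.feed(html)
    return parser.findings  # list of (line, element, third-party host)

# Constructed sample page; example.test stands in for the audited site.
SAMPLE = """<head><link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<link rel="stylesheet" href="/css/site.css"><link rel="canonical" href="https://other.example/">
<style>@font-face { font-family: Body; src: url(/fonts/body.woff2); }
@import url("//fonts.googleapis.com/css?family=Lato");</style>
<script src="https://cdn.jsdelivr.net/npm/jquery@3/dist/jquery.min.js"></script></head>"""

for line, where, host in audit(SAMPLE, "https://example.test/"):
    print(f"line {line}: <{where}> loads from {host}")
```

Self-hosted assets (`/css/site.css`, `/fonts/body.woff2`) and non-fetching links such as `rel="canonical"` are not reported; linked stylesheets would need to be fed through `CSS_URL` separately to catch `@import` chains inside them.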


  1. Subsequent violations are steeper: €250,000 for each future incident.
