Wednesday, December 7 2022

Earlier this month, a German court fined an unidentified website €100 ($110, £84) for breaching EU privacy law by importing a web font hosted by Google.

The decision, issued by the Third Civil Chamber of the Landgericht München in Munich, concluded that the website, by including the font hosted by Google-Fonts on its pages, had transmitted the IP address of the unidentified plaintiff to Google without authorization and without a legitimate reason to do so. And it violates the European General Data Protection Regulation (GDPR).

That is, when the complainant visited the website, the page caused the user’s browser to retrieve a font from Google Fonts to use for text, which disclosed the IP address of the complainant. surfer to the American Internet giant. This type of dynamic linking is normal with Google Fonts; the problem here is that the visitor apparently did not allow their IP address to be shared. The website could have avoided this tragedy by self-hosting the font, if possible.

“The unauthorized disclosure of the plaintiff’s dynamic IP address by the defendant to Google constitutes a violation of the general right of personality in the form of the right to informational self-determination according to § 823 paragraph 1 BGB,” the decision said. , as translated algorithmically. “The right to informational self-determination includes the right of the individual to disclose and determine the use of their personal data.”

The decision states that IP addresses represent personal data because it is theoretically possible to identify the person associated with an IP address, and it is irrelevant whether the website or Google actually did so.

Screenshot of Google Fonts

Google Fonts’ font picker… With sample text of our choosing in light of this case

“Defendant violated Plaintiff’s right to informational self-determination by transmitting the dynamic IP address to Google when Plaintiff accessed Defendant’s website,” the decision states.

The decision orders the website to stop providing IP addresses to Google and threatens the site operator with a fine of €250,000 for each violation, or up to six months in prison, for continued misuse of Google. Fonts.

Google Fonts is widely deployed – the Google Fonts API is used by around 50 million websites. The API allows websites to style text with Google Fonts stored on remote servers – from Google or from a CDN – which are retrieved on page load. Google Fonts can be self-hosted to avoid breaking EU rules and the decision explicitly cites this possibility to assert that relying on Google Fonts hosted by Google is not tenable under the law.

The German court decision echoes two other recent rulings, one earlier in January by the Austrian data protection authority which found that the use of Google Analytics violated the law, and another in December of last year when another German court found that a Danish consent manager’s CookieBot program was sharing European IP addresses with US-based Akamai in violation of European data laws.

These data privacy judgments complicate how websites and apps can integrate remotely hosted content or services by requiring a legitimate purpose for doing so whether personal data is being transferred or legal consent.

They reflect the consequences of the decision of the Court of Justice of the EU in 2020 to annul the Privacy Shield data protection agreements which previously allowed American companies to exchange data with European partners in the framework of “standard contractual clauses”. The ruling is known as Schrems II because it originated in the 2011 lawsuit filed by Austrian privacy activist Max Schrems against Facebook in Ireland.

Google did not immediately respond to a request for comment. ®

Previous

How to create a website for free

Next

Best Cheap Website Builder Deals for February 2022

Check Also