Website fined by German court for privacy breach over Google Fonts • The Register
Earlier this month, a German court fined an unidentified website €100 ($110, £84) for breaching EU privacy law by importing a web font hosted by Google.
The decision, by the third civil chamber of the Landgericht München in Munich, found that the website, by including a font hosted by Google Fonts on its pages, had transmitted the unidentified plaintiff's IP address to Google without authorization and without a legitimate reason to do so, in violation of the European General Data Protection Regulation (GDPR).
That is, when the complainant visited the website, the page caused the user’s browser to retrieve a font from Google Fonts to use for text, which disclosed the complainant's IP address to the American Internet giant. This type of dynamic linking is normal with Google Fonts; the problem here is that the visitor apparently did not allow their IP address to be shared. The website could have avoided this outcome by self-hosting the font, if possible.
“Defendant’s unauthorized disclosure of Plaintiff’s dynamic IP address to Google constitutes a violation of the general right of personality in the form of the right to informational self-determination under § 823 Para. 1 BGB,” said the decision, as translated algorithmically. “The right to informational self-determination includes the right of the individual to disclose and determine the use of his personal data.”
The decision states that IP addresses represent personal data because it is theoretically possible to identify the person associated with an IP address, and it is irrelevant whether the website or Google actually did so.
“Defendant violated Plaintiff’s right to informational self-determination by transmitting the dynamic IP address to Google when Plaintiff accessed Defendant’s website,” the decision states.
The decision orders the website to stop providing IP addresses to Google and threatens the site operator with a fine of €250,000 for each violation, or up to six months in prison, for continued misuse of Google Fonts.
Google Fonts is widely deployed – the Google Fonts API is used by about 50 million websites. The API allows websites to style text with Google Fonts stored on remote servers – from Google or from a CDN – which are retrieved on page load. Google Fonts can be self-hosted to avoid breaking EU rules and the decision explicitly cites this possibility to assert that relying on Google Fonts hosted by Google is not defensible under the law.
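To check whether a page still triggers the remote font requests described above, the following added example (not from the article or the court decision) scans page markup for references that would make a visitor's browser contact Google's font hosts. The page URL `https://example.org/` and the sample markup are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hosts serving the Google Fonts API stylesheets and the font files.
GOOGLE_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}
# url(...) and @import "..." references inside CSS text.
CSS_REF = re.compile(r"""url\(\s*['"]?([^'")\s]+)|@import\s+['"]([^'"]+)""", re.I)

# Constructed sample page (not taken from the article).
SAMPLE = """<head><link rel="preconnect" href="https://fonts.gstatic.com">
<link rel="stylesheet" href="//fonts.googleapis.com/css2?family=Roboto">
<link rel="stylesheet" href="/css/site.css">
<style>@import url("https://fonts.googleapis.com/css?family=Lato");
@font-face { font-family: Local; src: url(/fonts/local.woff2); }</style></head>"""

class FontAudit(HTMLParser):
    """Collect references that make a visitor's browser contact Google Fonts."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings, self._in_style = page_url, [], False

    def _check(self, where, ref):
        url = urljoin(self.page_url, ref)  # resolves //host/... and relative paths
        if urlparse(url).hostname in GOOGLE_FONT_HOSTS:
            self.findings.append((where, url))

    def _check_css(self, where, css):
        for m in CSS_REF.finditer(css):
            self._check(where, m.group(1) or m.group(2))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("href"):
            self._check("link", a["href"])
        if a.get("style"):
            self._check_css("style attribute", a["style"])
        self._in_style = tag == "style"

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # text inside a <style> block
            self._check_css("style block", data)

def audit(html, page_url):
    parser = FontAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings
```

Calling `audit(SAMPLE, "https://example.org/")` reports the preconnect hint, the protocol-relative stylesheet link and the `@import`, while the self-hosted `/fonts/local.woff2` passes. Stylesheets loaded from the site's own paths, such as `/css/site.css`, are not fetched here and need the same pass through `_check_css`.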
The German court decision echoes two other recent rulings, one earlier in January by the Austrian data protection authority which found that the use of Google Analytics violated the law, and another in December of last year when another German court found that a Danish consent manager’s CookieBot program was sharing European IP addresses with US-based Akamai in violation of European data laws.
These data privacy judgments complicate how websites and apps can integrate remotely hosted content or services by requiring either a legitimate purpose for doing so when personal data is transferred, or legal consent.
They reflect the consequences of the decision of the Court of Justice of the EU in 2020 to annul the Privacy Shield data protection agreements which previously allowed American companies to exchange data with European partners in the framework of “standard contractual clauses”. The decision is known as Schrems II because it originated in the 2011 lawsuit filed by Austrian privacy activist Max Schrems against Facebook in Ireland.
Google did not immediately respond to a request for comment. ®