Google Fonts Break GDPR!

By Dave McKay | February 6, 2022

Using Google Fonts on Websites Breaks GDPR

A ruling on Jan. 20, 2022 by the third civil chamber of Germany’s Landgericht München (the Munich Regional Court) found the website owner to be in breach of the GDPR.

Websites are able to make use of fonts provided by Google. Google makes these fonts available because they provide another string to its data-collecting bow. When a person visits the website, the font is downloaded to their computer from Google’s servers so that the website is rendered accurately and as intended, with the correct typefaces.

But some data is collected by Google when this happens, including the IP address of the website visitor. This means some personally identifiable information is transmitted—with neither consent nor transparency—to Google.
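As an added illustration that is not part of the original post, the short Python scanner below flags the kind of third-party font loading described above (stylesheet links, preconnect hints and CSS @import rules pointing at Google’s font hosts) and shows, by contrast, a page that serves the same font from its own origin, so the visitor’s browser never contacts Google. The host list and both sample pages are constructed assumptions, not taken from the ruling.

```python
import re
from html.parser import HTMLParser

# Hosts a browser contacts when a page uses Google Fonts (assumed list).
GOOGLE_FONT_HOSTS = ("fonts.googleapis.com", "fonts.gstatic.com")

# Matches "@import url(...)", "@import '...'" and "url(...)" targets in CSS.
CSS_URL = re.compile(r"""(?:@import\s+(?:url\()?|url\()\s*['"]?([^'")\s]+)""")


class FontRefScanner(HTMLParser):
    """Collects <link href> values and the text of every <style> block."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.css, self._in_style = [], [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("href"):
            self.hrefs.append(a["href"])
        if tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.css.append(data)


def find_google_font_requests(html):
    """Return the sorted, de-duplicated URLs that would make the visitor's
    browser (and so their IP address) contact Google's font servers."""
    scanner = FontRefScanner()
    scanner.feed(html)
    candidates = list(scanner.hrefs)
    for block in scanner.css:
        candidates.extend(CSS_URL.findall(block))
    return sorted({u for u in candidates if any(h in u for h in GOOGLE_FONT_HOSTS)})


# Constructed sample: fonts fetched from Google on every page view.
REMOTE_PAGE = """<html><head>
<link rel="preconnect" href="https://fonts.gstatic.com">
<link href="https://fonts.googleapis.com/css2?family=Roboto&display=swap" rel="stylesheet">
<style>@import url('https://fonts.googleapis.com/css?family=Open+Sans');</style>
</head><body><p>Hello</p></body></html>"""

# Constructed sample: the same font self-hosted, so no request reaches Google.
SELF_HOSTED_PAGE = """<html><head><style>
@font-face { font-family: "Roboto"; src: url("/fonts/roboto.woff2") format("woff2"); }
body { font-family: "Roboto", sans-serif; }
</style></head><body><p>Hello</p></body></html>"""
```

Running `find_google_font_requests` over a site’s rendered pages gives a quick inventory of the external font requests that would have to be removed or self-hosted.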

The fine imposed on the website owner is small at €100, but what is more interesting is the precedent that this sets. The number of websites using Google Fonts will be astronomical. And they don’t have to be in Europe to be affected by this ruling.

Wherever your website is located or hosted, if it is accessible by European citizens it must obey the rules of the GDPR and any other local data processing and privacy laws that apply, which was the case in this instance.

The ruling states:

“The unauthorized disclosure of the plaintiff’s dynamic IP address by the defendant to Google constitutes a violation of the general right of personality in the form of the right to informational self-determination according to § 823 Para. 1 BGB. The right to informational self-determination includes the right of the individual to disclose and determine the use of their personal data.”

The data subject is protected by the legislation of their own country, regardless of the geographical location of the website that shared their data.

Way back in July 2020, in a blog post titled CJEU Invalidates EU-US Privacy Shield Agreement, I explained how the EU-U.S. Privacy Shield agreement, which allowed data to be transmitted out of the EU to participating US companies, was ruled invalid by the Court of Justice of the European Union (CJEU).

The Privacy Shield framework allowed personal data to be transmitted to servers located in the United States—as long as the rules laid down by the GDPR regarding transparency, consent, and so on were adhered to. In this latest case, there is no framework to support the transmission of the data, nor were the data subjects made aware that this would happen, and consent was not obtained.

Source: The Register