from get-a-fine-in-a-strange-way department
The European Union’s data protection law, GDPR (General Data Protection Regulation), has caused all sorts of problems since its inception. Its debut was in itself a mess, which immediately led to many websites simply refusing to allow European users to connect with them.
Since it was unclear how to avoid breaking the law, it was easier to avoid potential fines by simply excluding European users from the equation. For everyone else, it was greeted with a new cookie warning on almost every website they visited – a small problem, sure, but a problem nonetheless.
Then there were the truly unintended consequences of the new law that imposed data collection and sharing restrictions on any business, whether internet-based or not. In some regions, the GDPR was being interpreted as requiring retailers to notify shoppers when items were returned, which would make exchanging unwanted Christmas gifts extremely inconvenient.
In another bizarre case, post offices in Ireland removed bins from their facilities because customers were throwing unwanted mail and receipts away, resulting in the offices unwittingly collecting personal data. When the bins disappeared, customers had to throw their trash on post office counters and floors, which left them even more unregulated than they were when the bins were still in place.
Yet another side effect that no one saw coming: Using Google’s Font API was enough to get a website fined by a German court. (via Slashdot)
Earlier this month, a German court fined an unidentified website €100 ($110, £84) for breaching EU privacy law by importing a web font hosted by Google.
The decision, issued by the Third Civil Chamber of the Landgericht München in Munich, concluded that the website, by including a font hosted by Google Fonts on its pages, had transmitted the IP address of the unidentified plaintiff to Google without authorization and without a legitimate reason to do so, in violation of the European General Data Protection Regulation (GDPR).
The court says whether or not Google did anything with the transmitted IP address is irrelevant. The fact is that the website engaged in the unauthorized transmission of this IP address to Google using its font API to access a font to render text on the site. The court ruling emphasizes that this can be avoided by self-hosting the font and notes that the website operator has chosen to do so in the future. That being said, the court still finds that a fine is the only way to ensure future GDPR compliance.
The risk of recurrence is to be confirmed. It is undisputed that the plaintiff’s IP address was transmitted to Google when the plaintiff visited the defendant’s website. Prior unlawful deficiencies support a real assumption of risk of recurrence, which has not been refuted by the defendant. The risk of repetition is not eliminated by the fact that the defendant now uses Google Fonts in such a way that the website visitor’s IP address is no longer disclosed to Google. The risk of recidivism can only be eliminated by a declaration of abandonment accompanied by a sanction.
The fine here may have been minimal, but the law allows for a €250,000 ($286,000) fine per violation, which the court warns the website operator is not only possible, but likely, if the problem does not go away. There’s also the (very slim) possibility that misuse of Google Fonts could result in jail time, as this is also a potential penalty for violating the GDPR.
While the solution here seems to be quite simple – self-hosted fonts – the reality of the situation is that this decision will lead to another pop-up asking for consent that will come between site users and the content they are trying to access, and that no one will read before clicking “accept”. It won’t make the web a better place, and it won’t do much to limit the sharing of personal data with off-site entities. It will make everything a little more boring.
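For site operators who want to confirm their pages no longer trigger the transfer the court objected to, here is a small audit sketch, added as an example and not part of the original post. It assumes the public Google Fonts hostnames `fonts.googleapis.com` and `fonts.gstatic.com` (not named in the article); the function names, `shop.example` and the sample page are constructed, and the regex extraction is a heuristic, not a full HTML/CSS parser.

```javascript
// Added example: find references that make a visitor's browser contact Google Fonts.
// Assumption: these are the public Google Fonts hosts (not named in the article).
const GOOGLE_FONT_HOSTS = new Set(["fonts.googleapis.com", "fonts.gstatic.com"]);

// Collect URL references from <link href>, CSS @import and CSS url(...).
function extractReferences(source) {
  const patterns = [
    /<link\b[^>]*?\bhref\s*=\s*["']([^"']+)["']/gi,
    /@import\s+(?:url\(\s*)?["']?([^"')\s;]+)/gi,
    /\burl\(\s*["']?([^"')\s]+)/gi,
  ];
  const refs = new Set();
  for (const re of patterns) {
    for (const m of source.matchAll(re)) refs.add(m[1]);
  }
  return [...refs];
}

// Resolve each reference against the page URL and compare the parsed hostname
// exactly, so protocol-relative URLs are caught and look-alike paths are not.
function findGoogleFontRequests(source, pageUrl) {
  const findings = [];
  for (const ref of extractReferences(source)) {
    let url;
    try {
      url = new URL(ref, pageUrl);
    } catch {
      continue; // not a parseable URL, nothing the browser would fetch
    }
    if (GOOGLE_FONT_HOSTS.has(url.hostname)) findings.push({ ref, host: url.hostname });
  }
  return findings;
}

// Constructed sample page: three remote references, a self-hosted @font-face
// (the form the ruling points to), and two look-alikes that must not be flagged.
const SAMPLE_PAGE = `
<link rel="preconnect" href="https://fonts.gstatic.com">
<link rel="stylesheet" href="//fonts.googleapis.com/css2?family=Roboto">
<link rel="stylesheet" href="/static/fonts.googleapis.com/local.css">
<style>
  @import url("https://fonts.googleapis.com/css?family=Lato");
  @font-face { font-family: "Roboto"; src: url(/fonts/roboto.woff2) format("woff2"); }
  @font-face { font-family: "X"; src: url(https://fonts.gstatic.com.example.org/x.woff2); }
</style>`;

console.log(findGoogleFontRequests(SAMPLE_PAGE, "https://shop.example/index.html"));
```

A Content-Security-Policy whose `style-src` and `font-src` list only `'self'` makes the browser refuse these requests even if a reference slips back in.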