Get a warning about Google Fonts? At least normal internet users who happily surf the net don't have to worry at this point. In principle, the operators of websites that use Google Fonts are affected. But let's go through the whole thing step by step. Let's first look at what exactly happened in the recent past.

Google Fonts are fonts that the internet giant Google provides so that they can be used on websites, for example. These can either be embedded directly on the page or loaded from the Google server when you enter a page. The latter, in turn, has now become a problem.

In the last few weeks, a lawyer from Lower Austria has caused a stir because he has sent a number of letters (which cannot yet be quantified) to website operators whose websites are supposedly reloading exactly those fonts from the Google server ( according to the source code of the pages).

More specifically, the letters explain that there is clear evidence that the person being warned uses “Google Fonts” on his website and that this results in the IP address of the client in question being transferred to Alphabet (Google). The company Alphabet mentioned is located outside the EU and is therefore a so-called EU third country. Better: The letter now assumes that the behavior of the website warned against violates the General Data Protection Regulation (GDPR for short).

The media sometimes speak of tens of thousands of cease and desist declarations . A single judgment from Germany may have been the trigger for these letters. The Munich Regional Court determined some time ago that embedding Google Fonts on your own website, provided it runs directly via the Google server, violates the General Data Protection Regulation.

On this basis, the Lower Austrian lawyer (note: according to his own statements on behalf of a client) wrote to websites and demanded €190 as a settlement payment. This amount consists of 100 euros in compensation for the client and 90 euros “for legal prosecution”. We have been provided with a copy of such an original letter.

Homepage builders such as WIX or JIMDO, as well as templates for CMS systems (WordPress, Joomla, etc.), which usually use Google fonts by default, are particularly affected by the problem. Website operators often cannot choose whether they want to use these fonts or not. Google Fonts often “sneak”.

In principle, external services from third countries that are integrated into a website may only be accessed if the user manually accepts them when entering the site.

into the final result via the editor.

Why Google Fonts

Why is it about Google Fonts and what is the real problem? “In principle, external services from third countries, if they are integrated into a website, may only be accessed if they have been manually confirmed by a user who enters this site,” explains Web Developer and Online Marketing -Expert Alexander Webernig Mimikama. This means that nothing about third parties may be displayed on the website without this consent.

This is where the main problem lies, which is also written down in the GDPR. Regarding Webernig's discomfort: “If it had been possible in any way, the IP address should have been removed from the GDPR as particularly worthy of protection. The current case that is now breaking out in Austria is exactly the result of this.” According to Webernig, this could lead to further problems in the future, which we will discuss later in the article.

So Google Fonts is not the problem at all. It's about website operators loading content from EU third countries, i.e. outside the EU, without the visitors' consent. In order to work legally without any problems, external sources such as fonts or graphics would ideally only be made available locally from your own server. Alternatively, when you access a website, no content such as Google Fonts should initially be loaded, but only a basic standard font (Arial, Verdana, Times, etc.). Only after consent can the corresponding features be loaded. Before that, however, the website would look very tired.

The technical problem with the warnings

“As technicians, however, we recognized the problem a long time ago and tackled it a long time ago,” says Webernig. There are therefore various ways to work around the problem. Using Google Fonts as an example, this would be the local provision of the fonts on your own server. The reference in the source code would then not lead to Google in the USA, but would remain “at home”.

A second option would be “mapping”. Briefly and simply explained: Google Fonts are reloaded by the Google server, but not by the visitor, but by the site itself and then passed on to the visitor. The server in the USA would not receive the visitor's IP, but rather that of the website operator's server.

The crux of the matter is: It's not about Google Fonts at all, but about forwarding the requesting IP address to a server in a third country. In principle, it is not forbidden to log the IP address. A provider (note: provider of communication services, such as access to the Internet) or website owner who records statistics is not acting illegally. However, this must be announced BEFORE the capture and requires user consent.

If this does not happen or if data (such as the IP address) is processed before consent or declaration is given due to a technical error, this is a “loss of control”, which should not happen within the meaning of the GDPR. The GDPR requires that users have control over their data at all times.

It's basically about the "nature of the internet"

So when a visitor has an interest in a website and visits it, the IP is always transferred. It's just a question of what happens during this transfer. Is it purely logging on the server or is it forwarded. Alexander Webernig now has strong concerns. “Thinking further, it’s about the nature of the internet. About ping and pong.”

A data query must always have at least two addresses at the end. First the page that queries, then the page that sends. Inevitably, IP addresses need to be logged, at least in the short term. There is no other way. If courts now decide (like the judgment from Germany mentioned above) that IP addresses are personal data worthy of protection (which the Constitutional Court in Austria claims), establishing any connection on the Internet becomes problematic! Even the so-called “Recital 30” of the GDPR states that IP addresses constitute personal data:

(30) Natural persons may be assigned online identifiers such as IP addresses and cookie identifiers provided by their device or software applications and tools or protocols, or other identifiers such as radio frequency identifiers. This can leave traces which, particularly in combination with unique identifiers and other information received by the server, can be used to create profiles of natural persons and identify them.

https://dejure.org/gesetze/DSGVO/Erw%C3%A4gungsgr%C3%BCnde.html

And here we have arrived at the core problem, far from Google Fonts. And in a tangle of laws that sometimes don't get along. From a technical point of view, storing IP addresses at least for a short period of time is absolutely necessary. It is the basic building block of online communication. “In the end, it was not technicians but politicians who decided that the IP address ended up in the GDPR package. And that’s what comes out of it,” notes Webernig.

Google Fonts is one example of many problems that arise from this situation. Webernig sees a bleak future ahead for the industry: “And at this point we’re not even talking about the Italian form of the GDPR, which has yet to come into force! This topic will keep us busy for a very long time.” Here the IT expert refers to 6 other country-specific variants of the GDPR (international GDPR for (General Data Protection Regulation).

These regulations regulate even more strictly how certain information must be recorded and what can be passed on. Webernig sees the Italian version as very problematic because it is hardly possible for internationally operating companies to comply with all of these regulations.

How this will develop is still up in the air. Especially with regard to the present, as there is still no clear case law, as even the case from Munich mentioned does not apply in principle, but the courts have to decide on a case-by-case basis.

Google Fonts: Current case considered

This makes it all the more important to display correctly functioning consent banners and to block external services from third countries until the site visitor gives their consent manually. This can avoid many problems. Webernig emphasizes that many website operators take a close look at their online presence, or that the responsible companies (if they have been commissioned) should do this. “In the latter case, you should definitely ensure in writing that you have placed the order!” says Webernig, because that would regulate liability.

It is not yet clear whether a judgment will be in favor of the plaintiff in the current case in Austria. There are many other aspects to consider here, including the sheer volume of warnings sent out and how the warning came about. Were the websites accessed personally or automatically (with the help of a so-called crawler) to search for mentions of Google Fonts in the source code?

For exactly this analysis, we will continue the article and speak to lawyers who will, on the one hand, look at the specific and current case, but also provide an assessment of the general situation with regard to the IP transfer of websites and content to other EU countries .

This might also be of interest : Winnetou and Karl May not banned! Continue reading …




Note: This content reflects the current state of affairs at the time of publication
.
The reproduction of individual images, screenshots, embeds or video sequences serves to discuss the topic.