Court Rules Websites Embedding Google Fonts Violates GDPR (thehackernews.com)
67 points by henryluo on March 2, 2022 | 97 comments



I found this part interesting:

> Google Fonts can also be used by the defendant without a connection to a Google server being established and the IP address of the website user being transmitted to Google

So they're saying that because a user is allowed to self-host the fonts, they should (and presumably there is then no legitimate reason anymore to 'transmit the IP address to Google'?)

Would Google Fonts then be in the clear if they deny you the right to self-host so that the only way to use it is letting users fetch them from Google?


> Would Google Fonts then be in the clear if they deny you the right to self-host so that the only way to use it is letting users fetch them from Google?

Google Fonts have always[1] used open source licenses, so you've always been able to self host. A change in the fonts API can't revoke that license.

[1] http://googlecode.blogspot.com/2010/05/introducing-google-fo...


I very much doubt it; in that case, the site in question should use another font.


The only real way they could do that would be to change the licensing terms (since the font has to be available for download either way, and if it's available you can always download it and then re-host yourself).

I would assume the courts would (correctly - IMO) treat that as a bad-faith effort on the part of Google, and proceed with that in mind. It would likely lead to banning the use of Google fonts entirely.


You could also just proxy + cache the requests.


Why waste bandwidth requesting the same file? I guess you could cache it “indefinitely”, but that’s functionally the same as just hosting it..


For the same reason you chose to use a CDN instead of self-hosting in the first place. It takes away a lot of the complexity.

I'm not proxying and HTTP-caching typefaces, but I used to URL-import JavaScript packages from a CDN. Availability as well as response latency were at times abysmal. I didn't want to give up on the comfort, though. Now I'm just routing requests for cdn.my-website.com to cdn.that-popular-provider.com and HTTP-caching them.

Availability is tied to my-website.com's availability, which is great. And response latency went way down. And I didn't have to compromise on just dropping arbitrary JavaScript with arbitrary dependencies on the server without going through all the node and npm hassle first.

It's awesome.


So, the reason why you can self-host is because Google Fonts is a repository of FOSS fonts[0]. Google can't strip away the open licensing to evade GDPR, because you can't actually cancel those licenses. They have no termination provision and allow redistribution, so it would still be possible to self-host even if Google stripped the license. The courts would view the stripping of Free licensing on free fonts to be a subterfuge, and strike it down. Furthermore, if they did this, it would almost certainly violate the SIL Open Font License and GPL+FE[1], as they both have copyleft provisions that forbid restrictive sublicensing and require derivative works to be made under the same license.

If we were talking about Adobe Fonts[2], which exists to license proprietary fonts, then the above wouldn't apply and you might have an argument. However, there is no particular reason why website developers could negotiate a self-hosting license for more money. If it's not a legitimate purpose under GDPR to use Google Fonts to save money on hosting costs, then it's probably not a legitimate purpose to use Adobe Fonts to save money on licensing costs.

The correct way for this to be fixed is not to evade GDPR; it's to get Congress to embrace it. Alternatively, someone in the EU with no ties to America[3] could host their own font service and negotiate licenses for premium font usage... but that's more of an interim solution than a long-term fix.

[0] I will only be talking about "font software" - i.e. the copyrightable aspects of the font files we use to render fonts on a computer. Font designs themselves are subject matter for patents, not copyrights.

[1] GPL with a clause clarifying that embedding the font into a document does not require putting the document under GPL.

[2] I had to stop myself from calling them TypeKit still

[3] The linchpin of Schrems II is the fact that Americans can be compelled by US intelligence agencies to collect EU data they have access to, so it needs to be 100% America-free.


So if your website is hosted by Github pages (US), then that is ok because you can't self host?


At least the court isn't fooled: Google Fonts is just another tracking device.


I don't think it has anything to do with that. It is the transmission of an IP address to US jurisdiction. Hosting a web page on github pages would have this issue too... (?)


> Hosting a web page on github pages would have this issue too... (?)

No, because users are expected to know that visiting a webpage results in their IP address being revealed. In that sense it becomes impossible to provide webpages to users if they first have to consent.

Google fonts is different, because if I'm ok with germanwebsite.de knowing my IP it does not mean that I'm also ok with Google knowing about it with the same action of clicking a link.


Visiting a website by a European in Europe does not require the IP address to be exposed to US soil, right?


Yes, and that’s more a commentary on GitHub Pages also being a tracking service, not disproving anything about Google Fonts. Surely Microsoft doesn’t let those access logs just sit around collecting dust.


I wonder how much this is going to affect themes for popular CMSs. E.g. WordPress and others. A lot of the themes built for those platforms generally pull their fonts from Google Fonts. And, I know from experience that some of them don't provide the option to easily remove such a "feature".

Still, I agree that this is a bit of a silly measure.


After initial news of this ruling I inspected the theme on my rarely-updated Octopress-based site and found that it included third-party Google Fonts. Turns out most themes for static site generators do so.

I haven't fixed it yet, only because the effort/risk ratio was low (very little traffic), but I still plan to fix it.


Given that there is virtually no enforcement for flagrant GDPR violations... not at all.


Do you have any examples of this?


Welt.de comes to mind. Just see what you accept with "legitimate interest" tracking. This is one of the largest news publications in Germany.

There are far, far more of them, but I don't see them thanks to my ad blocker.

Just look at this: https://www.enforcementtracker.com/


But this is not a GDPR violation as they are telling you what data they are collecting and how they are processing it.


There is no single-click opt-out, which is very explicitly required by GDPR. It's also a gross misrepresentation of what "legitimate interest" means.


As the operator of a US-based site (and a rookie), what is the easiest way for me to deal with this? I'm thinking:

- block EU traffic on a CDN level, or perhaps setting up a geoblock in nginx

- ban EU citizens in the T&C on my site

I'm not targeting European customers, so no need to worry about their rules. I just don't want to break a law inadvertently and get in trouble later.

EDIT: the EU has every right to legislate whatever privacy regulations they want. I just don't target EU citizens. But if an EU citizen comes to my site somehow, I'm currently breaking the law over there; I don't want this to ever happen.


The easiest way is to not use google fonts.


But I like google fonts. And I don't like being told by a foreign entity that I can only use certain fonts.


The foreign entity does not forbid you to use any font at all, in any sense of the term. You are told by an assembly of elected representatives that you must treat their 450 million citizens' data with care and respect.

You are perfectly allowed to self-host the fonts, use regional providers... or even block the zone entirely.


Now, let's make a poll and see how many of those 450mln citizens care. Nobody ever considered cookies or online data when they engaged with the indirectly democratic process which appointed those representatives.

Those representatives are random politicians that can be bought by the dozen by large corporations.

This is obviously another regulatory step towards guaranteeing only large companies will have the legal expertise to be on the internet, stifling competition and killing small and independent providers.


Okay.

Oh look, it turns out[0][1] Europeans generally know about GDPR's effects[2] and care about their privacy online. What a shocker. In fact, I bet if you ran a similar poll of "would Americans want privacy laws equivalent to the EU's", with a simple explanation of what that would entail, you'd probably get a pretty positive response to that, too.

The problem here isn't the EU. It's US Congress, and its insistence on shitty laws like the CLOUD Act that make it legally impossible to comply with any reasonable foreign privacy law by mandating that tech companies break them in lieu of a proper legal treaty. Bonus points to various UK and Australian[3] laws that collectively ban strong encryption in those territories, though I know of no current GDPR court ruling about that yet.

[0] https://fra.europa.eu/en/news/2020/how-concerned-are-europea...

[1] https://www.welivesecurity.com/2019/06/14/gdpr-europeans-awa...

[2] Oddly enough this only extends to knowledge of GDPR's effects. Nobody seems to remember that the law that gave them these new privacy rights is called "GDPR".


Actually they're told by the commission which is elected by nobody. The EU parliament doesn't make law (i.e. it's not really a parliament). It's the civil service that does that in the EU. Parliament just rubber stamps it.


You can self-host Google Fonts.
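Concretely, self-hosting means saving the stylesheet that fonts.googleapis.com returns, saving the font files its `src: url(...)` entries point at on fonts.gstatic.com, and rewriting those `url()` references to your own paths, so the visitor's browser never opens a connection to Google. The script below is an added example for this thread, not code from the ruling, the article or Google; the `SAMPLE_CSS` is a constructed stand-in shaped like a Google Fonts response, the `EXAMPLE-*.woff2` file names are placeholders, and the `/fonts/` prefix and file-name flattening are my own choices.

```python
"""Rewrite a Google Fonts stylesheet to point at self-hosted font files.

Added example (not from the thread). A fonts.googleapis.com response is a list of
@font-face rules whose src: url() entries reference fonts.gstatic.com. Hosting the
files yourself removes the third-party request that the court objected to.
"""
import os
import re
import sys
from urllib.parse import urlsplit
from urllib.request import Request, urlopen

# Absolute http(s) url(...) references, quoted or unquoted; local() and format()
# tokens do not match and are left exactly as they are.
URL_RE = re.compile(r"""url\(\s*(['"]?)(https?://[^'")\s]+)\1\s*\)""")

# Constructed sample in the shape of a fonts.googleapis.com response; the file
# names are placeholders, not real Google asset names.
SAMPLE_CSS = """\
@font-face {
  font-family: 'Roboto';
  font-style: normal;
  font-weight: 400;
  font-display: swap;
  src: url(https://fonts.gstatic.com/s/roboto/v30/EXAMPLE-regular.woff2) format('woff2');
  unicode-range: U+0000-00FF, U+0131, U+0152-0153;
}
@font-face {
  font-family: 'Roboto';
  font-style: normal;
  font-weight: 700;
  font-display: swap;
  src: local('Roboto Bold'), url("https://fonts.gstatic.com/s/roboto/v30/EXAMPLE-bold.woff2") format("woff2");
}
"""


def local_name_for(remote_url):
    """Flatten the remote path into a single file name so families, versions and
    files cannot collide: .../s/roboto/v30/x.woff2 -> s_roboto_v30_x.woff2"""
    return urlsplit(remote_url).path.lstrip("/").replace("/", "_")


def localize_font_css(css, local_prefix="/fonts/"):
    """Return (rewritten_css, {remote_url: local_file_name}).

    Only absolute http(s) url() references are rewritten. The mapping tells the
    caller which files to download and under which name to store them.
    """
    mapping = {}

    def replace(match):
        remote = match.group(2)
        name = mapping.setdefault(remote, local_name_for(remote))
        return "url(%s%s)" % (local_prefix, name)

    return URL_RE.sub(replace, css), mapping


def download_fonts(mapping, dest_dir):
    """Fetch every referenced font file once into dest_dir (network step; the
    offline functions above do all the parsing). The stylesheet itself should be
    fetched with a modern browser User-Agent, because Google varies the formats
    it lists by UA; the font file URLs themselves are plain static downloads."""
    os.makedirs(dest_dir, exist_ok=True)
    for remote, name in mapping.items():
        with urlopen(Request(remote, headers={"User-Agent": "Mozilla/5.0"})) as resp:
            with open(os.path.join(dest_dir, name), "wb") as fh:
                fh.write(resp.read())


if __name__ == "__main__":
    # Usage (file names are placeholders):
    #   python localize_fonts.py saved-google-fonts.css site/fonts.css site/public/fonts
    css_in, css_out, font_dir = sys.argv[1:4]
    with open(css_in, encoding="utf-8") as fh:
        rewritten, mapping = localize_font_css(fh.read())
    download_fonts(mapping, font_dir)
    with open(css_out, "w", encoding="utf-8") as fh:
        fh.write(rewritten)
    print("rewrote %d font references" % len(mapping))
```

After running it, the page's `<link href="https://fonts.googleapis.com/...">` is replaced by a `<link>` to the rewritten local stylesheet; a quick check that nothing was missed is that the word `gstatic` no longer appears anywhere in the served CSS.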


You probably don't have to do anything. I am of the opinion that blocking EU traffic potentially increases your exposure to GDPR, but this is not settled law.

GDPR's territorial scope applies to international Controllers who are "targeting" EU residents. According to Recital 23, merely having a website doesn't qualify. There needs to be additional evidence that you are attempting to attract an EU audience. E.g. when selling goods, offering Euro as a currency.

Blocking EU traffic means that you are specifically envisioning EU residents visiting your site. And blocking traffic from them is a type of data processing. IANAL, don't take advice from randos on the Internet, but if you're just some website then blocking EU visitors might be more trouble than it's worth.

In either case, no DPA is going to give a shit about you.

https://gdpr-info.eu/recitals/no-23/


Recital 23 elaborates on Article 3 2(a), which covers the offering of goods or services to people in the Union as a basis for applying GDPR.

There's also 2(b), which covers the monitoring of behavior as far as their behavior takes place within the Union. Recital 24 at https://gdpr-info.eu/recitals/no-24/ elaborates on that:

> The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union.

> In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

(line break added between sentences to make it easier to read).

Unlike 2(a), 2(b) doesn't require any attempt to attract an EU audience, so it is easier to accidentally fall under.


That's brilliant, thank you!!


> As the operator of a US-based site (and a rookie), what is the easiest way for me to deal with this?

If you have no EU presence then why do you need to care?


There may be personal legal repercussions - I want to travel there freely, but never do business there.


That is an excellent point.


Could you host the fonts yourself?


That's probably simplest, but I want to cut this problem off at the root. Today they outlaw Google Fonts, tomorrow it's the next thing. I can't keep changing my site based on foreign legal opinions.


Fixing privacy issues on your site is the best way to cut the problem at the root.


>I can't keep changing my site based on foreign legal opinions.

Then block access from all other countries than your own, you'll never have to worry about any of it again.


Is this the internet we want?

That's appalling


Well, if the OP insists on sharing their visitors' data with 3rd parties, and doesn't want to adapt his site to fix the specific instances other countries outlaw... then yes, it's better for everybody if he keeps it caged into his own country.


By far, the easiest thing to do is ignore GDPR.


At least until you reach a certain size.


That's a good problem to have, and then I'll get a lawyer!


Second easiest thing to do is ban Europeans :)


There is probably no further action necessary. As long as you are not targeting people in Germany in particular, a German court would not open a case against you. Indications that you are specifically targeting people in Germany are if you use the German language or have more than the occasional visitors or customers from Germany. Of course, there is always a grey area as to where the real limits lie.

For detailed information see the "Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)" (pdf), available at https://edpb.europa.eu/sites/default/files/files/file1/edpb_...

Some core citations from this document (p.12-14):

--- begin quote ---

Article 3(2) of the GDPR provides that “this Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”

The application of the “targeting criterion” towards data subjects who are in the Union, as per Article 3(2), can be triggered by two distinct and alternative types of activities carried out by a controller or processor not established in the Union. In addition to being applicable only to a controller or processor not established in the Union, the targeting criteria largely focus on what the “processing activities” are “related to”, which is to be considered on a case-by-case basis.

In assessing the conditions for the application of the criteria, the EDPB therefore recommends a twofold approach, in order to determine first that the processing relates to personal data of data subjects who are in the Union, and second whether it relates to the offering of goods or services or to the monitoring of data subjects’ behaviour in the Union.

[Then some examples are given. A U.S. company providing a personalized travel app for tourists visiting London, Paris and Rome falls within the scope of the GDPR. But ...]

The EDPB also wishes to underline that the fact of processing personal data of an individual in the Union alone is not sufficient to trigger the application of the GDPR to processing activities of a controller or processor not established in the Union. The element of "targeting" individuals in the EU, either by offering goods or services to them or by monitoring their behaviour (as further clarified below), must always be present in addition.

Example 9: A U.S. citizen is travelling through Europe during his holidays. While in Europe, he downloads and uses a news app that is offered by a U.S. company. The app is exclusively directed at the U.S. market. The collection of the U.S. tourist's personal data via the app by the U.S. company is not subject to the GDPR.

--- end quote ---


> Indications that you are specifically targeting people in Germany are if you use the German language or…

How would you distinguish that from targeting people not in Germany who happen to speak German? That is a rather large group—in the US alone an estimated ~1.2 million Americans speak German at home and might prefer a German-language site while having nothing to do with the EU.

If a site is neither hosted in the EU nor operated by an EU citizen or organization then the GDPR (and all other EU law) should not apply. If an EU citizen or resident interacts with such a site they are choosing to provide whatever personal information may be collected to an entity outside EU jurisdiction of their own accord. Claiming jurisdiction over foreign entities just because they communicated with your own citizens or residents is insane. Can you imagine the outcry if this were the US (or for that matter NK) attempting to enforce their own laws—"national security letters", for example—on sites hosted in and operated from the EU?


My intention when using the term "indication" was not to say that it is a sufficient condition. In German I would have used the word "Hinweis", which has a connotation of vagueness. I was not aware that "indication" seems to be more like a synonym for "proof". Please take it to my credit that English is not my native language. What is the best word to use when something is to some degree an indication, but not strictly?


Doesn't this mean a video embed is illegal as well?

Self hosted video isn't feasible for a lot of sites... This'll be "fun".


In the EU, most video embeds I find now have an interstitial popup you have to click for the video to actually load.


Maybe, though the ruling mostly revolves around website subresources that are not particularly burdensome to self-host.

It could be the case that replacing your iframes with an image that says "click to watch this video on YouTube" might be OK; because then it wouldn't be a subresource, and users would actually have a choice as to whether or not to watch the YouTube video and have Google be able to log that. This is something that PeerTube already does for its embeds, because P2P is a privacy nightmare[0].

Or, the courts might demand all web video in the EU be hosted by people bound by GDPR and US subpoena-proof; and if that costs way too much then it's not their problem. That would also fatally imperil PeerTube and LBRY, as the CIA/NSA/FBI wouldn't need to subpoena Google anymore. They could just watch the video and get your data that way.

[0] As many thousands of people who have gotten sued for using BitTorrent can concur.


dupe: https://news.ycombinator.com/item?id=30135264 (389 points, 648 comments)


Wouldn’t the logic of this apply to literally 100% of all inclusions of materials from a site not owned by the site owner of the main site (including any user-submitted links in sites that host user-generated content), since those will produce a request to the external site which will then “transfer” the IP address?

Did the GDPR just accidentally outlaw the entire WWW except strictly-siloed single-organization websites?


You can't embed material that's loaded from servers that'll track you, correct.

Which is why many German news sites hide all twitter/facebook embeds and instead show a placeholder. Only once you click "embed content from ..." on that placeholder will the actual embed be loaded.

Plain links on the other hand are fine.


Links to other websites aren't the problem. You can't embed material (images, scripts, fonts, video, etc) from any external site at all, because the IP address is always conveyed to that third party because that's how the Internet works. Thus you must host it yourself or not at all.

This isn't just about whether you perceive the third party as a scary big tech "tracker" website or not.
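The mechanism described above (any subresource, whatever its type, makes the visitor's browser connect to the host named in the URL) also makes the check mechanical: walk the markup for everything the browser would fetch and compare each host against your own. The script below is an added example written for this thread, not code from the article or from any project mentioned in it; `SAMPLE_HTML` and `SAMPLE_PAGE_URL` are a constructed page standing in for a theme's output, and `VIDEO_ID_PLACEHOLDER` is exactly that. It covers the resource kinds listed in the comment (images, scripts, fonts via `<link>` and `@import`, video/iframes) plus `preconnect`-style `<link>` hints, which also open a connection, and ignores plain `<a href>` links and `data:` URLs, which do not.

```python
"""List cross-origin subresources in an HTML document.

Added example (not from the thread). Every <script src>, <link href>, <img src>,
<iframe src>, <video>/<audio>/<source>/<embed>/<track src>, <object data>, and
url()/@import reference inside <style> blocks is resolved against the page URL and
reported when its host is neither the page's own host nor an explicitly allowed one.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attribute that names the fetched resource, per element type. <a href> is
# deliberately absent: following a link is the user's action, not a subresource.
SRC_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "video": "src",
    "audio": "src", "source": "src", "embed": "src", "track": "src",
    "link": "href", "object": "data",
}
# url(...) and @import references inside inline CSS, quoted or not.
CSS_URL_RE = re.compile(r"""(?:@import\s+(?:url\()?|url\()\s*['"]?([^'")\s;]+)""")

# Constructed sample page; hosts are real public services, the video id is a placeholder.
SAMPLE_PAGE_URL = "https://example.de/blog/post.html"
SAMPLE_HTML = """<!doctype html>
<html><head>
  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
  <link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto&display=swap">
  <link rel="stylesheet" href="/assets/site.css">
  <style>@import url(//fonts.googleapis.com/css?family=Lato);</style>
  <script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
  <script src="/assets/app.js"></script>
</head><body>
  <img src="/img/logo.png" alt="logo">
  <img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" alt="">
  <a href="https://www.youtube.com/">plain link, not fetched</a>
  <iframe src="https://www.youtube.com/embed/VIDEO_ID_PLACEHOLDER"></iframe>
</body></html>"""


class SubresourceCollector(HTMLParser):
    """Collect (tag, raw_url) for everything the browser would fetch on load."""

    def __init__(self):
        super().__init__()
        self.refs = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attr = SRC_ATTRS.get(tag)
        values = dict(attrs)
        if attr and values.get(attr):
            self.refs.append((tag, values[attr]))
        if tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # HTMLParser hands <style> bodies to handle_data as one chunk.
        if self._in_style:
            for url in CSS_URL_RE.findall(data):
                self.refs.append(("style", url))


def third_party_subresources(html, page_url, allowed_hosts=()):
    """Return [(tag, absolute_url, host)] for resources fetched from other hosts.

    Relative and protocol-relative URLs are resolved against page_url. Hosts in
    allowed_hosts (e.g. a CDN domain you operate yourself) count as first-party.
    data:, blob: and javascript: URLs cause no request to anyone and are skipped.
    """
    allowed = {urlsplit(page_url).hostname.lower()} | {h.lower() for h in allowed_hosts}
    parser = SubresourceCollector()
    parser.feed(html)
    found = []
    for tag, raw in parser.refs:
        parts = urlsplit(urljoin(page_url, raw.strip()))
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue
        host = parts.hostname.lower()
        if host not in allowed:
            found.append((tag, parts.geturl(), host))
    return found


def format_report(found):
    """One line per third-party fetch: element, host, full URL."""
    return ["%-7s %-24s %s" % (tag, host, url) for tag, url, host in found]


if __name__ == "__main__":
    for line in format_report(third_party_subresources(SAMPLE_HTML, SAMPLE_PAGE_URL)):
        print(line)
```

Run against a theme's rendered pages, the report is the list of hosts a visitor's IP address will reach before they have clicked anything; passing your own CDN hostname in `allowed_hosts` keeps the first-party CDN case discussed earlier in the thread out of the list.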


> Links to other websites aren't the problem.

Just wait until they find out about link prefetching.


> You can't embed material (images, scripts, fonts, video, etc) from any external site at all

Of course you can, as long as that other site is in EU or 14 other countries and obeys the GDPR as well.


How do I know, and keep track of over time, whether a server/company is in the EU or not?


That’s what you usually have a contract for. Just like you’ve got one with your hosting company, your CDN, etc.


Yep, exactly. This is actually silly. We should detect EU visitors and serve all sites in font-family: Comic Sans, Times New Roman.

EDIT: Oh the burning rage from HN for this one, sheesh


If you follow this line of thought, you can e.g. run your services for, say, a learning platform yourself rather than using SaaS like Thinkific. Or self-host WordPress instead of using WordPress.com. This is a huge disadvantage for businesses based in Europe, especially small ones. On paper any business with users in Europe should follow this, but in practice nobody is bothered except domestic businesses.


argh, this isn't some new info, this story is from the same time as the rest of them at the end of January. Didn't we talk about this somewhere already?

https://news.ycombinator.com/item?id=30135264


Already discussed a month ago: https://news.ycombinator.com/item?id=30135264


Remember how when GDPR was first introduced, how everyone claimed that all this talk about how it would radically change how websites are hosted is FUD?

Well it looks like GDPR has banned CDNs.

Have fun paying more for bandwidth or hosting with European companies that now have less competition and can charge you more.


> Well it looks like GDPR has banned CDNs.

No, the GDPR has banned third-party CDNs subject to US jurisdiction.


Be right back, I'm going to sue every website and stop working


Exactly, just scrape every site to see who is using Google Fonts, visit it, log it, and send them a demand letter for $$$, cite this ruling.

Alternately, offer to fix the issue for $$$.


I wonder how the court views Apple's iCloud Relay. If every browser used such a feature (where your IP is essentially elided), then would that not solve such IP related GDPR issues? Of course Apple knows your IP address, but no third party does.


I don't see what difference Apple's pseudo-VPNs would make. I don't think it's worth the effort for websites to recognize Apple's IP addresses and to enable GDPR-violating resources by default. Apple wouldn't want that, end users wouldn't want that, and the engineers working on websites wouldn't want that. Apple might eventually sell some of their IP space and you can get hit with a lawsuit and a fine if someone reuses that IP address and your mechanism messes up.

It's easier to just comply with the GDPR and self-host your files, especially with something as simple as Google Fonts.


This is silly, next up CDNs violate GDPR.


That already happened. Cookiebot (Danish) was fined for using Akamai CDN.

Note that it's not all CDNs, fonts, etc. It's ones that are subject to the CLOUD Act in the United States. Non-American companies, or even US companies which are not subject to the CLOUD Act, might be OK.


It's not just American companies, though; African, Australian, Canadian, Mexican and Russian companies have the exact same restrictions. The general rule is "privacy enforcement and protections must be as good or better than the EU's".

It's possible for a country to get certification from the EU that the privacy protections of said country are strong enough. When that happens (see the failed Privacy Shield and friends for an example), you can let companies from those countries process PII if there are significant protections built into the contract (say, a huge fine to you if they mess up and leak the data of your customers, as the EU cannot impose their own fines as easily).

From what I can tell, the contracts and DPAs most American cloud providers eagerly send you are good enough to satisfy this constraint if the companies weren't subject to American law.


I see where you're coming from, but that's not quite true.

GDPR basically puts international transfers into two buckets: Adequacy Decision, and Other. Adequacy decision means the other country's laws are "good enough," and your obligations are literally just to put the words "Adequacy Decision" in your privacy policy somewhere.

Other means you need to take "additional safeguards" to ensure data privacy is protected. This is a bit of a bother, but eminently feasible. The "standard" way to do this is put additional terms in the contracts you sign with third parties (and only use third parties where you have signed contracts).

The situation with the United States is unique: the EU have ruled that no possible safeguards are good enough. US law enforcement's needs override any contract you can sign, so it is legally literally not possible for an American company to safeguard data. This makes data transfers to the US substantially more restricted than data transfers to any other third-party country.


I'm not aware of any other country outside of Europe that competes in the tech space and doesn't have laws similar to the CLOUD act. There's been a ruling on the conflict with American law, yes, but I doubt most other jurisdictions would pass the requirements.

Everybody wants full control over the data stored in their jurisdiction but nobody wants their citizens' data to leak to other governments.


"Via warrant or subpoena" You want American companies to ignore court orders. This isn't about privacy protections. You want EU data to be immune from court orders.


What the EU wants is to permit for adequate privacy regulations so that American businesses can operate with the necessary privacy guarantees without breaking the law.

The USA would not accept their American companies to become subject to European subpoenas and courts, but does enforce these requirements when the situation is reversed. Obviously the EU doesn't like that.

Nobody wants American companies to break the law, the EU just wants American law to be better. America disagrees, and there's nothing wrong with that, but that obviously has an impact on the economic viability of the European market for American companies.


court orders the targeted persons have no legal recourse against. That's one of the key points that killed the recognition of US law as adequate: That you can be targeted by surveillance that has no effective legal oversight into if you are a valid target, and you have no legal recourse against this.


You're asking for legal protection that you don't force onto your own court system. Does your court system inform criminals they are being wiretapped during an active investigation?


That's not demanded of the US either.


It is not silly to protect the personal information of citizens. What's silly is how the web is entangled with violating privacy and ownership of data, and it is considered as the just and normal thing to do.


This ruling basically does say that embedding any third-party resources in your page is a GDPR violation. It is silly, and I'm not sure why you're getting downvoted. This ruling can't be allowed to stand.


>This ruling can't be allowed to stand.

Sounds like a great ruling from a security and user perspective. Just changes a design paradigm. If it kills a business model that's based on intrusive user-tracking and the user being totally unable to know who has their data and who their computer should vs shouldn't be connecting to - great.

Trying to figure out from traffic analysis alone these days whether a website is malicious or not is an absolute nightmare as every single site pulls in 20 or 30 externally-hosted resources for totally impenetrable purposes.

Let's migrate to an easily understandable model where sites host 100% of their own resources. If that means the site engine has to run CI behind the scenes and pull in those resources, great, it centralises responsibility.


> If it kills a business model that's based on intrusive user-tracking and the user being totally unable to know who has their data and who their computer should vs shouldn't be connecting to - great.

What are you talking about? You can always block whatever you want, and we're not talking about "intrusive user-tracking" here but literally just an IP address. You can have the opinion that websites shouldn't use third-party resources, but legislating that requirement is beyond ridiculous.

There are countless good reasons for using third-party resources on websites, and disallowing it will absolutely make the web a worse place regardless of any "privacy" benefits it could have.


How about for video? This effectively kills the ability for a small website to pay for video hosting services from a well scaled video CDN. This effect can be generalized: At some point the only organizations with the resources to comply with the GDPR are in fact the big tech companies.


If those CDNs are hosted in countries complying with the GDPR, then they're not. If the CDNs don't, they are.


Sadly, no. Cookiebot was fined for using Akamai CDN, even though the court accepted the CDN servers were located in the EU and operated by Akamai's EU subsidiary. The EU court ruled that the American CLOUD Act still claims to have jurisdiction.


You're right, but that's because exchanging data with the EU subsidiary isn't accepted by the GDPR. Like I said, a GDPR-compliant CDN is permitted. The problem is that this precludes most, if not all, American CDNs.


But given that many governments now grant themselves similar legal powers to inspect data held by corporations under national security legislation, in some cases including data held abroad but by a corporation within their reach, that is roughly equivalent to saying that only CDNs operated entirely within the jurisdiction of EU member states are allowed (because the GDPR conveniently allows similar intrusive behaviour if it's an EU member state that's doing it).


Only third party CDNs.


I wonder where the line is drawn? If you set up AWS CloudFront, does that count as third party? Or is this taking us back to colo / in-house data centers?


So far, the line that has been drawn by the courts is "is the IP address visible to a company subject to the CLOUD Act in the United States?" AWS CloudFront would meet that definition: Amazon is covered by the CLOUD Act, and the visitor's IP address is visible when using that service.


Thanks for the clarification. Seems crazy to me, but hopefully a compromise is worked out soon.


People wonder why sites just throw up their hands and block Europe instead of playing the EU’s game. Actions have consequences.


Sites are perfectly allowed to do just that... of course doing that they deprive themselves of an enormous, rich and growing market, a market that will surely be tackled by regional companies more respectful of their customers.


As a European, I hate this. It deprives me of choice in name of a privacy I don't care about. Google is welcome to track me.

The net effect is that half of the US newspapers I try to read don't allow me to even read the content.

I guess I need a VPN, Europe is slowly turning into China


This is amazing. It reads as if the EU is constructing PII as property. If so, what an interesting legal construction. Site operators would do well to avoid violating the NAP.


GDPR very explicitly does not treat personal data as property. That's generally a model being pushed by people trying to make it easier to sell personal data, not by the pro-privacy side.



