from the getting-fined-the-odd-way dept
The European Union’s data privacy law, the GDPR (General Data Protection Regulation), has caused all sorts of problems since its debut, which was itself a mess: a whole lot of websites immediately responded by simply refusing to let European users connect to them at all.
Since it was unclear how to avoid running afoul of the law, it was easier to avoid potential fines by cutting European users out of the equation entirely. Everyone else was greeted with a new cookie warning at nearly every website they visited: a small hassle, to be sure, but a hassle nonetheless.
Then there were the truly unexpected consequences of a law that imposed data-gathering and data-sharing restrictions on any business, whether internet-based or not. In some areas, GDPR was read as requiring retailers to notify the original purchaser when an item was returned, something that would make exchanging unwanted Christmas gifts extremely awkward.
In another weird case, post offices in Ireland removed the waste bins from their facilities because customers were throwing out unwanted mail and receipts, resulting in the offices’ unintentional collection of personal data. Once the bins were gone, customers resorted to dumping their trash on post office counters and floors, leaving it even less controlled than it had been when the bins were still in place.
Yet another side effect no one saw coming: the use of Google’s Font API was enough to get a website fined by a German court. (via Slashdot)
Earlier this month, a German court fined an unidentified website €100 ($110, £84) for violating EU privacy law by importing a Google-hosted web font.
The decision, by Landgericht München’s third civil chamber in Munich, found that the website, by including a Google-Fonts-hosted font on its pages, passed the unidentified plaintiff’s IP address to Google without authorization and without a legitimate reason for doing so. And that violates Europe’s General Data Protection Regulation (GDPR).
The court says whether or not Google did anything with the forwarded IP address is beside the point. The fact is the website engaged in the unauthorized transmission of this IP address to Google by using its font API to access a font to render the text on the site. The court’s decision points out this can be avoided by self-hosting the font and notes that the website operator has chosen to do this going forward. That being said, the court still feels a fine is the only way to ensure future compliance with GDPR.
Risk of repetition is to be affirmed. It is undisputed that the plaintiff’s IP address was forwarded to Google when the plaintiff visited the defendant’s website. Previous unlawful impairments justify an actual assumption of the risk of repetition, which was not refuted by the defendant. The risk of repetition is not eliminated by the fact that the defendant now uses Google Fonts in such a way that the IP address of the website visitor is no longer disclosed to Google. The risk of repetition can only be eliminated by a declaration of discontinuance with a penalty.
The fine here may have been minimal, but the court’s order threatens a penalty of up to €250,000 ($286,000) for each future violation, which the court warns is not only possible but probable if the problem doesn’t go away. There’s also the (very slim) chance that continued use of Google Fonts could result in prison time, since the order names imprisonment as the alternative penalty for breaching it.
While the solution here appears to be simple enough — self-host fonts — the reality of the situation is that this decision will lead to yet another pop-up asking for consent that will stand between site users and the content they’re trying to access, and that no one will read before clicking “accept.” It won’t make the web a better place and it won’t do much to limit the sharing of personal data with off-site entities. It will just make everything a little more annoying.
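For site operators who want to know whether they have the problem the court describes, here is a small static check, added to this piece as an example (it is not code from the court, The Register or the original article): it scans a page’s HTML and inline CSS and flags every `<link>`, `url()` or `@import` reference whose host is a Google Fonts host, while a self-hosted equivalent passes clean. The host list, the sample pages and the sample stylesheet are constructed for the example; an external stylesheet has to be fetched separately and handed to `third_party_css_refs`.

```python
"""Static check for third-party font loads (e.g. Google Fonts) in HTML/CSS.

Added example for this article, not code from the court, The Register or
Techdirt. Every flagged URL is one the visitor's browser will contact when the
page renders, which is what disclosed the visitor's IP address in this case.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts used by the Google Fonts API: the CSS endpoint and the font-file CDN.
# Assumed default list for this example; extend it for other font providers.
THIRD_PARTY_FONT_HOSTS = frozenset({"fonts.googleapis.com", "fonts.gstatic.com"})

# url(...) as used by @font-face src and @import url(...); quotes optional.
CSS_URL_RE = re.compile(r"""url\(\s*['"]?([^'")\s]+)['"]?\s*\)""")
# The quoted form of @import, e.g. @import "https://...";
CSS_IMPORT_RE = re.compile(r"""@import\s+['"]([^'"]+)['"]""")

# <link rel=...> values that make the browser open a connection at page load.
LINK_RELS = {"stylesheet", "preconnect", "dns-prefetch", "preload"}


def css_urls(css):
    """Return every URL referenced via url() or a quoted @import in a CSS string."""
    return CSS_URL_RE.findall(css) + CSS_IMPORT_RE.findall(css)


def _host(url):
    # Relative and same-origin URLs have no host and count as self-hosted.
    return (urlparse(url).hostname or "").lower()


class _FontRefCollector(HTMLParser):
    """Collect (kind, url) pairs from <link> tags and inline <style> blocks."""

    def __init__(self):
        super().__init__()
        self.refs = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link":
            rels = set((a.get("rel") or "").lower().split())
            href = a.get("href") or ""
            if href and rels & LINK_RELS:
                self.refs.append(("link[%s]" % " ".join(sorted(rels)), href))
        elif tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.refs.extend(("css", u) for u in css_urls(data))


def third_party_font_refs(html, hosts=THIRD_PARTY_FONT_HOSTS):
    """Return (kind, url) pairs in `html` that point at a third-party font host.

    The browser opens these connections as soon as the page loads, before any
    consent dialog can be acted on, so even a bare preconnect hint is flagged.
    """
    parser = _FontRefCollector()
    parser.feed(html)
    parser.close()
    return [(kind, url) for kind, url in parser.refs if _host(url) in hosts]


def third_party_css_refs(css, hosts=THIRD_PARTY_FONT_HOSTS):
    """Same check for the content of an external stylesheet (fetched separately)."""
    return [u for u in css_urls(css) if _host(u) in hosts]


# Constructed sample: the standard Google Fonts embed snippet.
LEAKING_HTML = """<!doctype html><html><head>
<link rel="preconnect" href="https://fonts.googleapis.com">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<style>@import url('https://fonts.googleapis.com/css?family=Lato');</style>
</head><body>Hello</body></html>"""

# Constructed sample: the same page after copying the font files onto the
# site's own origin, which is what the court noted the defendant had done.
SELF_HOSTED_HTML = """<!doctype html><html><head>
<link rel="stylesheet" href="/static/fonts.css">
<style>
@font-face { font-family: "Roboto";
  src: url("/static/fonts/roboto-regular.woff2") format("woff2"); }
</style>
</head><body>Hello</body></html>"""

# Constructed sample of an external stylesheet that still imports from Google.
LEAKING_CSS = '@import "https://fonts.googleapis.com/css?family=Open+Sans";\nbody { font-family: "Open Sans"; }'

if __name__ == "__main__":
    for name, doc in (("leaking", LEAKING_HTML), ("self-hosted", SELF_HOSTED_HTML)):
        hits = third_party_font_refs(doc)
        print("%s: %d third-party font reference(s)" % (name, len(hits)))
        for kind, url in hits:
            print("  %-18s %s" % (kind, url))
    print("stylesheet:", third_party_css_refs(LEAKING_CSS))
```

Run it as a script and the leaking page reports four references (two preconnect hints, the stylesheet link and the inline @import) while the self-hosted page reports none. The preconnect hints are flagged deliberately: the court’s reasoning turns on the connection itself, not on what Google does with the data afterwards, and a preconnect sends the visitor’s IP address to the font host whether or not a font is ever downloaded.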