Okay, so: German court decided on Jan. 20th 2022 that sites will need to host Google fonts locally.

Visitors are otherwise entitled to receive 100€ in compensation for Google fonts transferring IP numbers to Google servers.
Google uses fonts to track users, especially if they are logged into only one other server, where stored personal data might identify them.

Court decision text in German (Landgericht München)


#google #tracking #fonts #liability #germany #funny


@xuv at last legislation reacts to centralisation under American law!

@frankiezafe What's the regulation about? You can't pull anything from a third party that you don't own anymore? The new rule is to host everything yourself?

@xuv no, you can use EU services with enough security/privacy procedures and consent from users, but you can't use American services that record your IP address without your consent, and also because they are subject to FISA law so are unable to protect EU citizen data by principle (Schrems I & II court decisions)
this is super broad and will probably only start to roll now in courts all over the EU ... (see noyb.eu )

@Olm_e @frankiezafe You can or you have to? And since when is an IP address personally identifiable information?

@xuv you can or you can selfhost ;)
IP addresses have long been part of personal data, like your street address etc ... (in the EU at least)

@xuv mmm... apparently first time from "Scarlet Extended v SABAM, November 24, 2011" decision where it is said that IP addresses are personal data ;) @frankiezafe

@Olm_e Ha. Nice example. You're siding with the copyright managers' vision of the web. @frankiezafe

@xuv uh ... ??? I'm not siding with anything at all ... ? 🤔 @frankiezafe

@xuv I really don't understand this reaction 🤔 ... especially since it was Scarlet that was defending itself against an injunction from SABAM, and this argument precisely counters the "rights managers'" vision of the web ... eur-lex.europa.eu/legal-conten

@Olm_e @frankiezafe My remark comes from the fact that the first to push the idea that an IP address makes it possible to identify a person were indeed the rights managers.

The EU says that an IP address is PII only in certain particular cases. And those particular cases are when the entity that collects the IP address also collects other data about the user (which is the case here for Scarlet).

So an IP address, in itself, is not PII. Neither in Europe nor in the US.

@xuv uh yes, well, that's the principle of an address: you can link a piece of data to a person, but not necessarily uniquely identify that person through that data ... so the IP address is part of personal data, but it should not make it possible to incriminate someone on that basis alone, for example (the adopi case); the "rights holders" would like it to.

so an IP address, which is never "in itself", is indeed personal data in Europe (there were other rulings after scarlet/sabam)

@xuv so yes, I do have the right to make a file with all the IP addresses in the world and nothing else, but as soon as it comes to logs, precautions are needed ... @frankiezafe

@xuv well then neither are your last name, first name, address etc. taken separately ;) @frankiezafe

This follows from GDPR Chapter 1: General provisions, Article 4: Definitions (emphasis mine):

For the purposes of this Regulation:

1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Suppose you reply to an email, thus establishing a link between your identity and your IP address. This allows anyone who collects IP addresses from your recent and/or future browsing to attribute even more data to you.

How many of your contacts use Gmail? 50%, 80%, or more? And how many sites rely on Google for maps, ads, analytics, APIs, fonts, or hosting? 80%, 90% or more?

This is just one example of how IP addresses fall into the identifiable category.

@xuv @Olm_e @frankiezafe

@xuv @frankiezafe To be more specific, the court ruling states that the use-case of font loading doesn't constitute a "legitimate interest" according to Article 6 lit. 1f GDPR, especially due to American laws like the CloudAct.

The website owner has to educate the user about the potential risk of such laws when their IP address is transferred to US companies. Given that it's possible to load the website without these fonts, the owner is supposed to request consent according to Article 6 lit 1a.

