Google Fonts, an IP address, and the GDPR: must I now self-host all my web page resources?

The Register, and probably other places, are reporting about a Munich court's decision that the use of Google Fonts, hosted on a server operated by Google, led to an infringement of German data protection law.

This is an interesting decision, although, personally, I am not going to read too much into it. This is because:

  • it is a decision of one junior court, in response to a small claim.
  • it does not look as if the respondent - a website operator - put forward much in the way of argument about the GDPR position, or counter arguments.
  • the decision is very short, and what is there is hard to follow (but this might be a translation issue). There is no detailed consideration of the implications of the decision. (I am not sure that, had the case appeared before the small claims track of the county court in England and Wales, it would have been any different - this is not a criticism of the court.)
  • there is, to my mind, a degree of confusion/conflation of the ePrivacy directive, and the GDPR. It seems to be a decision mainly under the GDPR, but it also references aspects of the ePrivacy framework.

The gist of the decision

I am working off a Google translation (irony, eh), because my German is passable but probably less accurate than a translation. There is a risk though that, where I have found things odd/unusual, it's down to the translation rather than the decision.

However, the gist of the decision as I understand it is:

1) A dynamic IP address is personal data.

This is not a controversial position, given the CJEU's decision in Breyer, although personally I am not 100% convinced the logic in Breyer stacks up.

2) The website "forwarded" that IP address to Google, when the claimant accessed the respondent's website.

Obviously, from a technical point of view, the website operator did not "forward" the IP address to Google.

The website operator included a URI of Google's font server in its page and, when the claimant downloaded the page, their browser automatically rendered it, including following links to third party hosted resources.

However, and it is quite a big "however", the idea that the website operator is responsible for this is not new. Way back in 2010 (now I just sound old...), the Article 29 Working Party opined, in its guidance on online advertising, that:

the user's browser will transmit his/her IP address to the ad network provider which will proceed to send the cookie and tailored advertising. In this scenario, it is important to note that publishers do not transfer the IP address of the visitor to the ad network provider. Instead, it is the visitor's browser that automatically transfers such information to the ad network provider. However, this only happens because the publisher has set up its web site in such a way that the visitor to its own web site is automatically re-directed to the ad network provider web site. In other words, the publisher triggers the transfer of the IP address, which is the first necessary step that will allow the subsequent processing, carried out by the ad network provider for the purposes of serving tailored advertising.

Thus, even if, technically the data transfer of the IP address is carried out by the browser of the individual who visits the publisher web site, it is not the individual who triggers the transfer. The individual only intended to visit the publisher's web site. He did not intend to visit the ad network provider's web site.

So, while the language used by the court appears to me to be a bit suspect, the notion that the website operator is responsible for the implications of including references to third party remote resources in their webpages is of no surprise.

3) The "automatic transmission of the IP address by the respondent to Google" infringed German law.

As above.

4) The defendant could not rely on legitimate interests:

because Google Fonts can also be used by the defendant without a connection to a Google Server is established and the IP address of the website user is transmitted to Google.

In other words, nothing to do with the fact that it is Google, or that the international transfer rules might be engaged. The mere fact that the font was hosted on the server of a third party, when it could have been hosted by the website operator, was sufficient to be a breach of German law.

There was no discussion of whether Google was a controller or a processor, and whether this might have made a difference.

Curiously, the discussion relating to legitimate interests references the GDPR, as a lawful basis of processing of personal data. But the decision also references the ePrivacy framework, where "legitimate interests" is not relevant. (See below for more on this.)

5) The court held that:

The plaintiff was also not obliged to encrypt his own IP address before accessing the defendant's website.

I have no idea what this means in the context of an HTTP request. One might encrypt the connection via TLS (and there is no information whether that happened or not), but encrypting an IP address makes no sense at all.

It is plausible that the judge had misunderstood the point about transfers, and worked on the basis that the site obtained the user's IP address and transferred it to Google, and so could have encrypted it before it transferred it.

However, the judgment refers to the ability of the claimant - the website visitor - to encrypt their IP address, so perhaps not.

Odd.

6) The fact that Google's server was in the USA did not help:

It must also be taken into account that the IP address was undisputedly transmitted to a Google server in the USA.

Implications

Right now, just one decision, of a relatively junior court, on the basis of a case where it is not clear what arguments were made and on what points, where there appears to be confusion of two separate legal regimes? I can't get too excited. (And I say this as someone with a strong preference for self-hosting stuff.)

If this principle is followed by other courts, the implications could be significant.

(Spurious) claims for compensation?

There is already a bandwagon of (IMHO, spurious) GDPR-related claims, with some people seeking considerable compensation for what appear to me to be trivial or technical breaches, where the claimant cannot demonstrate any form of harm or damage, material or otherwise.

I think it is plausible that controllers will imminently face an influx of hopeful claimants relying on this case (even though it was before a German court), threatening essentially a shake-down: pay me a little to go away, else I'll bring a claim and waste your time and money even if you win.

So while I do not want to overplay the significance of this particular decision, I can see it being cited by would-be claimants outside Germany.

It might be sensible to:

  • identify use of third party hosted resources
  • determine which are likely to be of the highest risk (e.g. servers in the USA)
  • consider legitimate interests assessments, and what arguments you might make
  • think about international transfer aspects, if relevant
  • consider the ePrivacy implications (below)

Website operators might also want to put obligations on their web developers to identify the use of third party hosted resources, or even to minimise their use.
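For the first step in the list above (identifying use of third party hosted resources), here is an added example, not part of the original post: a Python audit that parses a page's HTML and lists every host other than the page's own that a visitor's browser would contact automatically. The sample page and the hostnames www.example.org, cdn.example.net and other.example are constructed, and treating every host other than the page's own as "third party" is an assumption to adjust for your own subdomains.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> URL attribute a browser fetches unprompted; <link> only for these rel values.
AUTO_FETCH = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
FETCHING_RELS = {"stylesheet", "icon", "preload", "prefetch", "preconnect"}
# url(...) and @import "..." references inside CSS text.
CSS_REF = re.compile(r"""url\(\s*['"]?([^'")\s]+)|@import\s+['"]([^'"]+)""", re.I)
# Constructed sample page, assumed to be served from https://www.example.org/.
SAMPLE = """<link rel="canonical" href="https://other.example/page">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<style>@font-face{font-family:X;src:url(https://fonts.gstatic.com/s/x.woff2)}</style>
<script src="//cdn.example.net/lib.js"></script>
<img src="/img/logo.png"><a href="https://www.google.com/">search</a>"""

class ThirdPartyAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.own_host = page_url, urlsplit(page_url).hostname
        self.in_style, self.hosts = False, {}  # hosts: third-party host -> set of URLs

    def record(self, ref):
        parts = urlsplit(urljoin(self.page_url, ref.strip()))
        # Assumption: any host other than the page's own counts as third party.
        if parts.scheme in ("http", "https") and parts.hostname not in (None, self.own_host):
            self.hosts.setdefault(parts.hostname, set()).add(parts.geturl())

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self.in_style = tag == "style"
        rels = set((attrs.get("rel") or "").lower().split())
        ref = attrs.get(AUTO_FETCH.get(tag, ""))
        if ref and (tag != "link" or rels & FETCHING_RELS):
            self.record(ref)

    def handle_endtag(self, tag):
        self.in_style = False

    def handle_data(self, data):
        if self.in_style:  # CSS text inside <style>...</style>
            for bare, imported in CSS_REF.findall(data):
                self.record(bare or imported)

def audit(page_url, html):
    parser = ThirdPartyAudit(page_url)
    parser.feed(html)
    parser.close()
    return {host: sorted(urls) for host, urls in sorted(parser.hosts.items())}
```

Calling `audit("https://www.example.org/", SAMPLE)` reports the font stylesheet, the font file and the CDN script, but not the canonical link or the ordinary hyperlink, because the browser does not fetch those on page load. References inside externally loaded stylesheets and requests made by scripts at run time do not appear in the HTML, so a browser's network log remains the fuller check.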

People who've just downloaded a website engine / content management system, and grabbed/bought a theme? I suspect that more due diligence is needed, beyond the technical requirements of the system. But I also suspect that many people who have taken advantage of this kind of thing will be poorly placed to engage in the kind of legal analysis required, and possibly not even the technical analysis.

Implications for web developers?

Although this case was focussed on the website operator, I suspect many website operators rely on third parties to develop their website. They might not even know how their website operates, or the resources on which it relies.

While a website developer might not be within scope of a claim from a data subject directly, I wonder if decisions like this might lead to website development customers demanding more from their developers.

A warranty that the site complies with data protection and ePrivacy law (and, indeed, all applicable law)?

Specific information about third party hosted resources and international transfers, to enable the operator to make an informed decision?

Is there an opportunity for a "premium" all-locally-hosted offering? A need to disclaim liability for third party hosted resources, and the implications of them (i.e. an attempt to pass the buck back to the customer)?

Legitimate interests and third party remote resources

The court's decision on legitimate interests appears to indicate that, if a website operator can self-host something, they must do so.

Only if they cannot do it, could referencing a resource on a third party server be "necessary". (And even then, the website operator would need to be able to demonstrate it had met the other conditions for legitimate interests.)

I recognise that this principle is not consistent with the way much (but not all) web development / content distribution has worked for many years now.

I also recognise that this principle, if followed, could be a considerable pain for website operators. But does that mean that the law is out of step, or that it is the "wrong" decision? I am not convinced. There is a compelling argument that technology should be developed in line with the law, not that the law should be shaped around technology.

However, there is scope to argue about the availability of "legitimate interests" on the facts of any specific case.

One would need to:

  • identify each of the controller's interests (or someone else's - for example, arguments around environmental benefits or speed implications of use of CDNs (although one cannot consider the legitimate interests of the website user in question, oddly enough))
  • determine if those interests are "legitimate"
  • assess if the processing was necessary for each interest
  • carry out the balancing act

This is a fact-specific exercise. Perhaps, on the evidence before it, the court was justified in holding that, here, the test of "necessity" could not be met.

But this does not mean that, in all cases, a court would, or should, reach the same conclusion as the court here.

I also wonder whether there is scope for argument around the role of the third party. Would the court have reached the same decision if the third party was the website operator's processor?

The decision does not delve into this, and I can see scope for argument that, if the third party is a processor, and does not use information it receives for its own purposes (e.g. for profiling), that would affect the legitimate interests assessment.

If other courts adopted the same logic, and were ready to find that legitimate interests was not available? Well, that would get interesting.

A website operator might scrabble to find some other lawful basis. For example, an attempt to make use of remote third party resources part of the terms of use of the site, and so rely on necessity to perform a contract. It feels very much like a fudge, but that doesn't mean it is not arguable at the moment.

Could it lead to a push to self-hosting? Perhaps, but I suspect there is plenty of legal argument to be had first.

The international transfer aspect

It is unsurprising to me, following Schrems II, that courts in the EU are taking a dim view of the transfer of personal data to the USA, even if "just" an IP address and a request for a font.

I am a little more surprised that there was seemingly no consideration of whether the facts here established a "transfer" for Chapter V of the GDPR. But, again, perhaps that's due to the specific case, and its low value.

That said, I would not be surprised if the court would have held that there was a "transfer".

I am mindful of the EDPB's draft guidance, which says that the second of the three tests is whether:

[the exporter] discloses by transmission or otherwise makes personal data, subject to this processing, available to [the importer]

This suggests to me that a broad definition of "transfer" will be applied, and that is consistent with the general approach taken to the protection of fundamental rights.

I still have no idea what "encrypting an IP address" might mean, in the context of an HTTP GET request. However, on the basis that one requires both a lawful mechanism for an international transfer and appropriate safeguards if those are not inherent in the transfer mechanism itself, the fact that "the Internet does not work this way" is not the most persuasive legal argument.

But what about {CDNs, email, messaging friends in the USA}?

I am loath to jump to conclusions. Each situation requires its own analysis.

What about the ePrivacy directive?

The decision is a slightly curious one, in that it references both the data protection framework, and the ePrivacy framework.

These are complementary, but different.

The data protection framework deals with the protection of personal data. The issue of legitimate interests, and international transfers, and whether or not an IP address is personal data, relate to the data protection framework.

The ePrivacy framework covers a range of things, but the relevant bit here is the sanctity of a user's terminal equipment. The gist of that rule is that a website operator can only obtain information from a user's terminal equipment, or store information on it, if:

  • doing so is strictly necessary to provide the service; or
  • the user has given their consent.

The judgment in this case refers to the ePrivacy framework, but discussion about legitimate interests, and necessity, is limited to:

A legitimate interest of the defendant within the meaning of Art. 6 Para. 1 f) DS-GVO

which is a reference to data protection law.

If the claim had been under the ePrivacy framework, the claimant would have needed to show:

  • the website operator obtained information from the user's terminal equipment, or stored information on the user's terminal equipment
  • that this was not "strictly necessary" for providing the service
  • they had not consented to this obtaining/storing

The issues of whether the information was "personal data", whether the site operator has GDPR "legitimate interests", or whether there is an impermissible international transfer, do not arise.

There are some fun facets here, but probably ones for another post another day:

  • is a non-standard font ever "strictly necessary" to provide the service? That seems doubtful. The same might be said about CSS generally.
    • But no court to date has, as far as I know, got itself this involved in the minutiae of what a web page looks like, and to what extent design and layout is "strictly necessary". A judicial determination that a website must be plain HTML unless a visitor has consented would be difficult to reconcile with the purpose of this bit of the ePrivacy framework, in my view.
    • Here, the court has no issue with a self-hosted font, but rather the fact that it was hosted by a third party. Perhaps it was not asked to rule on this issue.
  • from an ePrivacy directive point of view, is the fact that the resource is hosted on a third party's server relevant legally? Does it matter whether it is self-hosted or not?
    • In the case of a storage-based claim, either the storage is necessary, or it is not. The question of where it is hosted does not obviously arise.
    • In the case of an obtaining-based claim, it might be more relevant.
      • This is because another party - here, Google - obtains the information, in addition to the website operator. That third party needs to satisfy the requirements of the ePrivacy directive in its own right. If it does not, it could face a claim.
      • A user might also have a claim against the website operator relating to the breach by the third party, because of the operator's relationship with the breaching third party. But this gets more complicated, and may bring in data protection law principles of joint controllership.