New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

GDPR compliance #1495

Closed
asadkn opened this Issue Mar 18, 2018 · 147 comments

Comments

Projects
None yet
@asadkn

asadkn commented Mar 18, 2018

Notice: Official Statement by Google Fonts made April 17, 2018

Google is working hard to prepare for the EU General Data Protection Regulation (GDPR), and is committed to helping our customers and partners succeed under the GDPR. Our existing Google Fonts FAQ provides information on how Google Fonts handles data about users.

Google Fonts acts as a "data controller" for any personal data that Google processes in connection with your use of Google Fonts web and Android APIs. For any personal data you process, we encourage you to familiarize yourself with the provisions of the GDPR, and check on your compliance plans.

Also, please note that Google LLC is certified under both the EU-U.S. and Swiss-U.S. Privacy Shield frameworks and our certifications can be viewed on the Privacy Shield list.

End Of Notice. Original question by @asadkn follows


There's a lot of misinformation being spread around the EU GDPR compliance when using Google Fonts. It would be great to start this discussions here to get an official response.

I looked around at https://privacy.google.com/businesses/compliance/ but I don't see a mention of google web fonts. There are a few concerns being cited by several users on the web: (NOTE: All of these are concerns and NOT substantiated facts.)

  • you may need to ask for a consent from a visitor if Google is logging personal data
  • you're sending personal data to the processor who's not in the EU
  • Google as a processor might be performing profiling

My knowledge of GDPR law is limited and I haven't personally evaluated the concerns thrown around. However, we definitely need to address it before the rumors get out of hand.

IMPORTANT Please refrain from adding opinions that may further add to the already spread misinformation. If you do, please mention they aren't facts. I started this topic mainly to get facts from people qualified with enough knowledge of GDPR law (preferably lawyers or in contact with lawyers). 👍are welcome.

@aristath

This comment has been minimized.

aristath commented Mar 19, 2018

This is also a huge concern for us... We'd definitely be interested to know how google-fonts is planning to comply.
What kind of data is currently collected & stored?
What are the plans to make the service GDPR-compliant?
Surely asking for user-consent before rendering the fonts is not a viable solution, nor is downloading the fonts locally to then embed on a site using other methods.

@maximus80

This comment has been minimized.

maximus80 commented Mar 19, 2018

The main issue seems to be, that a direct connection between a Google Inc. server and the client (browser of a website visitor) is established, which means the user's IP address is sent to Google. This obviously happens on page load, which means there is no time for the user to explicitly consent with it before the page loads.
Does this have to be considered a privacy issue with regards to the new GDPR?
If so, any integration of Google fonts directly via Google would render websites pretty hard to use and ugly on first load.
Any insight on this, is highly appreciated.

@davelab6

This comment has been minimized.

Member

davelab6 commented Mar 19, 2018

Please be reassured that the Google Fonts team is working on GDPR compliance.

I can also point out an older FAQ entry, https://developers.google.com/fonts/faq#what_does_using_the_google_fonts_api_mean_for_the_privacy_of_my_users

@maximus80

This comment has been minimized.

maximus80 commented Mar 20, 2018

Thanks for the reply @davelab6!
I've seen the FAQ entry, unfortunately it doesn't really provide a full answer to the main questions above.
From your reply I take that the team is still working on GDPR compliance, so that the details are not fully hashed out. Once they are, it would be awesome if you could let us know here, so that we can implement needed adjustments on our part.
Thanks!

@dontcallmemark

This comment has been minimized.

dontcallmemark commented Mar 21, 2018

I'm currently investigating this for our company. I've found this (the section on international data transfers near the bottom) which suggests full compliance to me. Is that not the case?

https://privacy.google.com/businesses/compliance/#?modal_active=none

@aristath

This comment has been minimized.

aristath commented Mar 21, 2018

@limegreenmatt all it says there is that data transfers are secure. However it still doesn't say what kind of data is collected... For example collecting and processing the user's IP without the user's consent is against the GDPR. If the user does not consent then it doesn't matter how the data is collected/processed/transferred, it's still against the law.
Plus, that page is for businesses so I'm not even sure it even applies to google-fonts. There's just not enough info anywhere about what happens.

@asadkn

This comment has been minimized.

asadkn commented Mar 21, 2018

Technically speaking, logging of IP address is allowed for lawful basis without consent (note consent is only one of the lawful basis). But this is best left to Google lawyers if there's a "lawful basis" on how they're processing this data but I am guessing it will be point f.

In Recital 49 for Article 6, Point [f]:

“The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, […] by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.”

This is what we need from Google. We need them to tell us they're using the data they log in a lawful basis - we need to know how they're using the data they log. Google's general privacy policy isn't enough in this case as it isn't specific to Google fonts.

@aristath

This comment has been minimized.

aristath commented Mar 21, 2018

@asadkn I agree 100% with that... though lawful basis in the context of that excerpt basically means things like logging the IP address in an access log for a limited period of time in order to prevent and diagnose attacks, or as part of an authorization to enter my account.
However in the context of google fonts, the accumulation of IPs which are then processed for statistical purposes can only be considered legal if the IPs are partially anonymized.
If the IPs are not anonymized (usually by replacing their last part with a 0 digit) then there is no legal basis for collecting them.

@dontcallmemark

This comment has been minimized.

dontcallmemark commented Mar 22, 2018

@davelab6 can you give us any kind of timeline as to when we can expect an update and/or resolution of this? As we provide our customers with access to Google Fonts as part of our WordPress themes, it's important for us to understand whether our customers are going to be impacted by this, and if we need to take any remedial action. Appreciate any insight you can give.

@david-uc

This comment has been minimized.

david-uc commented Mar 26, 2018

any updates yet?

@zartgesotten

This comment has been minimized.

zartgesotten commented Mar 27, 2018

Also waiting for info on this. I don't want to self-host fonts for about 70 sites I'm managing.... PLEASE, Google, help us poor Europeans!!!

@fritzmg

This comment has been minimized.

fritzmg commented Mar 30, 2018

@clickwork-git those FAQ do not mention the GDPR at all. It does mention something about tracking though:

Google Fonts logs records of the CSS and the font file requests, and access to this data is kept secure. Aggregate usage numbers track how popular font families are, and are published on our analytics page. We use data from Google’s web crawler to detect which websites use Google fonts. This data is published and accessible in the Google Fonts BigQuery database. To learn more about the information Google collects and how it is used and secured, see Google's Privacy Policy.

@aristath

This comment has been minimized.

aristath commented Mar 30, 2018

@clickwork-git according to numerous court decisions in the EU, an IP is considered identifiable user-data and should not be collected without the user's consent.
The only thing related to the GDPR on that page is this:

Google Fonts logs records of the CSS and the font file requests, and access to this data is kept secure.

No matter how secure the storage of such data is, the point of the law is that no data should be collected without the user's explicit consent. Data collecting is no longer opt-out, it's opt-in. So if the IPs collected by Google are not partially anonymized for example by replacing the last part of the IP with a 0, then we can't use Google fonts.
It's not panic, it's a legitimate request for information about what kind of Data Google collects from visitors to our own sites - or our client sites. Google's mantra may be "don't be evil", but at the same time it is a company that has based its whole business on data collecting.
We need to know what happens so that we know how to proceed. And we need to know now so that we can take the appropriate measures and implement whatever we need to implement. If a response comes from Google 2 days before the GDPR goes officially in effect, then we don't have time to do what needs to be done.
The alternative for us would of course be to start implementing everything: opt-in for fonts, automate locally downloading fonts on client sites to use them from there without pinging google's servers and so on. But that's just a huge waste of resources for hundreds of companies like ours, that can be avoided if we just have an answer of what happens now and what will happen after May.

@asadkn

This comment has been minimized.

asadkn commented Mar 30, 2018

the point of the law is that no data should be collected without the user's explicit consent

IMHO, we should refrain from issuing this statement - there's enough FUD over the internet already. This statement is only partially true as I referred earlier to the other lawful basis. It gives the impression to novices that there won't be any basis of compliance at all, creating further panic. And since none of us are lawyers here, it'd best to not discuss it anyways. All we know is we need is an official reply from Google.

I agree with the urgency here. There are only 2 months left before this goes into effect. The least we need is an assurance there will be GDPR compliance.

To re-iterate, Google hasn't specified their privacy policy for Google Fonts on how they're using the data they log or if there's a lawful basis for it. We need this moving forward. Frankly, it doesn't really matter to us what legal basis their lawyers come up with, as long as they confirm GDPR compliance.

@kevingrabher

This comment has been minimized.

kevingrabher commented Apr 3, 2018

The FAQs do state

"The Google Fonts API is designed to limit the collection, storage, and use of end-user data to what is needed to serve fonts efficiently."

While that does leave a lot of room for speculation it does suggest compliance since it states that no data is recorded that is not needed for delivering the font (and I wouldn't see a reason for the IP being recorded to deliver the font..)

@maximus80

This comment has been minimized.

maximus80 commented Apr 3, 2018

The problem is, you have to be very certain about this, so speculation or the assumption of something doesn't really help here. As the fines are high, and statements like "I assumed our customers have their privacy ensured" won't be a viable excuse. That is where I see the biggest problem. Explicit and dedicated information is needed here.

@githubhero

This comment has been minimized.

githubhero commented Apr 9, 2018

I have a basic Wordpress website where the font is loaded this way:

<link rel='stylesheet' id='options_typography_Abel-css' href='https://fonts.googleapis.com/css?family=Abel' type='text/css' media='all' />

By doing so, I'm communicating to Google the IP of the user.

What if I substitute this direct call with a call done using PHP+curl (or other APIs to get data from a server) from the website server? This way Google would only get the IP of my server, not the users'.

Something like this:

<link rel='stylesheet' id='options_typography_Abel-css' href='proxy.php' type='text/css' media='all' />

From proxy.php, I call Google server and I return the CSS to the client.

@psinger

This comment has been minimized.

psinger commented Apr 11, 2018

Host the fonts locally, and the problem is gone.

@aristath

This comment has been minimized.

aristath commented Apr 11, 2018

Host the fonts locally, and the problem is gone.

Not practical if what you're building is a WordPress theme for example - in which case users on their sites use whatever font they wish

@githubhero

This comment has been minimized.

githubhero commented Apr 11, 2018

@psinger You loose the benefits of the CDN (mainly performance), but of course another option is storing fonts locally (this is ok for the fonts, but non every single resource a website can link, anyway)

@psinger

This comment has been minimized.

psinger commented Apr 11, 2018

I agree, it's certainly not as convenient, but it is an option. If you develop a wordpress theme, just add an option to disable google fonts for the user of the theme. I am actually struggling currently with disabling google fonts in several wordpress themes / plugins, mostly it is not even possible.

@maximus80

This comment has been minimized.

maximus80 commented Apr 12, 2018

Well, the main purpose of Google fonts is, that they actually get used on websites. So, it is in the best interest of Google to do everything to make sure it will be possible in the future. Disabling them on a site or in a theme, or adding them locally, is only a work around, which might be ok for a single site, but not for WP themes with a larger user base. And it kinda also defeats the purpose of what Google offers.

@githubhero

This comment has been minimized.

githubhero commented Apr 12, 2018

Maybe we're going a little bit OT:

IMPORTANT Please refrain from adding opinions that may further add to the already spread misinformation. If you do, please mention they aren't facts. I started this topic mainly to get facts from people qualified with enough knowledge of GDPR law (preferably lawyers or in contact with lawyers). 👍are welcome.

@mikka23

This comment has been minimized.

mikka23 commented Apr 13, 2018

@clickwork-git what an insightful post, thank you for sharing. It is much appreciated.

@dontcallmemark

This comment has been minimized.

dontcallmemark commented Apr 17, 2018

@davelab6 @m4rc1e when are we going to get an official response on this?

@davelab6

This comment has been minimized.

Member

davelab6 commented Apr 17, 2018

Here's an official statement:

Google is working hard to prepare for the EU General Data Protection Regulation (GDPR), and is committed to helping our customers and partners succeed under the GDPR. Our existing Google Fonts FAQ provides information on how Google Fonts handles data about users.

@aristath

This comment has been minimized.

aristath commented Apr 17, 2018

@davelab6 we appreciate you taking the time to respond. However, please try to understand how this whole situation appears to everyone who doesn't work at Google, doesn't have any knowledge of how the company operates or what is going on behind a veil of complete silence.

Google is working hard to prepare for the EU General Data Protection Regulation (GDPR), and is committed to helping our customers and partners succeed under the GDPR

From our point of view it doesn't seem that Google is doing anything. There is no official announcement, no update, nothing. GDPR goes in effect in 37 days, which leaves 28 work days for all companies to implement whatever needs to be implemented.
Google-Fonts is an amazing service and none of us want to believe that something like not being 100% compliant with GDPR can even happen to it. But we can't be 100% certain, and without an official announcement from Google, we have been forced to start implementing all kinds of crazy stuff - just in case Google doesn't say anything before the deadline and we have to be covered.

Our existing Google Fonts FAQ provides information on how Google Fonts handles data about users.

The problem we have is that no, there is not enough info on the FAQ page. If there was enough info on that page nobody would be asking for more info.
Here's what that page is telling us:

  • Requests are cookie-less
  • Fonts get cached
  • Google Fonts logs records of the CSS and the font file requests.

What that page is not telling us and is of concern for GDPR is this:

  • What data is contained in the font-file requests that get logged?
  • For how long is that data kept?
  • For what purpose is that data collected?

Without specific information we can't know if we need to ask for user consent, download the fonts server-side and not use the Google CDN, or just ignore everything and assume it's going to be alright. Which of course can't happen... we can't just assume that Google will be compliant in time.

I am sorry if this whole discussion seems a bit like over-reacting... We all have better things to do than post in this repository asking for info and discussing. But we've all come to depend on Google Fonts one way or the other and we don't have a lot of time left to do what needs to be done.

@githubhero

This comment has been minimized.

githubhero commented Jun 5, 2018

@david-uc I haven't tried but, yes, there are multiple requests before getting the font (this doesn't mean you can't do what you suggest, of course) :-)

@lenusch

This comment has been minimized.

lenusch commented Jun 5, 2018

Problem is: Wether the Law should Change / Not forcing an opt in or Google would make something awesome as always.

Exemple: 1 Site with Shop and some other plugins (WP Site) and some g. Map....
You have Font anyways /// Map loads fonts// Plugins load fonts // Shop also loads some Font.
Imagine you use different fonts for your CI.
And now Imagine 100 Customers + with no clue. It would be so much work i wont go to sleep anymore.

And imagine 1-2 years later / law changes again......

Regarding GDPR doesent has the Company who offers Service to EU has to take care of GDPR / guruantee correct using of Service. ?

I cant believe that i Must work all Night to only get rid of some requests (Not Sure what they doing because of Not transparent...) ....

I am annoyed - Sorry.

@N8Solutions

This comment has been minimized.

N8Solutions commented Jun 23, 2018

I took some time to better understand under what circumstances an IP Address could be considered "Personal Data" and wanted to share it here with the idea in mind that it could help others with their decisions on how to handle things. The following is my personal opinion only and it is not legal advice.

It was pointed out to me that this started from a lawsuit in Germany where a German citizen brought charges against Federal German Institutions to prevent websites run by those institutions from registering and storing his IP Addresses. The lawsuit was referred to the Court of Justice of the European Union. The ruling of the CJEU about an IP Address being "Personal Data" was in reference to that particular case against "Federal German Institutions" and therefore does NOT mean that an IP Address will always be considered "Personal Data". I have come to this opinion based on the following information.
(emphasis throughout is added by me)

The decision of the CJEU states:

The dynamic internet protocol address of a visitor constitutes personal data, with respect to the operator of the website, IF that operator has the legal means allowing it to identify the visitor concerned with additional information about him which is held by the internet access provider.

At the very bottom it also states the following:

NOTE: A reference for a preliminary ruling allows the courts and tribunals of the Member States, in disputes which have been brought before them, to refer questions to the Court of Justice about the interpretation of European Union law or the validity of a European Union act. The Court of Justice does not decide the dispute itself. It is for the national court or tribunal to dispose of the case in accordance with the Court’s decision, which is similarly binding on other national courts or tribunals before which a similar issue is raised.

Which means it will be up to the National courts of the Member States to decide based on the CJEU's decision.

From this article on the twobirds website it states:

The court ruled that dynamic IP addresses MAY constitute ‘personal data’ even where only a third party (in this case an internet service provider) has the additional data necessary to identify the individual – but only under certain circumstances: The possibility to combine the data with this additional data must constitute a “means likely reasonably to be used to identify” the individual (the court assumed such means for Germany).

It's important to note the following, the court assumed such means for Germany, because the case was against Federal German Institutions and those institutions would have at their disposal the legal means to obtain the information from the Internet Service Provider necessary to identify the individual to whom the IP Address was assigned.

In this article by the law firm of Havel & Partners they came to the following conclusion:

what the court unfortunately did not, and indeed could not, specify more precisely, are the legal remedies on the basis of which it is possible to identify a particular person – these legal remedies may differ from one state to another and, therefore, to a large extent they will very much depend on the legislation and interpretation of national supervisory authorities and courts.

So they are saying it is up to the Member States to decide how they want to interpret the decision in relation to what "legal remedies" means.

Even the definition of "personal data" in Article 4(1) of the General Data Protection Regulation ("GDPR") does NOT clearly specify that an IP Address, whether Static or Dynamic, constitutes "Personal Data".

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Based on everything I have found, read, and understood, to me, and once more, this is NOT legal advice, it means that when a company, business, or a website operator ONLY collects an IP Address, whether Static or Dynamic, it is considered to be "Personal Data" but ONLY under certain circumstances where the company, business, or website operator has the legal means to obtain the additional data necessary to identify the individual.

Therefore, in my opinion, which again is NOT legal advice, while Google is a large company with deep pockets, it does not have any legal means, i.e. legal grounds, to obtain the necessary information from an Internet Service Provider in order to identify an individual from their IP Address when it comes to Google Fonts so an IP Address in this situation can NOT be considered "Personal Data". I have come to this conclusion because I can not think of a situation where a court would grant Google the additional data necessary to identify the individual owner of the IP Address when that IP Address is simply passed to them from a website operator.

I also believe the same holds true for other website operators where the only possible piece of identifiable information they have is an IP Address and no legal means exist "to obtain the necessary information from an Internet Service Provider in order to identify an individual from their IP Address."

This also doesn't mean the information, i.e. potential "personal data", in this case, an IP Address, should be stored longer than necessary.

My interpretation of things could be partially or completely inaccurate. If you feel they are, please take the time to comment with facts and links to back up your position so as to help myself and others understand your interpretation.

@plasmate

This comment has been minimized.

plasmate commented Jun 23, 2018

Therefore, in my opinion, which again is NOT legal advice, while Google is a large company with deep pockets, it does not have any legal means, i.e. legal grounds, to obtain the necessary information from an Internet Service Provider in order to identify an individual from their IP Address when it comes to Google Fonts so an IP Address in this situation can NOT be considered "Personal Data".

@N8Solutions what about when you are logged in any of the Google services as Gmail and every time that you have a new IP Google knows it and then can track you wherever you are on internet?

@N8Solutions

This comment has been minimized.

N8Solutions commented Jun 23, 2018

@mr-uli Please take notice that in the paragraph you quoted I said "when it comes to Google Fonts".
This thread is about the legality of using Google Fonts on your website because Google Fonts collects IP Addresses of visitors of sites that use Google Fonts. All other Google services, for the purpose of this discussion, are irrelevant.

@ocdtrekkie

This comment has been minimized.

ocdtrekkie commented Jun 23, 2018

@N8Solutions The issue is that, due to the existence of Google services as a whole, which you can't, meaningfully, just ignore: Google has the necessary additional information to identify people based on IP address, and has a strong interest in doing so. The "legal means" they have is that they literally already have the necessary information.

@N8Solutions

This comment has been minimized.

N8Solutions commented Jun 23, 2018

@ocdtrekkie I understand, but if you are using Google Services and are signed in and using a Google Service then you are subject to the Terms of Service of the Google service that you are using.

If you see what I wrote above I alluded to this when I said:

when a company, business, or a website operator ONLY collects an IP Address, whether Static or Dynamic, it is considered to be "Personal Data" but ONLY under certain circumstances where the company, business, or website operator has the legal means to obtain the additional data necessary to identify the individual.

Regarding Google Fonts, From the Google Fonts FAQ:

What does using the Google Fonts API mean for the privacy of my users?

The Google Fonts API is designed to limit the collection, storage, and use of end-user data to what is needed to serve fonts efficiently.

The following is from Google's Privacy Policy:
In the Privacy Policy is this section.

Information we collect as you use our services

The information we collect includes unique identifiers, browser type and settings, device type and settings, operating system, mobile network information including carrier name and phone number, and application version number. We also collect information about the interaction of your apps, browsers, and devices with our services, including IP address, crash reports, system activity, and the date, time, and referrer URL of your request.

This link goes to the section in the Privacy Policy that discusses the information that Google collects which discusses the information collected when you are signed in to a Google service and when you are not signed in to a Google service. It says:

We want you to understand the types of information we collect as you use our services

The information Google collects, and how that information is used, depends on how you use our services and how you manage your privacy controls.

When you’re not signed in to a Google Account, we store the information we collect with unique identifiers tied to the browser, application, or device you’re using. This helps us do things like maintain your language preferences across browsing sessions.

When you’re signed in, we also collect information that we store with your Google Account, which we treat as personal information.

If you use a Google Service and want to see what information Google has collected you can view that information and delete it if you want to as described in the Privacy Policy here.

You can export a copy of your information or delete it from your Google Account at any time

If someone is using a Google service and they are logged in to that service then their activity is tracked by Google but by using the Google service they have already agreed to the Terms of Service of the particular Google service and Google treats the information collected as "Personal Information".

So for the purpose of this question in regards to using Google Fonts on a website there are 2 scenarios.

  1. If an individual is using a Google Service and they visit a website that uses Google Fonts their IP Address will be logged as part of their Personal Information that Google collects.

  2. If an individual is not logged in to any Google services then we refer back to the information collection section I referenced above that says:

When you’re not signed in to a Google Account, we store the information we collect with unique identifiers tied to the browser, application, or device you’re using. This helps us do things like maintain your language preferences across browsing sessions.

So in scenario 2 the information collected will include the IP Address and it goes back to my original opinion that when it comes to Google Fonts, an IP Address can NOT be considered "personal data" because the individual is not logged in to a Google service which is what I alluded to in my original post by saying:

when a company, business, or a website operator ONLY collects an IP Address

So, as mentioned above, if they are using a Google service they have agreed to the Terms of Service for the Google Service and their IP Address is tracked and added to their "Personal Information" which Google allows you to view and delete if you want. If you are not logged in to a Google service then they:

store the information we collect with unique identifiers tied to the browser, application, or device you’re using. This helps us do things like maintain your language preferences across browsing sessions.

I stand by my original opinion, which as I stated earlier, is not legal advice, that an IP Address collected by Google, in regards to Google Fonts is not considered to be "Personal Data". I'll specify further, so that it's clear, by adding, "When NOT logged in to a Google service" and if you are logged in to a Google service then it is a moot point as any personally identifiable information collected is governed by the Privacy Policy and Terms of Service for that specific Google service.

One final thing I'd like to add is that if Google were to query the data obtained via Google Fonts with the data obtained from the users of Google services then the personal information obtained, in this case the IP Address, would be considered "Personal Data" and linked to the users profile and would be classified as "Personal Data" and would then also be subject to Google's Privacy Policy and Terms of Service. On this matter it would be my opinion that by simply having an account with Google and using their services you have agreed to their Privacy Policy and Terms of Service so even if a user is not logged in to a Google service the Privacy Policy and Terms of Service would still apply in regards to any information obtained by Google through legal means available to them.

@davelab6 would you be so kind as to comment and provide your "personal" opinion on my comments to see if I missed the mark on something I've written here?

@horninc

This comment has been minimized.

horninc commented Jun 25, 2018

@N8Solutions First of all a really good comment incl. link to the case law.

It is true, that circumstances exist, and often exist, whereas IP address cannot be considered Personal Data. However, when you become a client of Google, in any of their services, including Google Fonts, you agree to the Terms and Conditions of Google.

That is a contract, and under EU law contract is a valid legal means. Your analysis, therefore, is not correct in its conclusion. This is further demonstrated and codified by art. 6 (1) (b) GDPR.

@N8Solutions

This comment has been minimized.

N8Solutions commented Jun 25, 2018

So others don't have to look it up, here is the link to art. 6 (1) (b) GDPR.
It states the following:

(b) processing is necessary for the performance of a contract to which the data subject is party OR in order to take steps at the request of the data subject prior to entering into a contract;

@horninc Thank you for the compliment. You have brought up a valid point as well however I think you may misunderstand Art. 6 (1) (b) of the GDPR. First, you wrote the following:

when you become a client of Google, in any of their services, including Google Fonts, you agree to the Terms and Conditions of Google.

That is a contract, and under EU law contract is a valid legal means.

The key words from what you wrote are "when you become a client" which means you need to have an account for a Google service which also means you agreed to their Terms of Service and Privacy Policy. So unless you are a client you are not in a contract with Google.

Art. 6 (1) (b) of the GDPR
Part 1 says:

processing is necessary for the performance of a contract to which the data subject is party

For the purpose of our discussion here this would be the Terms of Service & Privacy Policy that an individual would have agreed to if they are a Google client.

Part 2 says:

OR in order to take steps at the request of the data subject prior to entering into a contract

If the individual is already a client of a Google service then they are already in a "contract" with Google so the 2nd part does not apply and therefore the collection of their data is subjected to the Terms of Service and Privacy Policy for the Google service that they have already agreed to.
If they are not a client of a Google service then there is no contract therefore we should refer back to the privacy policy which states

When you’re not signed in to a Google Account, we store the information we collect with unique identifiers tied to the browser, application, or device you’re using.
This tells us how Google handles information collected concerning those individuals who are non-Google clients. If they are not a Google client then no legal means exist for Google to be able to identify them which means the IP Address can not be considered personal data.

Back to Art. 6 of the GDPR, section (1) (a) says:

the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

Again, for the purpose of our discussion here, if you are a Google client, then yes you are in a contract with Google, however, as a Google client you have already agreed to the Terms of Service and Privacy Policy which coincides to Art. 6 (1) (b).

This is why in my last reply I said the following:

One final thing I'd like to add is that if Google were to query the data obtained via Google Fonts with the data obtained from the users of Google services then the personal information obtained, in this case the IP Address, would be considered "Personal Data" and linked to the users profile and would be classified as "Personal Data" and would then also be subject to Google's Privacy Policy and Terms of Service. On this matter it would be my opinion that by simply having an account with Google and using their services you have agreed to their Privacy Policy and Terms of Service so even if a user is not logged in to a Google service the Privacy Policy and Terms of Service would still apply in regards to any information obtained by Google through legal means available to them.

I'm no lawyer but it would seem to me that by agreeing to Google's Terms of Service and Privacy Policy that any individual who is a client of Google services would be bound by them since they have already agreed to them thus making it a moot point for anyone who is a client of Google.

If that is the case, then the question here concerning Google Fonts, is more about individuals who are not clients of Google services that visit websites that utilize Google Fonts. In which case, if they are not a Google client, then Google does not have the legal means to identify the individuals from their IP Address alone.

Is there something somewhere that says that it is illegal for Google to query their databases so as to aggregate their data with the intention of identifying clients using their services when the clients are not logged in to the Google service?
If you have information pertaining to this I would appreciate you, or anyone else for that matter, providing a link to the information as I'm just as eager as the rest of you to get some concrete answers and better understand all of this.

I still feel confident in my opinion. To be specific that is:

  • If the IP Address collected by Google Fonts is that of a non-Google client then it does not constitute personal data.
  • If the IP Address collected by Google Fonts is that of an individual who is a Google client and the client is logged in to a Google service it is added to the clients personal information that Google has on the client and therefore constitutes personal data and is governed by the Terms of Service and Privacy Policy of the Google service that the client agreed to which is compliant with GDPR.
  • If the IP Address collected by Google Fonts is that of an individual who is a Google client and the client is not logged in to a Google service at the time the IP Address is collected it is not added to the clients personal information that Google maintains on the client. However, because the individual is a Google client, the legal means exist for Google to identify the individual and therefore may be considered personal data. However, because the individual is a Google client, they have agreed to the Terms of Service and Privacy Policy of the Google service they use, therefore, if Google was to aggregate their data from Google Fonts with other Google services in such a manner that it allowed them to identify the individual by their IP Address, according to Google's Terms of Service and Privacy Policy, it should be added to the personal information that Google maintains on the client in which case it is still governed by the Terms of Service and Privacy Policy of the Google service that the client agreed to which is compliant with GDPR.
@horninc

This comment has been minimized.

horninc commented Jun 27, 2018

@N8Solutions Yes, but assuming you are correct the legal analysis does not end there. From art 6. you also need to test for alignment with principles from art. 5 and the one that is stressed most in this thread since the beginning is transparency and purpose limitation.

@aristath

This comment has been minimized.

aristath commented Jun 27, 2018

That German court decision is not the only one... Here's a more recent one, this time from a French court: https://www.courdecassation.fr/jurisprudence_2/premiere_chambre_civile_568/1184_3_35424.html

This might be easier to read/translate: https://www.nextinpact.com/news/102009-pour-cour-cassation-l-adresse-ip-est-bien-donnee-personnelle.htm

@clickwork-git

This comment has been minimized.

clickwork-git commented Jun 27, 2018

Interesting... I didn't know the French court decision. But it does not really help.

[...] les adresses IP, qui permettent d’identifier indirectement une personne physique, sont des données à caractère personnel [...]

This can be translated either with "IP adresses, that always allow" or "IP addresses, in the case they allow".

Also the German court decision is open for some interpretation:

Der EuGH habe bestätigt, dass die Speicherung nur europarechtskonform sei, wenn sie erfolgt, "um die generelle Funktionsfähigkeit der Dienste zu gewährleisten" – also beispielsweise, um Angriffe effektiv abzuwehren. Dabei bedürfe es allerdings "einer Abwägung mit dem Interesse und den Grundrechten und -freiheiten der Nutzer".

https://www.heise.de/newsticker/meldung/BGH-bestaetigt-Dynamische-IP-Adressen-sind-personenbezogene-Daten-3714967.html

@horninc

This comment has been minimized.

horninc commented Jun 27, 2018

This is analyzed in Borgesius F, 'The Breyer Case of the Court of Justice of the European Union: IP Addresses and the Personal Data Definition.' (2017) 3(1) Eur Data Prot L Rev 130.

I would like to note that both opinions expressed here regarding the Breyer case and also Cassation decision (ECLI:FR:CCASS:2016:C101184) are pre-GDPR, and the decision is made on the basis of Directive 95/46/EC and is no longer authoritative post 25th of May.

I am at work today so I do not have time right now to look more into detail, but I think its not reasonable at this stage to claim that IP address is not personal data irrespective of data subject either being Googles "client" or simply a "visitor".

@N8Solutions

This comment has been minimized.

N8Solutions commented Jun 27, 2018

Great discussion everyone! Now we're getting somewhere!

@horninc beat me to it. I was just about to post this with references.

I have noticed that some of these articles are referencing
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data but it is No longer in force, Date of end of validity: 24/05/2018; Repealed by 32016R0679 (GDPR)

I wouldn't be so quick to say that judgements decided off of Directive 95/46/EC are now invalid. I would think that the cases would stand until new judgements have happened.

@clickwork-git

This comment has been minimized.

clickwork-git commented Jun 27, 2018

Now we're getting somewhere!

Without a court decision regarding the Google Webfonts API the discussion will go on and on... And there will be no decision in the next three or four years.

The Beyer case gives no technical details. This means every case is a new case. And personally I think the EU is not really interested in an ultimate decision. The understanding of the GDPR in Germany is not the same as for example in Latvia.

@N8Solutions

This comment has been minimized.

N8Solutions commented Jun 27, 2018

@clickwork-git I agree with you. I believe it would be highly unlikely that any court would rule directly on an issue so specific as the Google Webfonts API. Instead, if any complaint were to be made, that the ruling would be something similar like that of the Breyer case where it was left open to implementation by the member states.

In the Breyer decision, the ECJ said:

The Court of Justice does not decide the dispute itself. It is for the national court or tribunal to dispose of the case in accordance with the Court’s decision, which is similarly binding on other national courts or tribunals before which a similar issue is raised.

So they have left it open to the Member States to decide how to implement their decision.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment