Google Fonts the GDPR and a Lawyer

This Blog Post was originally published on adagia.org.

It has been a while since the EU issued the GDPR (General Dara Protection Regulation). Since then, it has gotten way more complicated for web devs to work on websites because there are so many things you have to think about.

Since it is an EU-only regulation, a special agreement was filled with non-EU countries to continue their services called Privacy Shield. But that shield was broken a while back, and many websites were forced to discontinue using USA (or other counties) third-party SaaS.

For example, it isn't allowed to use Google Analytics anymore because that is processed by Alphabet and could "leak" out of the EU. Starting a few weeks back, a Lawyer from Lower Austria sent out warning notices with a fee of 190€ to businesses integrating Google Fonts. If you think about the web dev space, integrating Fonts (and Frameworks) via CDNs was typical work.

Well, in Munich, a court decided that using Google Fonts (via CDN) isn't in line with the GDPR, and IP addresses are transmitted to Google (without the users' consent). Somehow they also ruled that the IP Address is part of a person's "private" data. This, in my opinion, is complete bullshit as only companies get fixed IP addresses and an individual person probably gets a new one every day.

Of course, some of my freelance customers had Google Fonts integrated and got a letter (luckily, only two so far). I spent yesterday evening checking on my customers and seeing which ones used them.

But now comes the interesting part, it seems like the lawyer used an automated way to check if a website used Google Fonts and sent the warning notice to thousands of companies and even "normal" people only owning a simple website on wix.com or a personal blog. The GDPR demands that harm needs to have happened to allow a lawsuit. Well, who was harmed if a lawyer actively searches for "malicious" pages?

As it is with the internet, people started organizing themselves, and http://abmahnung.wtf/ happened. Now the "classic" media got a hold on the topic, and suddenly also, political figures (Austrian Federal Economic Chamber) checked if there was damage done to companies in Austria because of that mass sending.

Today I read that the Lawyer won't send out any new notices, but the old ones are still "valid". I wonder if that "hole" he found in the GDPR (as there is no supreme court judgement in Austria yet) will backfire on him.

Sure, the GDPR was an essential step in privacy in Europe, but sometimes such action made me question my career decisions. At least, I will mostly do backend work at my new employer, which means such issues probably won't touch me. Still, it ruined my evening yesterday.