The Austrian Data Protection Authority (DSB) recently made a significant decision that could have far-reaching implications for how companies handle data processing via Google Fonts.
On October 19, 2023, the DSB found Google LLC in violation of the General Data Protection Regulation (GDPR) due to a lack of transparency in its data processing practices related to Google Fonts.
The DSB’s investigation was prompted by inquiries it received concerning warning letters sent to numerous companies. These letters, sent by a lawyer, raised concerns about the integration of Google Fonts on company websites and sought recognition of a claim for damages. Many companies were asked to submit cease and desist declarations.
To get to the bottom of these issues, the DSB initiated an investigation into Google LLC’s data processing methods when it comes to Google Fonts.
The DSB’s investigation into Google Fonts and its data processing practices revealed important findings:
When Google Fonts are (re)loaded through a Google server, data is transmitted to either Google LLC or Google Ireland Limited. However, if the fonts are locally integrated on a server, data is not transferred in this way.
Google did not fully meet its information obligation under Articles 12(1) and 13 of the GDPR. This is because IP addresses can, depending on the individual case, be considered personal data.
Based on these findings, the DSB concluded that these observations apply specifically to the Google Fonts product of Google LLC. Any changes to Google Fonts’ data processing practices following the completion of the investigation could potentially alter these conclusions.
This decision by the Austrian DSB serves as a reminder of the importance of transparency and compliance with the GDPR in the digital age. It also highlights the need for companies to review their data processing practices, especially when integrating third-party services like Google Fonts, to ensure they comply with data protection laws. Failure to do so can result in legal consequences, as demonstrated by this case. Companies must stay vigilant and up to date with data protection regulations to protect both their users’ privacy and their own legal standing.