Google Fonts Data Breach: What to do? All information at a glance

A veritable wave of GDPR warnings is currently rolling over Austria regarding Google Fonts. Numerous website operators are currently receiving letters and e-mails with a warning from a data protection lawyer. What is it?

The General Data Protection Regulation came into force on May 25, 2018. Since then, companies, firms or associations have repeatedly been warned because of data protection violations. In most cases, out of reasonable suspicion. Things seem different in the current case of datenschutzanwalt.eu, Mr. Mag. Marcus Hohenecker. Thousands of website operators have been notified of a data breach with demands for a "settlement". Numerous readers and those affected have contacted us.

Disclaimer: The following article is not legal advice. The exact procedure in this case should always be clarified individually with a lawyer. Here we only give tips for further, technical procedures and share our research results.

Updates

Update on August 23, 16:15 p.m.: One day after the publication of this article, we would like to thank you for all the input and discussions under this article. We never thought that our article would be shared and discussed so much. The huge extent of this warning wave was completely unclear to us. We will continue to research and update the article with more information. For this we still need yours Support – let's get more details in the form of a comments below this article Or by e-mail [email protected] Zuko financing.

Update on August 24, 13:05 p.m.: We have added more information to our article:

• Strange screenshots
• Strange domain names
• Where do Google Fonts come from?
• Ways to check for Google Fonts
• Recommended WordPress plugin to remove Google Fonts
• opinions
  • Mr. Attorney Mag. Fraiß
  • WKO
  • Bar Association of Lower Austria

Update on August 26, 14:15 p.m.: We have added a detailed statement from a law firm "Zauner Schachermayr Koller & Partner", RA Mag. Schopper, which specializes in data protection, among other things. Scroll directly to the statement

Update on August 28, 18:30 p.m.: Added the Strange Crawlers section

What is it about?

In the letter, the lawyer refers to an IP address of a client named Eva Z., who is said to have accessed the website in question at an unknown time. A screenshot of the affected website can also be found. So far so good. Specifically, the client is concerned with built-in “Google Fonts”, a CDN service from the American company that provides fonts for websites. The website operator is said to have "forwarded the client to a company of the US Alphabet Inc." group ("Google") without the consent of the client," according to the letter.

An affected website operator has provided us with further information and the letter. We have redacted the names, IP addresses, domain name and contents of the screenshot.

Picture: TechnikNews/Screenshot

With the attached screenshot he wants to prove access to the website and a screenshot of the source code is supposed to prove the use of Google Fonts.

Picture: TechnikNews/Screenshot

Affected in the five-digit range?

It is unclear how many people and website operators are actually affected. However, we can make an approximate assumption based on the number of hits on our article.

Information from August 22, 18:00 p.m.: Our article has been extremely popular, exceeding the 1.000-click mark just hours after publication. We estimate that the number of people affected is in the four-digit range. However, it appears that only Austrians are affected. We will continue to investigate this matter. For further information, please email our editorial team at [email protected] send.

Update on August 23, 13:20 p.m.: Due to the continued extremely high response and number of clicks on our article, we are increasing our estimate of those affected to a five-digit 10.000 range.

Is the embedding of Google Fonts allowed?

According to the lawyer, no. He relies on one Decision of the Regional Court of Munich, which upheld a lawsuit in the “Google Fonts” case. This case is "similar to the subject matter of the complaint," the lawyer said in the letter to those affected.

The status quo is different in Austria - where most website operators are based in this case - there has not yet been any judgment or case law from the data protection authority as to whether use is permitted or not. The dsb in Austria "cannot issue any statement as to whether the integration of Google Fonts on a website actually violates the GDPR," reads in a notice.

Picture: TechnikNews/Screenshot

For this reason, the lawyer demands a claim for damages of 100 euros and costs a further 90 euros for a “flat-rate legal prosecution”. A total of 190 euros is due, which should be paid within 14 days. All claims would thereby be "cleansed and settled".

Google sees it differently, according to its own Privacy Policy: Although a request from the user's browser to Google takes place, IP addresses would not protocolted. Furthermore, “the use of the Google Fonts API is not authenticated and the Google Fonts API does not set any cookies or protocollates them,” says Google.

inconsistencies

In the course of our research, we noticed some inconsistencies that we don't want to withhold. These are just doubts brought to us with technical analysis. The presumption of innocence always applies.

Strange logs

When website operators comb through their own server logs, inconsistencies are quickly noticed. During a "normal" visit to a website, the browser downloads all the content of the page called up, including CSS and JavaScript files, images and other integrated content. This raises doubts as to whether this is a real visit. Some tap on a "crawling bot" - in almost all cases the "client" only called up the start page and downloaded CSS files. No other files were downloaded. This is not the norm and is not normal user behavior.

212.95.x.xxx - - [05/Aug/2022:03:35:59 +0200] "GET / HTTP/1.0" 200 9001 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
212.95.x.xxx - - [05/Aug/2022:03:35:59 +0200] "GET /wp-content/cache/autoptimize/css/autoptimize_cbe0024c9a9de47dff8672de7a3adb68.css HTTP/1.0" 200 592 "https://[domainname].at/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
212.95.x.xxx - - [05/Aug/2022:03:35:59 +0200] "GET /wp-content/cache/autoptimize/css/autoptimize_single_6d2caf54273844cd8c34f6212d59e16a.css?ver=1640895726 HTTP/1.0" 200 599 "https://[domainname].at/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
212.95.x.xxx - - [05/Aug/2022:03:35:59 +0200] "GET /wp-content/cache/autoptimize/css/autoptimize_single_7b4611d3af4903f2d9c0eb0fa3fc3be3.css?ver=1640895726 HTTP/1.0" 200 599 "https://[domainname].at/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
212.95.x.xxx - - [05/Aug/2022:03:35:59 +0200] "GET /wp-content/cache/autoptimize/css/autoptimize_single_749ea91c94e3a245daea00ed4e6910f7.css?ver=1648978605 HTTP/1.0" 200 599 "https://[domainname].at/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
212.95.x.xxx - - [05/Aug/2022:03:35:59 +0200] "GET /wp-content/cache/autoptimize/css/autoptimize_single_1dde4870e16bf363492509c1dc13b256.css?ver=1640895726 HTTP/1.0" 200 880 "https://[domainname].at/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
212.95.x.xxx - - [05/Aug/2022:03:35:59 +0200] "GET /wp-content/cache/autoptimize/css/autoptimize_single_847de10f61f8996b4b9195e51466b53a.css?ver=1640895726 HTTP/1.0" 200 599 "https://[domainname].at/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
212.95.x.xxx - - [05/Aug/2022:03:36:00 +0200] "GET /wp-content/assets/lib/font-awesome/webfonts/fa-regular-400.woff2 HTTP/1.0" 200 535 "https://[domainname].at/wp-content/cache/autoptimize/css/autoptimize_cbe0024c9a9de47dff8672de7a3adb68.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"

For this reason, there is - from the website operator's point of view - the well-founded suspicion of a mass warning with the help of a crawler. Attached is another log file that another affected person made available to us, for whom the same procedure was used:

212.95.x.xxx - - [06/Aug/2022:07:09:29 +0200] "GET / HTTP/1.1" 301 312 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
212.95.x.xxx - - [06/Aug/2022:07:09:30 +0200] "GET / HTTP/2.0" 200 44364 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
212.95.x.xxx - - [06/Aug/2022:07:09:31 +0200] "GET /wp-content/themes/generatepress/assets/css/components/widget-areas.min.css?ver=3.1.3 HTTP/2.0" 200 3447 "https://www.*******************.at/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
212.95.x.xxx - - [06/Aug/2022:07:09:31 +0200] "GET /wp-content/themes/generatepress/assets/css/components/font-icons.min.css?ver=3.1.3 HTTP/2.0" 200 3030 "https://www.*******************.at/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
212.95.x.xxx - - [06/Aug/2022:07:09:31 +0200] "GET /wp-content/themes/generatepress/assets/css/main.min.css?ver=3.1.3 HTTP/2.0" 200 19704 "https://www.*******************.at/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
212.95.x.xxx - - [06/Aug/2022:07:09:31 +0200] "GET /wp-content/plugins/gutenberg/build/block-library/style.css?ver=13.8.1 HTTP/2.0" 200 92489 "https://www.*******************.at/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
212.95.x.xxx - - [06/Aug/2022:07:09:31 +0200] "GET /wp-content/themes/generatepress/assets/css/components/font-awesome.min.css?ver=4.7 HTTP/2.0" 200 31062 "https://www.*******************.at/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
212.95.x.xxx - - [06/Aug/2022:07:09:32 +0200] "GET /wp-content/themes/generatepress/assets/fonts/generatepress.woff2 HTTP/2.0" 200 1344 "https://www.*******************.at/wp-content/themes/generatepress/assets/css/components/font-icons.min.css?ver=3.1.3" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"

favicon: In addition, a "normal" browser in the minimal version of a visit would at least show the favicon (icon of a website in the browser tab) Automatically request, which would be visible in the logs. In all known cases, however, this has not happened to us. Even if none is present, the browser would at least try. This would look like this in the logs:

xxx.xx.x.xxx - - [24/Aug/2022:13:32:32 +0200] "GET /favicon.ico HTTP/1.0" 404 602 "https://**************" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36 Edg/104.0.1293.63"

Strange crawlers

Update on August 28, 18:30 p.m.: We have another indication of the automatic implementation of the warning wave. Speaking of logs - a few days before the client's visit, an imprint crawler was at work on numerous logs that were sent to us. This might have been useful for creating the letters automatically. Why else should an imprint crawler be used? The following log entries stand out:

81.209.xxx.xxx - - [27/Jul/2022:00:04:44 +0200] "GET /robots.txt HTTP/1.0" 200 536 "-" "netEstate Impressumscrawler (+http://www.netestate.de/De/Loesungen/Impressumscrawler)"
81.209.xxx.xxx - - [27/Jul/2022:00:04:44 +0200] "GET / HTTP/1.0" 200 53461 "-" "netEstate Impressumscrawler (+http://www.netestate.de/De/Loesungen/Impressumscrawler)"
81.209.xxx.xxx - - [27/Jul/2022:00:04:44 +0200] "GET /impressum HTTP/1.0" 301 496 "-" "netEstate Impressumscrawler (+http://www.netestate.de/De/Loesungen/Impressumscrawler)"
81.209.xxx.xxx - - [27/Jul/2022:00:04:45 +0200] "GET /impressum/ HTTP/1.0" 200 30632 "-" "netEstate Impressumscrawler (+http://www.netestate.de/De/Loesungen/Impressumscrawler)"

Shortly after visiting the imprint crawler, the "Scrapy" tool appears in the logs. This is suitable for making screenshots and extracting content from websites. A rogue who thinks evil...

176.9.xx.xx - - [27/Jul/2022:00:04:47 +0200] "GET / HTTP/1.0" 301 516 "-" "Scrapy/2.4.1 (+https://scrapy.org)"
176.9.xx.xx - - [27/Jul/2022:00:04:47 +0200] "GET / HTTP/1.0" 200 8985 "-" "Scrapy/2.4.1 (+https://scrapy.org)"

The same IP address also shows up again a few days later:

176.9.xx.xx - - [03/Aug/2022:16:39:52 +0200] "GET / HTTP/1.0" 301 516 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/101.0.4951.64 Safari/537.36"
176.9.xx.xx - - [03/Aug/2022:16:39:53 +0200] "GET / HTTP/1.0" 200 9001 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/101.0.4951.64 Safari/537.36"

Strange screenshots

Update on August 24, 12:50 p.m.: We have received numerous letters from those affected in which the screenshot is meaningless. The images do not show any use of Google Fonts, neither embedding nor other features. Thus, here too, many of those affected are of the opinion that it had to be an automatic process. A real person would have correctly marked the relevant part. An example can be found below. We have blacked out relevant details that could point to the relevant website.

No use of Google Fonts is evident in the screenshot of the source code. (Picture: TechnikNews/Screenshot)

We are also aware of cases in which only the cookie banner that has not yet been confirmed is visible in the screenshot. Depending on the correct implementation, no data transmission took place at this point in time. Access to the client "Eva Z." was impossible without taking an action on the corresponding cookie banner.

Picture: TechnikNews/Screenshot

Strange domain names

Some information was brought to us that, according to the letter, the domain name or the website accessed could not (any longer) be found in a search engine or similar. Companies often change their name or get a new domain. In most cases, the old domain, which is still known to some, remains online - only all visitors are then forwarded to the new website.

For example, we are aware of a case in which the "old" domain "xyz.at" (fictitious) was specified in the letter, but this was immediately forwarded to the new domain name "abc.at" (fictitious). The visit or the embedding of Google Fonts took place on the new page "abc.at", although the old domain "xyz.at" was mentioned in the letter. According to our data subject, it is Eva Z. but impossible to know what the old domain is. This can no longer be found anywhere and has not been known for years.

Strange transmission of the power of attorney

First of all, the power of attorney mentioned in the letter cannot be found directly in the cases known to us, but is referred to via a download link. Here one could argue that the page of the referring link, including the power of attorney, can be changed at any time - a written attachment to the rest of the letter would be unchangeable. To what extent this is legal, we cannot judge. This should be discussed with a lawyerprobecome.

Having said that, a public, unprotected, freely available download of an ID card and a signed power of attorney is not necessarily privacy-friendly...

Picture: TechnikNews/Screenshot

Strange timing of the power of attorney

We have received numerous mails regarding this case - all received logs of the views were after August 4th protocolted. This is interesting insofar as the power of attorney from the client Eva Z. to the lawyer Mag. Hohenecker was signed on August 04th.

The client apparently knew in advance that she would make claims when she accessed websites where she was searching for Google Fonts. The power of attorney was signed exactly on August 04, 2022, at 23:01 p.m. – just a few hours later, on August 05, at 03:35 a.m., the first calls were made (see log above). Interesting approach.

In the course of our research, we also checked the digital signature, which is perfectly valid, definitely comes from Eva Z. and was signed at the time indicated. A verification of the signature is on the A Trust website is possible.

Picture: TechnikNews/Screenshot

Technical: How should website operators proceed?

First and foremost, Google Fonts should be hosted locally. This means that it should no longer be integrated via Google, but loaded directly from your own server. So you are definitely on the safe side. If in doubt, a web agency should be commissioned. You can check for yourself whether Google Fonts are loaded on your own website.

Where do Google Fonts come from?

Google Fonts cannot be found “just like that” on your own website. The reasons that this embedding is present are as follows:

• Development: In the development of the own website, the integration of Google Fonts was preferred instead of loading the fonts locally.
• Theme: If a CMS like WordPress is used, the design ("theme") used could be equipped with Google Fonts by default instead of bringing the font directly with it.
• Embeds: Does your own website use other elements from Google, such as Google AdSense (advertising), YouTube, Google Maps, Google reCAPTCHA? Google Fonts provide these directly. Preventing this is not possible.

Quick check for Google Fonts using an automated tool

Some websites offer a "Google Fonts Checker", which checks the website for the presence of Google Fonts. These tools are easy to use, but may not give a 100% guarantee that all incidents will be found. Due to the large rush, the checkers are currently partially overloaded.

• safe3.de – Google Fonts Checker
• 54gradsoftware.de – Google Fonts Checker
• website-bereinigung.de – Google Fonts Checker
• ccm19.de – Google Fonts Checker

Check for Google Fonts for technically "savvy" (100% guarantee of correct function)

1. open browser
2. Open developer tools: F12 or CTRL + Shift + I
3. A window should now open on the right or below
4. Click on "Network"/"Network" -> set the filter type to "Font".
5. If the "Domain" tab is not displayed in the table: right-click on a heading -> tick Domain
6. Go to your own website

Now there are two options:

1. Entries with "fonts.gstatic.com" or "fonts.googleapis.com" now appear: Google Fonts are loaded by Google.
2. Only entries with your own domain appear: the font is integrated locally, very good.

In this case, no Google font is integrated, but the font is loaded locally. (Picture: TechnikNews/Screenshot)

How to remove Google Fonts and host the font locally?

WordPress

• Simplest plugin, works for most websites: OMGF | GDPR Compliant, Faster Google Fonts. Easy.
• Manual fix:
  • kopfundstift.de – This is how you integrate Google Fonts locally: GDPR-compliant with WordPress
  • egm.at – Integrate Google Fonts GDPR-safe into WordPress

Joomla

• allerseiten.de – Integrate Google Fonts DSGVO-compliant (local) into your Joomla websites

TYPO3 and other websites

For other websites, we recommend using the Google Web Fonts Helper, which allows the fonts to be downloaded directly and integrated directly into the respective style sheet.

Legal: how to proceed?

We cannot offer further legal advice here, but only show the technical approach as already mentioned. In any case, it is a good idea to save evidence and check the server logs for the IP address. The payment of the settlement should not take place without further examination for the time being, without discussing the further procedure with a specialist.

Note: Below are statements and opinions from lawyers giving their assessment of how to proceed.

In principle, however, the request for information pursuant to Art definitely be answered within one month. Whether this is actually done or makes sense from a legal point of view should be clarified with your own lawyer.

According to the data protection authority, however, it should be checked beforehand whether the application is accompanied by a power of attorney, because this "is only valid if the lawyer submits a corresponding power of attorney from the person represented". A direct attachment was not included in the cases known to us — we cannot legally assess whether a link to it is sufficient or whether a digital, self-downloaded power of attorney must be accepted.

For entrepreneurs

Entrepreneurs who are members of the WKO should contact their respective chamber in the federal state. According to some reports from those affected, they have already become active, viewing and collecting all cases. Another joint approach by the chambers is likely to follow shortly.

lodge a complaint

If you see an unjustified cause behind the action, you can also lodge a complaint with the Lower Austrian Bar Association:

• raknoe.at – Bar Association of Lower Austria

Helpful links & information

Attached is a list of links for further contact points with legal information and contact persons:

• dsb.gv.at - Information from the data protection authority on the subject of warnings because of Google Fonts
• digisociety.ngo – Google Font rip-off
• abmahnung.wtf – Information portal against the current Google Fonts warning wave
• dataprotect.at – Google Web Fonts warnings / proceedings
• wbs-law.de – Wave of warnings because of Google web fonts: You can react correctly with our sample letter!
• reddit.com/r/Austria – Warning: Eva Z. / Causa Datenschutzanwalt.eu
• wko.at – Warnings because of Google Fonts

opinions

lawyers' opinions

“No compensation for bots”: Lawyer Mag. Schopper

We have the law firm “, which specializes in data protection law, among other thingsZauner Schachermayr Koller & Partners“ Graben 21, 4020 Linz, asked for an assessment.

Basically: According to the warning letters available to the law firm, it is said that the IP address of the website visitor was transmitted to the company located in the USA ("Google") without justification when the website was accessed. Basically, the alleged forwarding of the IP address to Google in the warning letters, with the integration of Google Fonts via Google Server, violates the GDPR, which also grants the right to damages in the event of data protection violations in Art. 82 GDPR. Without justification within the meaning of the GDPR (consent, etc.), this is inadmissible. In particular, since the USA - from the point of view of the GDPR - is not a safe third country because there is no adequacy decision within the meaning of Art. 45 GDPR. The previously existing agreements with the USA (“Safe Harbour” and “Privacy Shield”) were overturned by the European Court of Justice because the USA did not guarantee an adequate level of data protection.

Take seriously: Lawyer Mag. Schopper advises first of all to take the warning letter seriously and to provide information about the data processing (in the event that the alleged data was not processed/forwarded etc., to issue a so-called negative information). Not responding to the request for information at all can result in a lawsuit or complaint being filed with the data protection authority.

leave time: However, an answer does not have to be given immediately, there is a statutory deadline for the provision of information from a month. This deadline also gives you time and you should therefore wait, according to the lawyer, because "what information will still emerge in this matter" remains exciting. If it turns out that the websites were called up automatically via "bots" or "web crawlers" - i.e. not by a person - (which is currently suspected, but not certain), there would be no data protection violation, since then there would be no data breach person's rights may be violated. A right to information is then also questionable.

No case law in Austria yet: With regard to the damages levied, the claimant refers in the warning letters to a judgment of the Munich Regional Court. It should be noted that – as far as can be seen – there has not yet been any case law on a comparable case in Austria. Overall, however, it is more than questionable whether the emotional damage alleged in the warning letters ("discomfort" or "massively annoyed") actually exists; especially considering the sheer number of website views. It should be noted that the Supreme Court has so far ruled that compensation for emotional damage is only due if such damage has actually occurred. In addition, in the present context - exceptionally - it does not appear inadmissible to raise the objection of good faith against the claim for damages due to the huge number of website visits, according to the lawyer.

Step by step – The lawyer recommends proceeding as follows:

1. The letter should be taken seriously. One should also take this as an opportunity to check whether one's own website is compliant with data protection: "This is also important because it is to be expected that such waves of data protection violation allegations will continue to come in the future and that there are often other data protection deficiencies on websites."
2. In particular, you should specifically check whether Google Fonts is in use, whether data is being forwarded to the USA and whether the IP address specifically stated in the warning letter was actually processed and whether a transmission actually took place.
3. Irrespective of this, one should fulfill the obligation to provide information according to Art. 15 GDPR and provide negative information in the event that no processing took place. As already explained above, you have a period of one month, which gives you time for further information gathering, which you should use.
4. From the perspective of the law firm, the claim for damages and the claim for reimbursement of costs are not justified for the above reasons and could be disputed with good reasons. But this cannot be done with certainty proforecast, since the legal situation is not clear and the content of the individual cases can vary. You should therefore seek legal advice, which the law firm is happy to provide.

"All's well that ends well": Lawyer Mag. Thomas Fraiß

The lawyer Mag. Thomas Fraiß from Vienna writes on his blogthat things could be over. Also "Der Standard' reports this. He had information that "Mr. Hohenecker or Ms. Z. would not take any further steps". Nevertheless, he recommends that "from a technical point of view, it should be ensured that the affected websites are in a GDPR-compliant state".

However, Mr. Fraiß has not yet received a written justification for the alleged trend reversal by the lawyer Hohenecker and the client Eva Z.

"Dispute the claim": Attorney Mag. Markus Dörfler

Attorney Mag. Dörfler from the law firm "Höhne, In der Maur & Partner Rechtsanwälte GmbH & Co KG" recommends in the blog, "to dispute the claim, but to fulfill the right to information in accordance with Art. 15 GDPR." The client also has no claim to damages, since the transfer of IP addresses to US services does not pose a problem:

"Contrary to what was stated in the letter from Attorney Hohenecker, from our point of view Ms. Zajaczkowska is not entitled to compensation, since the disclosure of the IP address to US services is not prohibited per se and the processing was not unlawful. In the absence of illegality, Ms. Zajaczkowska is also not entitled to compensation. The question of the admissibility of the transfer of personal data to US services is currently being hotly debated, but no final decision has yet been made."

Answer pending: Lawyer Mag. Hohenecker or client Eva Z.

We also asked the lawyer in this case, Mag. Hohenecker, and his client Eva Z. for a statement, including in detail the "inconsistencies". However, there is still no answer.

Data transfer to the USA contrary to GDPR: WKO

Numerous companies have turned to the WKO. The basic tenor of the chamber is that the "data transfer of personal data to the USA is in violation of the GDPR". However, this is only the case if "no additional measures have been implemented (e.g. encryption, pseudonymization, obtaining consent or similar)"

The recommended procedure of the WKO is as follows (we quote from an e-mail):

1. The lawyer should be contacted if the deadline cannot be met. 1-2 weeks to check the matter with an external IT is legitimate. Any allegations by the lawyer that this was done within minutes need not be further addressed.
2. It is essential to check whether
   1. Google Fonts is in use and
   2. data is transferred to the USA
   3. and whether the IP address specified in the letter was processed in any way (log files, or similar)
3. In any case, the request for information in the letter (Article 15 GDPR) should be answered independently:
   1. If the IP address is not processed, a negative report can be issued
   2. If the IP address is processed, full data information must be provided

Sample answers can be requested directly from the WKO, please contact the relevant chamber in the federal state directly.

No clear verdict: Austrian data protection authority dsb

In the meantime, the Austrian data protection authority has issued a statement on your own website released. In short, it is also recommended there to respond to the request for information, but is not responsible for "claims for damages and therefore cannot comment on the specific claim for damages made with regard to Google Fonts".

According to the dsb, it is generally unclear whether embedding Google Fonts violates the GDPR. Here the authority itself has no clear verdict:

"The data protection authority has not conducted any investigations against Google for Google Fonts at the current time. The data protection authority can therefore not give an opinion on whether the integration of Google Fonts on a website actually violates the GDPR.

So as a layman you now know: nothing. The legal situation in Austria is not clear - and even the highest authority for data protection matters itself does not have a clear statement.

Not pleased: Bar Association of Lower Austria

The way food is RAKNEA has now commented on the “Google Fonts” cause on its own website. A statement on the home page states that there would have been less severe means:

"In general, however, mass warnings of this kind should not be the first measure taken by a lawyer in such a case. There are certainly milder means of pointing out GDPR problems on websites and the rights of individual visitors."

In addition, "due to the chosen procedure and the numerous complaints, an official investigation has been initiated". It is also “quite understandable that due to the masses of letters sent, there are doubts as to whether a single person can actually have personally visited so many websites in such a short time. However, the legally relevant and individual assessment of these cases is the sole responsibility of the courts."

Even if you are not happy about it, because "no one in the Bar Association is happy about such mass warnings from lawyers and the public discussion associated with them", you see no need to intervene here at the moment:

"According to the wording of this letter of formal notice, Mag. Hohenecker represented the interests of his client and did not violate the law. Even if we do not welcome mass warnings of this kind, an intervention against Mag. Hohenecker in the context of professional supervision is therefore not necessary from today's perspective. Further information on the facts, which we are currently collecting, can of course lead to a changed assessment.

contribute more

It is a well-known fact that you learn more together. We keep going, but need support from those affected.

• Send us more information: We are continuing to investigate this case. Please send any additional useful information (server logs, cover letters, etc.) to [email protected].
• Write a comment: Have you been warned? Are you an association, company or private person? Comment below this article to help other readers.

We'll update this article regularly with more information.

Recommendations for you

• Google Fonts: “Data protection lawyer” and client Eva Z. in close relationship?
• On our own behalf: We are becoming more transparent and GDPR-compliant
• Apple employees sometimes listen to conversations with Siri
• Google now lets you automatically delete your personal data