Blocking ads removes funding from us!
Researching and writing articles takes a lot of time. Operating our infrastructure costs money.
All of this is funded with advertising revenue.
We don't like advertising either - that's why we avoid annoying banners and pop-ups.
Please give us a chance and deactivate your adblocker!
Alternatively, you can support us here voluntarily.
>> The Best Amazon Black Friday Deals <

Language:  Deutsch English (Beta)

Follow us:

Google Fonts Data Breach: What to do? All information at a glance

Google Fonts
Image: Google
(Post picture: © 2022 Google)

A veritable wave of GDPR warnings is currently rolling over Austria regarding Google Fonts. Numerous website operators are currently receiving letters and e-mails with a warning from a data protection lawyer. What is it?

The General Data Protection Regulation came into force on May 25, 2018. Since then, companies, firms or associations have repeatedly been warned because of data protection violations. In most cases, out of reasonable suspicion. Things seem different in the current case of datenschutzanwalt.eu, Mr. Mag. Marcus Hohenecker. Thousands of website operators have been notified of a data breach with demands for a "settlement". Numerous readers and those affected have contacted us.

Disclaimer: The following article is not legal advice. The exact procedure in this case should always be clarified individually with a lawyer. Here we only give tips for further, technical procedures and share our research results.

Updates

Update on August 23, 16:15 p.m.: One day after the publication of this article, we would like to thank you for all the input and discussions under this article. We never thought that our article would be shared and discussed so much. The huge extent of this warning wave was completely unclear to us. We will continue to research and update the article with more information. For this we still need yours Support – let's get more details in the form of a comments below this article or by email to redaktion@techniknews.net.

Update on August 24, 13:05 p.m.: We have added more information to our article:

  • Strange screenshots
  • Strange domain names
  • Where do Google Fonts come from?
  • Ways to check for Google Fonts
  • Recommended WordPress plugin to remove Google Fonts
  • opinions
    • Mr. Attorney Mag. Fraiß
    • WKO
    • Bar Association of Lower Austria

Update on August 26, 14:15 p.m.: We have added a detailed statement from a law firm "Zauner Schachermayr Koller & Partner", RA Mag. Schopper, which specializes in data protection, among other things. Scroll directly to the statement

Update on August 28, 18:30 p.m.: Added the Strange Crawlers section

What is it about?

In the letter, the lawyer refers to an IP address of a client named Eva Z., who is said to have accessed the website in question at an unknown time. A screenshot of the affected website can also be found. So far so good. Specifically, the client is concerned with built-in “Google Fonts”, a CDN service from the American company that provides fonts for websites. The website operator is said to have "forwarded the client to a company of the US Alphabet Inc." group ("Google") without the consent of the client," according to the letter.

An affected website operator has provided us with further information and the letter. We have redacted the names, IP addresses, domain name and contents of the screenshot.

GDPR Data Protection Advocate Google Fonts Writing

Picture: TechnikNews/Screenshot

With the attached screenshot he wants to prove access to the website and a screenshot of the source code is supposed to prove the use of Google Fonts.

GDPR Data Protection Advocate Google Fonts Writing

Picture: TechnikNews/Screenshot

Affected in the five-digit range?

It is unclear how many people and website operators are actually affected. However, we can make an approximate assumption based on the number of hits on our article.

Information from August 22, 18:00 p.m.: Our article is very popular and has exceeded the 1.000 click mark just a few hours after publication - we suspect that the number of people affected is in the four-digit range. However, it seems to be exclusively about Austrian victims. We will continue to research this matter - please email our editorial team for further information to redaktion@techniknews.net.

Update on August 23, 13:20 p.m.: Due to the continued extremely high response and number of clicks on our article, we are increasing our estimate of those affected to a five-digit 10.000 range.

Is the embedding of Google Fonts allowed?

According to the lawyer, no. He relies on one Decision of the Regional Court of Munich, which upheld a lawsuit in the “Google Fonts” case. This case is "similar to the subject matter of the complaint," the lawyer said in the letter to those affected.

The status quo is different in Austria - where most website operators are based in this case - there has not yet been any judgment or case law from the data protection authority as to whether use is permitted or not. The dsb in Austria "cannot issue any statement as to whether the integration of Google Fonts on a website actually violates the GDPR," reads in a notice.

GDPR Data Protection Advocate Google Fonts Comparison

Picture: TechnikNews/Screenshot

For this reason, the lawyer demands a claim for damages of 100 euros and costs a further 90 euros for a “flat-rate legal prosecution”. A total of 190 euros is due, which should be paid within 14 days. All claims would thereby be "cleansed and settled".

Google sees it differently, according to its own Privacy Policy: Although a request from the user's browser to Google takes place, IP addresses would not protocolted. Furthermore, “the use of the Google Fonts API is not authenticated and the Google Fonts API does not set any cookies or protocollates them,” says Google.

inconsistencies

In the course of our research, we noticed some inconsistencies that we don't want to withhold. These are just doubts brought to us with technical analysis. The presumption of innocence always applies.

Strange logs

When website operators comb through their own server logs, inconsistencies are quickly noticed. During a "normal" visit to a website, the browser downloads all the content of the page called up, including CSS and JavaScript files, images and other integrated content. This raises doubts as to whether this is a real visit. Some tap on a "crawling bot" - in almost all cases the "client" only called up the start page and downloaded CSS files. No other files were downloaded. This is not the norm and is not normal user behavior.

212.95.x.xxx - - [05/Aug/2022:03:35:59 +0200] "GET / HTTP/1.0" 200 9001 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
212.95.x.xxx - - [05/Aug/2022:03:35:59 +0200] "GET /wp-content/cache/autoptimize/css/autoptimize_cbe0024c9a9de47dff8672de7a3adb68.css HTTP/1.0" 200 592 "https://[domainname].at/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
212.95.x.xxx - - [05/Aug/2022:03:35:59 +0200] "GET /wp-content/cache/autoptimize/css/autoptimize_single_6d2caf54273844cd8c34f6212d59e16a.css?ver=1640895726 HTTP/1.0" 200 599 "https://[domainname].at/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
212.95.x.xxx - - [05/Aug/2022:03:35:59 +0200] "GET /wp-content/cache/autoptimize/css/autoptimize_single_7b4611d3af4903f2d9c0eb0fa3fc3be3.css?ver=1640895726 HTTP/1.0" 200 599 "https://[domainname].at/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
212.95.x.xxx - - [05/Aug/2022:03:35:59 +0200] "GET /wp-content/cache/autoptimize/css/autoptimize_single_749ea91c94e3a245daea00ed4e6910f7.css?ver=1648978605 HTTP/1.0" 200 599 "https://[domainname].at/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
212.95.x.xxx - - [05/Aug/2022:03:35:59 +0200] "GET /wp-content/cache/autoptimize/css/autoptimize_single_1dde4870e16bf363492509c1dc13b256.css?ver=1640895726 HTTP/1.0" 200 880 "https://[domainname].at/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
212.95.x.xxx - - [05/Aug/2022:03:35:59 +0200] "GET /wp-content/cache/autoptimize/css/autoptimize_single_847de10f61f8996b4b9195e51466b53a.css?ver=1640895726 HTTP/1.0" 200 599 "https://[domainname].at/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
212.95.x.xxx - - [05/Aug/2022:03:36:00 +0200] "GET /wp-content/assets/lib/font-awesome/webfonts/fa-regular-400.woff2 HTTP/1.0" 200 535 "https://[domainname].at/wp-content/cache/autoptimize/css/autoptimize_cbe0024c9a9de47dff8672de7a3adb68.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"

For this reason, there is - from the website operator's point of view - the well-founded suspicion of a mass warning with the help of a crawler. Attached is another log file that another affected person made available to us, for whom the same procedure was used:

212.95.x.xxx - - [06/Aug/2022:07:09:29 +0200] "GET / HTTP/1.1" 301 312 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
212.95.x.xxx - - [06/Aug/2022:07:09:30 +0200] "GET / HTTP/2.0" 200 44364 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
212.95.x.xxx - - [06/Aug/2022:07:09:31 +0200] "GET /wp-content/themes/generatepress/assets/css/components/widget-areas.min.css?ver=3.1.3 HTTP/2.0" 200 3447 "https://www.*******************.at/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
212.95.x.xxx - - [06/Aug/2022:07:09:31 +0200] "GET /wp-content/themes/generatepress/assets/css/components/font-icons.min.css?ver=3.1.3 HTTP/2.0" 200 3030 "https://www.*******************.at/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
212.95.x.xxx - - [06/Aug/2022:07:09:31 +0200] "GET /wp-content/themes/generatepress/assets/css/main.min.css?ver=3.1.3 HTTP/2.0" 200 19704 "https://www.*******************.at/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
212.95.x.xxx - - [06/Aug/2022:07:09:31 +0200] "GET /wp-content/plugins/gutenberg/build/block-library/style.css?ver=13.8.1 HTTP/2.0" 200 92489 "https://www.*******************.at/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
212.95.x.xxx - - [06/Aug/2022:07:09:31 +0200] "GET /wp-content/themes/generatepress/assets/css/components/font-awesome.min.css?ver=4.7 HTTP/2.0" 200 31062 "https://www.*******************.at/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
212.95.x.xxx - - [06/Aug/2022:07:09:32 +0200] "GET /wp-content/themes/generatepress/assets/fonts/generatepress.woff2 HTTP/2.0" 200 1344 "https://www.*******************.at/wp-content/themes/generatepress/assets/css/components/font-icons.min.css?ver=3.1.3" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"

favicon: In addition, a "normal" browser in the minimal version of a visit would at least show the favicon (icon of a website in the browser tab) Automatically request, which would be visible in the logs. In all known cases, however, this has not happened to us. Even if none is present, the browser would at least try. This would look like this in the logs:

xxx.xx.x.xxx - - [24/Aug/2022:13:32:32 +0200] "GET /favicon.ico HTTP/1.0" 404 602 "https://**************" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36 Edg/104.0.1293.63"

Strange crawlers

Update on August 28, 18:30 p.m.: We have another indication of the automatic implementation of the warning wave. Speaking of logs - a few days before the client's visit, an imprint crawler was at work on numerous logs that were sent to us. This might have been useful for creating the letters automatically. Why else should an imprint crawler be used? The following log entries stand out:

81.209.xxx.xxx - - [27/Jul/2022:00:04:44 +0200] "GET /robots.txt HTTP/1.0" 200 536 "-" "netEstate Impressumscrawler (+http://www.netestate.de/De/Loesungen/Impressumscrawler)"
81.209.xxx.xxx - - [27/Jul/2022:00:04:44 +0200] "GET / HTTP/1.0" 200 53461 "-" "netEstate Impressumscrawler (+http://www.netestate.de/De/Loesungen/Impressumscrawler)"
81.209.xxx.xxx - - [27/Jul/2022:00:04:44 +0200] "GET /impressum HTTP/1.0" 301 496 "-" "netEstate Impressumscrawler (+http://www.netestate.de/De/Loesungen/Impressumscrawler)"
81.209.xxx.xxx - - [27/Jul/2022:00:04:45 +0200] "GET /impressum/ HTTP/1.0" 200 30632 "-" "netEstate Impressumscrawler (+http://www.netestate.de/De/Loesungen/Impressumscrawler)"

Shortly after visiting the imprint crawler, the "Scrapy" tool appears in the logs. This is suitable for making screenshots and extracting content from websites. A rogue who thinks evil...

176.9.xx.xx - - [27/Jul/2022:00:04:47 +0200] "GET / HTTP/1.0" 301 516 "-" "Scrapy/2.4.1 (+https://scrapy.org)"
176.9.xx.xx - - [27/Jul/2022:00:04:47 +0200] "GET / HTTP/1.0" 200 8985 "-" "Scrapy/2.4.1 (+https://scrapy.org)"

The same IP address also shows up again a few days later:

176.9.xx.xx - - [03/Aug/2022:16:39:52 +0200] "GET / HTTP/1.0" 301 516 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/101.0.4951.64 Safari/537.36"
176.9.xx.xx - - [03/Aug/2022:16:39:53 +0200] "GET / HTTP/1.0" 200 9001 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/101.0.4951.64 Safari/537.36"

Strange screenshots

Update on August 24, 12:50 p.m.: We have received numerous letters from those affected in which the screenshot is meaningless. The images do not show any use of Google Fonts, neither embedding nor other features. Thus, here too, many of those affected are of the opinion that it had to be an automatic process. A real person would have correctly marked the relevant part. An example can be found below. We have blacked out relevant details that could point to the relevant website.

GDPR Data Protection Advocate source code

No use of Google Fonts is evident in the screenshot of the source code. (Picture: TechnikNews/Screenshot)

We are also aware of cases in which only the cookie banner that has not yet been confirmed is visible in the screenshot. Depending on the correct implementation, no data transmission took place at this point in time. Access to the client "Eva Z." was impossible without taking an action on the corresponding cookie banner.

GDPR Data Protection Advocate Cookie Banner

Picture: TechnikNews/Screenshot

Strange domain names

Some information was brought to us that, according to the letter, the domain name or the website accessed could not (any longer) be found in a search engine or similar. Companies often change their name or get a new domain. In most cases, the old domain, which is still known to some, remains online - only all visitors are then forwarded to the new website.

For example, we are aware of a case in which the "old" domain "xyz.at" (fictitious) was specified in the letter, but this was immediately forwarded to the new domain name "abc.at" (fictitious). The visit or the embedding of Google Fonts took place on the new page "abc.at", although the old domain "xyz.at" was mentioned in the letter. According to our data subject, it is Eva Z. but impossible to know what the old domain is. This can no longer be found anywhere and has not been known for years.

Strange transmission of the power of attorney

First of all, the power of attorney mentioned in the letter cannot be found directly in the cases known to us, but is referred to via a download link. Here one could argue that the page of the referring link, including the power of attorney, can be changed at any time - a written attachment to the rest of the letter would be unchangeable. To what extent this is legal, we cannot judge. This should be discussed with a lawyerprobecome.

Having said that, a public, unprotected, freely available download of an ID card and a signed power of attorney is not necessarily privacy-friendly...

GDPR Data Protection Advocate Legitimation Link

Picture: TechnikNews/Screenshot

Strange timing of the power of attorney

We have received numerous mails regarding this case - all received logs of the views were after August 4th protocolted. This is interesting insofar as the power of attorney from the client Eva Z. to the lawyer Mag. Hohenecker was signed on August 04th.

The client apparently knew in advance that she would make claims when she accessed websites where she was searching for Google Fonts. The power of attorney was signed exactly on August 04, 2022, at 23:01 p.m. – just a few hours later, on August 05, at 03:35 a.m., the first calls were made (see log above). Interesting approach.

In the course of our research, we also checked the digital signature, which is perfectly valid, definitely comes from Eva Z. and was signed at the time indicated. A verification of the signature is on the A Trust website is possible.

GDPR Data Protection Attorney Power of Attorney

Picture: TechnikNews/Screenshot

Technical: How should website operators proceed?

First and foremost, Google Fonts should be hosted locally. This means that it should no longer be integrated via Google, but loaded directly from your own server. So you are definitely on the safe side. If in doubt, a web agency should be commissioned. You can check for yourself whether Google Fonts are loaded on your own website.

Where do Google Fonts come from?

Google Fonts cannot be found “just like that” on your own website. The reasons that this embedding is present are as follows:

  • Development: In the development of the own website, the integration of Google Fonts was preferred instead of loading the fonts locally.
  • Theme: If a CMS like WordPress is used, the design ("theme") used could be equipped with Google Fonts by default instead of bringing the font directly with it.
  • Embeds: Does your own website use other elements from Google, such as Google AdSense (advertising), YouTube, Google Maps, Google reCAPTCHA? Google Fonts provide these directly. Preventing this is not possible.

Quick check for Google Fonts using an automated tool

Some websites offer a "Google Fonts Checker", which checks the website for the presence of Google Fonts. These tools are easy to use, but may not give a 100% guarantee that all incidents will be found. Due to the large rush, the checkers are currently partially overloaded.

Check for Google Fonts for technically "savvy" (100% guarantee of correct function)

  1. open browser
  2. Open developer tools: F12 or CTRL + Shift + I
  3. A window should now open on the right or below
  4. Click on "Network"/"Network" -> set the filter type to "Font".
  5. If the "Domain" tab is not displayed in the table: right-click on a heading -> tick Domain
  6. Go to your own website

Now there are two options:

  1. Entries with "fonts.gstatic.com" or "fonts.googleapis.com" now appear: Google Fonts are loaded by Google.
  2. Only entries with your own domain appear: the font is integrated locally, very good.
Google Fonts local

In this case, no Google font is integrated, but the font is loaded locally. (Picture: TechnikNews/Screenshot)

How to remove Google Fonts and host the font locally?

WordPress

Joomla

TYPO3 and other websites

For other websites, we recommend using the Google Web Fonts Helper, which allows the fonts to be downloaded directly and integrated directly into the respective style sheet.

Legal: how to proceed?

We cannot offer further legal advice here, but only show the technical approach as already mentioned. In any case, it is a good idea to save evidence and check the server logs for the IP address. The payment of the settlement should not take place without further examination for the time being, without discussing the further procedure with a specialist.

Note: Below are statements and opinions from lawyers giving their assessment of how to proceed.

In principle, however, the request for information pursuant to Art definitely be answered within one month. Whether this is actually done or makes sense from a legal point of view should be clarified with your own lawyer.

According to the data protection authority, however, it should be checked beforehand whether the application is accompanied by a power of attorney, because this "is only valid if the lawyer submits a corresponding power of attorney from the person represented". A direct attachment was not included in the cases known to us — we cannot legally assess whether a link to it is sufficient or whether a digital, self-downloaded power of attorney must be accepted.

For entrepreneurs

Entrepreneurs who are members of the WKO should contact their respective chamber in the federal state. According to some reports from those affected, they have already become active, viewing and collecting all cases. Another joint approach by the chambers is likely to follow shortly.

lodge a complaint

If you see an unjustified cause behind the action, you can also lodge a complaint with the Lower Austrian Bar Association:

Helpful links & information

Attached is a list of links for further contact points with legal information and contact persons:

opinions

lawyers' opinions

“No compensation for bots”: Lawyer Mag. Schopper

We have the law firm “, which specializes in data protection law, among other thingsZauner Schachermayr Koller & Partners“ Graben 21, 4020 Linz, asked for an assessment.

Basically: According to the warning letters available to the law firm, it is said that the IP address of the website visitor was transmitted to the company located in the USA ("Google") without justification when the website was accessed. Basically, the alleged forwarding of the IP address to Google in the warning letters, with the integration of Google Fonts via Google Server, violates the GDPR, which also grants the right to damages in the event of data protection violations in Art. 82 GDPR. Without justification within the meaning of the GDPR (consent, etc.), this is inadmissible. In particular, since the USA - from the point of view of the GDPR - is not a safe third country because there is no adequacy decision within the meaning of Art. 45 GDPR. The previously existing agreements with the USA (“Safe Harbour” and “Privacy Shield”) were overturned by the European Court of Justice because the USA did not guarantee an adequate level of data protection.

Take seriously: Lawyer Mag. Schopper advises first of all to take the warning letter seriously and to provide information about the data processing (in the event that the alleged data was not processed/forwarded etc., to issue a so-called negative information). Not responding to the request for information at all can result in a lawsuit or complaint being filed with the data protection authority.

leave time: However, an answer does not have to be given immediately, there is a statutory deadline for the provision of information from a month. This deadline also gives you time and you should therefore wait, according to the lawyer, because "what information will still emerge in this matter" remains exciting. If it turns out that the websites were called up automatically via "bots" or "web crawlers" - i.e. not by a person - (which is currently suspected, but not certain), there would be no data protection violation, since then there would be no data breach person's rights may be violated. A right to information is then also questionable.

No case law in Austria yet: With regard to the damages levied, the claimant refers in the warning letters to a judgment of the Munich Regional Court. It should be noted that – as far as can be seen – there has not yet been any case law on a comparable case in Austria. Overall, however, it is more than questionable whether the emotional damage alleged in the warning letters ("discomfort" or "massively annoyed") actually exists; especially considering the sheer number of website views. It should be noted that the Supreme Court has so far ruled that compensation for emotional damage is only due if such damage has actually occurred. In addition, in the present context - exceptionally - it does not appear inadmissible to raise the objection of good faith against the claim for damages due to the huge number of website visits, according to the lawyer.

Step by step – The lawyer recommends proceeding as follows:

  1. The letter should be taken seriously. One should also take this as an opportunity to check whether one's own website is compliant with data protection: "This is also important because it is to be expected that such waves of data protection violation allegations will continue to come in the future and that there are often other data protection deficiencies on websites."
  2. In particular, you should specifically check whether Google Fonts is in use, whether data is being forwarded to the USA and whether the IP address specifically stated in the warning letter was actually processed and whether a transmission actually took place.
  3. Irrespective of this, one should fulfill the obligation to provide information according to Art. 15 GDPR and provide negative information in the event that no processing took place. As already explained above, you have a period of one month, which gives you time for further information gathering, which you should use.
  4. From the perspective of the law firm, the claim for damages and the claim for reimbursement of costs are not justified for the above reasons and could be disputed with good reasons. But this cannot be done with certainty proforecast, since the legal situation is not clear and the content of the individual cases can vary. You should therefore seek legal advice, which the law firm is happy to provide.

"All's well that ends well": Lawyer Mag. Thomas Fraiß

The lawyer Mag. Thomas Fraiß from Vienna writes on his blogthat things could be over. Also "Der Standard' reports this. He had information that "Mr. Hohenecker or Ms. Z. would not take any further steps". Nevertheless, he recommends that "from a technical point of view, it should be ensured that the affected websites are in a GDPR-compliant state".

“Supposedly, Mr. Hohenecker or Ms. Z. will not take any further steps. Those affected do not have to do anything in legal terms for the time being. From a technical point of view, it should nevertheless be ensured that the affected websites are in a GDPR-compliant state. In my opinion, the amounts already paid to Ms. Z. should be repaid, which would be particularly relevant in the event of investigations by the public prosecutor's office."

However, Mr. Fraiß has not yet received a written justification for the alleged trend reversal by the lawyer Hohenecker and the client Eva Z.

"Dispute the claim": Attorney Mag. Markus Dörfler

Attorney Mag. Dörfler from the law firm "Höhne, In der Maur & Partner Rechtsanwälte GmbH & Co KG" recommends in the blog, "To dispute the claim, but to fulfill the right to information in accordance with Art. 15 GDPR." The client also has no right to compensation, since the transfer of IP addresses to US services is not Prorepresent:

"Contrary to what was stated in the letter from Attorney Hohenecker, from our point of view Ms. Zajaczkowska is not entitled to compensation, since the disclosure of the IP address to US services is not prohibited per se and the processing was not unlawful. In the absence of illegality, Ms. Zajaczkowska is also not entitled to compensation. The question of the admissibility of the transfer of personal data to US services is currently being hotly debated, but no final decision has yet been made."

Answer pending: Lawyer Mag. Hohenecker or client Eva Z.

We also asked the lawyer in this case, Mag. Hohenecker, and his client Eva Z. for a statement, including in detail the "inconsistencies". However, there is still no answer.

Data transfer to the USA contrary to GDPR: WKO

Numerous companies have turned to the WKO. The basic tenor of the chamber is that the "data transfer of personal data to the USA is in violation of the GDPR". However, this is only the case if "no additional measures have been implemented (e.g. encryption, pseudonymization, obtaining consent or similar)"

The recommended procedure of the WKO is as follows (we quote from an e-mail):

  1. The lawyer should be contacted if the deadline cannot be met. 1-2 weeks to check the matter with an external IT is legitimate. Any allegations by the lawyer that this was done within minutes need not be further addressed.
  2. It is essential to check whether
    1. Google Fonts is in use and
    2. data is transferred to the USA
    3. and whether the IP address specified in the letter was processed in any way (log files, or similar)
  3. In any case, the request for information in the letter (Article 15 GDPR) should be answered independently:
    1. If the IP address is not processed, a negative report can be issued
    2. If the IP address is processed, full data information must be provided

Sample answers can be requested directly from the WKO, please contact the relevant chamber in the federal state directly.

No clear verdict: Austrian data protection authority dsb

In the meantime, the Austrian data protection authority has issued a statement on your own website released. In short, it is also recommended there to respond to the request for information, but is not responsible for "claims for damages and therefore cannot comment on the specific claim for damages made with regard to Google Fonts".

According to the dsb, it is generally unclear whether embedding Google Fonts violates the GDPR. Here the authority itself has no clear verdict:

"The data protection authority has not conducted any investigations against Google for Google Fonts at the current time. The data protection authority can therefore not give an opinion on whether the integration of Google Fonts on a website actually violates the GDPR.

So as a layman you now know: nothing. The legal situation in Austria is not clear - and even the highest authority for data protection matters itself does not have a clear statement.

Not pleased: Bar Association of Lower Austria

The way food is RAKNEA has now commented on the “Google Fonts” cause on its own website. A statement on the home page states that there would have been less severe means:

"In general, however, mass warnings of this kind should not be the first remedy that a lawyer takes in such a case. There would certainly be more lenient means of accessing GDPRProproblems of websites and the rights of individual visitors."

In addition, "due to the chosen procedure and the numerous complaints, an official investigation has been initiated". It is also “quite understandable that due to the masses of letters sent, there are doubts as to whether a single person can actually have personally visited so many websites in such a short time. However, the legally relevant and individual assessment of these cases is the sole responsibility of the courts."

Even if you are not happy about it, because "no one in the Bar Association is happy about such mass warnings from lawyers and the public discussion associated with them", you see no need to intervene here at the moment:

"According to the wording of this letter of formal notice, Mag. Hohenecker represented the interests of his client and did not violate the law. Even if we do not welcome mass warnings of this kind, an intervention against Mag. Hohenecker in the context of professional supervision is therefore not necessary from today's perspective. Further information on the facts, which we are currently collecting, can of course lead to a changed assessment.

contribute more

It is a well-known fact that you learn more together. We keep going, but need support from those affected.

  • Send us more information: We are further investigating this case. Please send additional, useful information (server logs, cover letter, other) to redaktion@techniknews. Net.
  • Write a comment: Have you been warned? Are you an association, company or private person? Comment below this article to help other readers.

We'll update this article regularly with more information.

Recommendations for you

>> The Best Amazon Black Friday Deals <

David Wurm

Do that TechnikNews-Ding together with a great team for several years. Works in the background on the server infrastructure and is also responsible for everything editorial. Is fascinated by current technology and likes to blog about everything digital. In his free time, he can often be found developing websites, taking photos or making radio.

David has already written 894 articles and left 372 comments.

Web | Facebook | Twitter | Insta | YouTube
notification settings
notifications about
guest
Your name, which will be shown publicly.
We will not publish your email address.
170 Comments
latest
oldest Best
Inline feedback
View all comments
Dominik Lenne

I have now replaced the YouTube video in the iframe with an image with a data protection notice.
When you click, the actual video is only loaded.

Dominik Lenne

Hello, as you write correctly, embedded youtube videos also pull google fonts from the google server. Many websites have embedded YouTube videos. Are there already warnings about this? What should I do? Always replace embed with image link? Show the consent page *before* the actual page even loads (since the request is made on load, not when watching the video)?
Thanks for tips!

Klemm

What about CDNs for images (such as: Imgix)? Does anyone have any info/experience? Thanks & LG!

Jojo

Hello, everyone! Thanks a lot for this! I have an alternative Google Fonts Checker: https://devotion-it.de/online-marketing/google-fonts-checker/
This also shows the fonts used.
Best regards, Jojo

Hobby IT snooper

Everything – really EVERYTHING is there (in the log files)

> Eva's IP address (212.95.5.190) 15 hits in 3 seconds
> Access of the netEstate crawler (81.209.177.xxx)
> Access to the scrapy crawler (176.9.20.xxx)

w14201c

The basis of the argument of the esteemed colleague is the judgment of the ECJ on October 19.10.2016, 582, C-14/49, as he writes himself. Only it is not quoted completely and correctly: In the original text, the judgment clearly restricts the conditions under which the IP address is personal data. See paragraph XNUMX, which is also quoted in the warning. There is a clear "... if he has legal means ...". You have this as a site operator or as “Fa. Google” certainly not. The reference judgment is therefore about a completely different situation and thus the factual and legal basis for the argumentation in the warnings is omitted. The link to the original text: https://curia.europa.eu/juris/document/document.jsf?docid=184668&doclang=DE

Photography

My website http://www.thomassalvato.at was also affected. The website was made with WIX. Lt. A local integration of the fonts is not possible with WIX. However, I have a corresponding entry regarding Google Fonts in my data regulations.
Eva Z.'s IP address was not in the log files. This was checked by the IT of the website operator.

Lawyer

Interesting: According to his website, the lawyer completed his law degree in 16 semesters, with a minimum duration of 8 semesters. He "used up" 4 law firms for his legal training, which is unusual. I draw my own conclusions from this and threw his letter in the dustbin. In the meantime, it seems largely certain that his actions were illegal. Such an amateurish action is not worth paying attention to.

Rudiger Schultz

Google Fonts on other Google Proproducts (MAPS)

In such cases, it is not enough to simply deactivate all “own” calls to GoogleFonts (fonts.gstatic.com or fonts.googleapis.com). You also have to add something to your own GoogleMaps Javascript application.
Here is the link to it (it helped me a lot for our Proprojects):

https://cameronjonesweb.com.au/blog/fix-google-maps-including-overriding-roboto-fonts/#comment-15925

Grigory

Hello!

How can I prevent Google Maps from downloading the fonts.gstatic.com or fonts.googleapis.com fonts?

With kind regards,

Georg

A customer received TWO letters, each from client Eva, each for the same website, once from 12.08. AND once from 17.08. BUT each with a different IP.

I have no idea why the lady goes to one side twice, resulting in discomfort. So maybe it wasn't a real person who called up the pages. Where can I report this, that's wonderful proof, or am I seeing it wrong?

BananaJoe

This is not proof, but an indication.

Michael S

I am not affected myself, but have been following this warning for a few days
On various pages it is recommended to comply with the information. Only the letter is not accompanied by a power of attorney. This can only be accessed via a link. And here are the following Proproblems:

  1. The content of this page can be changed at any time.
  2. According to statements by those affected, there is an error during the signature verification (yellow exclamation mark)

So before I give someone information, I have to be 100% sure that the rightful person is also requesting this information.

So I'm going into the next GDPR trap, if you simply give the applicant information.
Or am I misunderstanding something in this context?

BananaJoe

I have pointed out to Mr. RA for a customer that the IP without a time stamp of access does not allow me to make a clear assignment to his client. He should please let me know when his client accessed my customer's website.

Peter Solc

PS-TRAINING GmbH received a warning today. Supposedly, Mrs. Eva Z. was on the web address stress.at (a domain that is redirected to the main page solc.at)
I will have the logs checked, report this to the wko and will probably file a complaint with the RAKNOE after legal advice.
Peter Solc (Managing Director)

Ann

I can't find the IP address or other addresses in my log files, but only up to 7.8. Everything else has already been deleted, since I read that many attacks took place from August 5.8th, it is of course possible that it happened before that, but the missing date makes things more difficult on purpose. I will write negative information and that's it, because myself if the lady was on my website, her data is already deleted anyway..

Johanna

Dear affected person, I am happy to provide you with the statement of the legal department of the Upper Austrian Medical Association - please do not refer to it directly if you use it, thank you. Kind regards and good luck to all of you, Johanna Referring to the legal letter from attorney Mag. Marcus Hohenecker in the “Google Fonts data protection violation” case, we can comment as follows: In the pane, a data protection violation – caused by the use of a Google service – is recorded and the existence of a claim for damages totaling €190,00 (including costs). The actual existence of a violation of data protection regulations depends on the technical background of your respective homepage: If the IP addresses are actually transmitted to Google, then there would be a violation of the provisions of the GDPR, unless the consent of the homepage user was obtained beforehand became! Please clarify this with the creator of your homepage. Even if the alleged data protection violation should have occurred on your homepage, it is currently disputed whether a claim for damages exists at all in such a case. In Germany there is a lower court decision on this, which affirms a claim for damages; there are currently no court decisions on this in Austria. Proceedings are currently pending before the ECJ, in the context of which the prerequisites for such a claim for damages are to be clarified; a decision by the ECJ will probably only be available in a few months. The decision as to whether you will comply with the request for payment and accept the settlement or simply comply with the request for information (see below in this text) and a cease and desist declaration (declaration that your homepage has been redesigned and that no personal data will be transmitted to Google in the future without the consent of the person concerned ) is at your personal discretion. We consider the risk of an actual lawsuit and/or a complaint to the data protection authority to be low. It is strongly recommended that you redesign your homepage or have it redesigned by your homepage creator in such a way that there is no longer or can be no data transmission without consent. In general, we advise against using GoogleProducts on homepages, since data transmissions very often occur on these. It is also important that you – if you decide against the timely payment – ​​comply with the request for information in accordance with Art. 15 GDPR within one month (after receipt of the letter of formal notice) and submit a cease-and-desist declaration. Make sure that all points of the request for information attached to the letter from the lawyer are dealt with. A copy of the processed data must also be sent. If you do not have any data or if you do not know the person, a blank report (notification that no personal data of the person concerned is being processed) must be given. Send the answer to the request for information and the declaration of discontinuance by post to Mag. Hohenecker. If your website was created by a third-party company, you may have recourse claims against them, which you may have to claim in court. If you have legal expenses insurance, we recommend that you contact them. Summary of the steps to be taken if you decide not to pay on time: • Contact the website designer (to determine whether data is actually being transmitted) •... Continue reading ...

heeheeee

…. it is noticeable that customers whose domains are on the same host all received the letter and customers whose domains are on a different host have so far been spared...... so the surfing behavior of the dear lady is very noticeable in this respect, since between the websites yes there is no connection, except that they are just on the same host…. in order to establish a connection you have to search specifically for it... or just use a service that indexes the domains by host....

Roman Chlada

Important for users of WIX.com and similar platforms:

The Munich judgment is justified by the fact that it would be possible to integrate Google Fonts locally without any difficulties. This is probably correct if you work directly with the html code. It also doesn't seem to be difficult with Joomla or WordPress.

However, it is not possible if the website was created using a platform such as WIX.com. In this case, the html code remains the property of the platform and you are completely dependent on the automated functions and options of the platform.

Of course, local integration of Google Fonts does not occur because nobody outside of the German-speaking world is bothered by it.

On such platforms, there should be no other way to avoid using Google Fonts than to find out for yourself which of the available fonts are Google Fonts and which are not (they are of course not marked as such in any way). If you find one that is not a Google Font, you can change the fonts accordingly, which also changes the appearance of the website.

There is no guarantee that the platform will not switch entirely to Google Fonts at a later date and replace the other fonts with equivalents.

The Munich judgment is not applicable in this case because the damage, which is not damage, cannot be remedied in one go.

Looser

The lawyer in question was a top candidate for the Pirate Party and appeared several times on Oe24.TV as a vehement opponent of compulsory vaccination. Maybe he needs money again for founding a new party and for the election campaign since the Pirate Party has disappeared into oblivion.

Alois

Unfortunately, I am not an IT expert and I have a technical question:
In my letter, only the screenshot of the source code is visible. Now if someone just looks at the source code (e.g. view-source:https://....), without having previously visited the page normally, are the Google fonts loaded at all?

PS: Thank you very much for reporting on this page!

Martin

Not really, because view-source only loads text content into the browser.

Johann

I too received the lawyer's letter last week and stupidly opened it.
The address was not my name but the title of my website and an incomplete address. Unfortunately, the postman knows me well, otherwise I wouldn't have gotten the letter.
I immediately contacted the WKO's legal service and they advised me to react to the letter (deadline extension).
However, after reading the posts here, I'm unsure if it was wise to respond to the letter.
I had actually integrated Google Fonts (via a WP template, YouTube embedding, Google Captcha).

StenM2020

Article in the Krone – you should also leave appropriate comments here: https://www.krone.at/2790403

Eugen

I also wrote to 6 customers this week from the warning lawyer. And there are more every day….

Heike

New letters continue to be sent?!

Werner

I also got the letter today, but it is about a website that is not mine at all. A brazen attempt at rip-off. Apart from that, the lawyer tells me the IP address of his client in the letter - is that compliant with data protection, since it is not about my website, she (allegedly) visited it?

sunny

I run a web agency myself and some of my clients are already affected. Today I will file a complaint with the public prosecutor's office against the client named in the letter.

Myst111

On what grounds or what criminal offense?

Helmut

suspicion of Process fraud; if an automated search was used (which, given the evidence, must be assumed.

Maria Sailer

Can you join the lawsuit?

Myst111

According to the motto "The spirits I called" I will ask the sites Hohenecker.at and Datenschutzanwalt.eu which of my data will be processed. Perhaps others here are also interested in knowing what Mag. Hohenecker stores about us and thus also learns how much effort such a data collection causes, especially if it sometimes demands 100 or 1.000 from him ;-).

Georg

Perhaps this has already been mentioned here, so please forgive me if I repeat it: I just read it in its data protection declaration on hochecker.at:1.4. One ProThere is also no logging of access (e.g. the IP address). The IP address is only processed by the respective web server for the provision of the website, without us having access to this information.

Christian

I think I checked that he's at world4you. In any case, it is stored for 2 weeks and every website operator has access to it.

https://www.world4you.com/faq/de/dsgvo/faq.wie-lange-werden-webserver-logfiles-gespeichert.html

Johanna

unfortunately I also got this letter, then I did the self-test of the WKO for my site and the google fonts don't seem to be integrated locally. I'm overwhelmed by various troubleshooting videos and suggestions, I'm not really trained in wordpress. give up now, will contact the WKO in the morning.
after my provider is also world4you, it seems that I can't check if Eva was on my side.
I don't think it's right that two people cause so much trouble.

Yomi

Which self test? Don't know anything about the WKO. Please link!

Matthew A

install the plugin mentioned in the article above. works uncomplicated and without much setup.

otherwise post your email address. I or someone else here would be happy to help.

Greetings from the night shift

Ann

I'm also with world4you - unfortunately they won't help you any further! I don't know which dates either provider saves, they just replied to me that it will be deleted after 14 days, so I probably wouldn't be able to find the IP address anymore..

Max

world4you has already reacted and published this

https://www.world4you.com/faq/de/top-themen/faq.abmahnung-wegen-google-fonts-wo-finde-ich-die-logfiles.html

there is also (at least on a wordpress site) the possibility to look at the stats, log in to the admin site and then click https://meine.url/stats gehen

Claudia

https://de.wordpress.org/plugins/disable-remove-google-fonts/ - Hi Johanna - I'm also totally tech-silly - but I managed to do it in WordPress - maybe you can too.

Stay cool

The letter was delivered without proof. Without a registered letter, you may not have received the letter at all. If a registered letter comes, just don't accept it. Then this lawyer will stop with this nonsense.

Ann

Does anyone have experience of how to find out which data is stored on which person and for what purpose? Unfortunately, my hoster world4you does not help me here..

quarter

At world4you you get access to the log files via FTP. everything is very simply and clearly documented in the my.world4you portal

Searching the logs didn't show the IP address I gave, so the "lady" wasn't even on my website

Pete

The question is whether she was on the website between the 4.8 (=date of the power of attorney) and the date of the attorney's letter. Unfortunately, maybe intentionally, there is no date in the letter when she was on the website. I can't find any IP in the log files either, but I can only check this retrospectively up to 7.8.

Ann

ok thanks for the answer.. world4you deletes the data every 14 days, so I think the IP address would no longer be available either..

mankra

Apparently, the only warning currently being given is because of Google Fonts.
Is the integration of scripts, images, libraries via CDN outside the EU also illegal according to the GDPR?

Max

That depends on what they send along... I don't think you can give a general answer to that.

Stefan

I agree with that. If it's just about the IP address, then pictures and JavaScripts leave that anyway.
That means things like bootstrap or material design or jQuery would probably also be something for this scam.