Before 2010, the display of fonts on websites and apps come with some difficulties: either there was only a small selection of fonts stored on each end device, or the text had to be placed in the image using an image editing programme. This led to long loading times as well as sub-optimal search results for the major search engine providers.
With Google Fonts, Google has supposedly found a "solution". Google Fonts are fonts which can be used by anyone under an Apache licence, they can be integrated directly in the website by means of a code snippet (so-called "dynamic variant"). Google offers an interactive library with more than 1,300 fonts which are often even available in different font styles (e.g. bold, italic, etc.). The fonts are free and may also be used commercially.
But: whenever a website where a code snippet is integrated in the HTML code of the web pages is called up, a server connection is established with Google LLC in the USA. Via this connection, the fonts are uploaded to the user in real time. In order for this to happen, the IP address of the website user must be captured and transmitted to Google - but it is precisely this IP address capturing which is problematic from a data protection perspective, as the Munich Regional Court (Case No. 3 O 17493/20) recently ruled with final effect in a damages case.
The operator of a website had dynamically integrated Google Fonts into her website without obtaining prior consent from each user. A user sued for injunctive relief and damages before the Munich Regional Court. The Munich Regional Court decided in favour of the plaintiff, ordered the website operator to refrain from using the dynamic variant of Google Fonts and awarded the plaintiff non-material damages in the amount of EUR 100. In a nutshell, the court argued that the goal of displaying fonts in the best possible way could have been achieved in a more data protection-compliant manner.
However, the Munich Regional Court did not deal with the question of data transfer to the USA which is relevant in practice. Since the Privacy Shield "case" ("Schrems II", ECJ C-311/18) at the latest, regular data transfers to the USA under Google services are hardly possible in a legally compliant way - not even with users’ consent. This issue not only affects Google Fonts, but also concerns Google Analytics, for example. This is another Google service which can currently no longer be used in a legally compliant manner given the decisions of several supervisory authorities - above all the Austrian Data Protection Authority (D155.027, 2021-0.586.257).
It is therefore important to note that the use of tools such as Google Fonts and Google Analytics may lead to penalties, claims for damages and actions for injunctive relief. In order to avoid negative consequences, it is important to check in advance if the services used are legally compliant. We will be happy to help you with this.
Links:
Regional Court of Munich, 3 O 17493/20 [LG München: 3 O 17493/20 of 20.01.2022 | GRUR-RS 2022, 612 BeckRS 2022, 612 REWIS RS 2022, 1892]
ECJ C-311/18, Schrems II [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:62018CJ0311&from=de]
Data Protection Authority D155.027, 2021-0.586.257 [ https://www.dsb.gv.at/download-links/bekanntmachungen.html