Can someone translate? Does this mean that hot linking any static media or asset from a third party is against the law unless explicit approval from the user is first received?
If there are different means to host the asset and the hot linking would transfer data out of the EU (in particular to the US and to a giant marketing company) that might be problematic.
It has nothing to do with approval. This specific ruling is about the principle of data minimisation. If you process personal data you must do a risk assessment and make sure you process no more data than strictly necessary. This applies even if you have consent. So in this case, since you can host the fonts yourself to not share data (IP, time, browser agent, cookies) with Google, you should.
"Can someone translate?"
Here's my attempt at translating the first four paragraphs:
Dynamic IP addresses are a piece of PII (personally identifiable information) to the maintainer of a website. That's because the maintainer can identify the person using their IP with the support of the ISP and the responsible authority.
The use of font services like Google Fonts is not protected by 'Art. 6 par. 1 S.1 GDPR' because the use of the same fonts is possible without connecting to the Google Fonts servers.
The visitor of a website is not responsible for concealing their IP (e.g. with a VPN).
The revelation of the visitor's IP to Google is a violation of the visitor's rights. Given that Google is known to collect personal information to the discomfort of the user, the violation can be deemed so severe that it is justified to demand damages.
This means that embedding any resource from a non-GDPR destination URL is a violation of GDPR law unless explicit opt-in approval from the user is first received.
If you are subject to GDPR law, then the above applies to all sites owned and operated by you and your subsidiaries. If you are not subject to GDPR law, then the above does not apply.
Resources could be hosted by http:, https:, ftp:, or any other protocol. Resources could be .js, .gif, .html, or any other format.
If you’re asking “can I dynamically detect the user’s country of origin and enable GDPR protections only if I determine they’re in that country?”, no: the user has a right to legal protection if they are a citizen of a GDPR-protected country and are residing in a GDPR-bound country, regardless of what their IP address is.
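An added example, not part of any comment in this thread: a static audit that lists the resources a page would make the browser fetch from hosts other than your own, which is where the visitor's IP, request time and user agent end up. The host names, the `audit` function and the sample markup are constructed for illustration, and the check covers HTML attributes and `<style>` blocks only, not external CSS files or requests made by scripts.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

FETCH_ATTRS = ("src", "poster", "data")  # attributes a browser fetches on render
# <link> only causes a request for some rel values (rel=canonical does not).
FETCH_RELS = {"stylesheet", "preload", "prefetch", "preconnect", "icon", "manifest"}
# url(...) and @import "..." references inside CSS.
CSS_REF = re.compile(r"""(?:@import\s+(?!url\()|url\(\s*)["']?([^"')\s;]+)""", re.I)

class ThirdPartyAudit(HTMLParser):
    def __init__(self, page_url, first_party_hosts):
        super().__init__()
        self.page_url, self.in_style, self.findings = page_url, False, []
        self.first_party = {h.lower() for h in first_party_hosts}

    def check(self, where, ref):
        url = urljoin(self.page_url, ref.strip())  # resolves /path and //host/path
        host = (urlsplit(url).hostname or "").lower()
        if host and host not in self.first_party:  # data: URIs have no host
            self.findings.append((where, url, host))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self.in_style = tag == "style"
        names = FETCH_ATTRS
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            names = ("href",) if rels & FETCH_RELS else ()
        for name in names:
            if attrs.get(name):
                self.check(tag, attrs[name])

    def handle_endtag(self, tag):
        self.in_style = False

    def handle_data(self, data):
        if self.in_style:  # text inside a <style> block
            for ref in CSS_REF.findall(data):
                self.check("style", ref)

def audit(html, page_url, first_party_hosts):
    parser = ThirdPartyAudit(page_url, first_party_hosts)
    parser.feed(html)
    return parser.findings  # list of (where, absolute URL, host)

# Constructed sample page; www.example.org is the assumed first-party host.
SAMPLE = """<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<link rel="canonical" href="https://other.example/page"><script src="/app.js"></script>
<style>@font-face{font-family:X;src:url(//fonts.gstatic.com/s/x.woff2)}</style>
<img src="ftp://files.example.net/logo.gif"><a href="https://news.example.com/">link</a>"""
```

Calling `audit(SAMPLE, "https://www.example.org/index.html", ["www.example.org"])` reports the font stylesheet, the font file referenced from CSS and the `ftp:` image, and ignores the canonical link, the plain hyperlink and the self-hosted script.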
> the user has a right to legal protection if they are a citizen of a GDPR-protected country and are residing in a GDPR-bound country, regardless of what their IP address is.
Nitpick: GDPR is written in terms of people "in the Union", not citizens.
If you have agreements in place with third party data processors to protect user privacy, this ruling does not prevent you from hot linking third party assets under that agreement. In effect, the third party acts as part of your infrastructure - just like you may already use a third party hosting provider, cloud database provider, auth provider, logging service, etc.
The GDPR constrains how PII is stored and processed. It doesn't stop you from using third party providers, but it does make you responsible for ensuring user privacy is protected, by delegation through binding privacy agreements and sufficient diligence.
Those types of agreements are already common. For example, if you're hosting on AWS providing service to users covered by GDPR, you should already have such an agreement. It's pretty straightforward. https://aws.amazon.com/compliance/gdpr-center/
Therefore if AWS offered a generic, third party font hosting or embedded video hosting service, you could hot link to that no problem.
Same with Cloudflare, Google Cloud, etc. as long as they provide the necessary agreements with you.
The problem with Google Fonts is there is no such agreement in place, you can't trust Google to not profile users statistically via font requests, and even if Google says they won't do that, you can't trust that their servers in the US won't be tapped by US authorities to monitor request logs, etc.
The data processing agreement with American companies is probably not enough because the USA doesn't sufficiently protect the users' privacy under the GDPR.
It's only possible to go this route if the country has the approval of the EU through the necessary legal frameworks. That's what Privacy Shield and its predecessor were, and both were deemed insufficient.
Your point about a data processing agreement is true, but I wouldn't rely on AWS/Cloudflare/Google until the EU and USA manage to get this stuff worked out.
I should have said adequate data processing agreements which comply with the GDPR. In practice the simplest way to do this would be to have third parties handling EU requests within EU boundaries, and not shipping analytics that contain PII outside controlled boundaries.
Some service providers appear to at least be addressing the issue, e.g. see the AWS link. Hetzner in Germany offers similar data processing agreements.
It would not be difficult for Cloudflare and Google to do the same. If you operate a CDN, almost by definition you have no problem hosting within the EU when sending content to users in the EU.