The browser is the user-agent, i.e. an agent acting on behalf of the user. The browser chose to fetch the font, based on the original response. It could be configured not to.
You could also say that the user is opting in to loading a font from google when he actively sends the request to google. You could also say the user is opting in to storing cookies by accepting the file and writing it to his own disk, and sending the file back when the site asks for it. I think it is too late for these kinds of arguments in the EU though, and maybe with good reason, if it turns out the average citizen is not actually able to configure these kinds of decisions.
> You could also say that the user is opting in to loading a font from google when he actively sends the request to google.
Consent is not consent unless it's informed consent. If the user was not made aware of the request in a clear way before the request happened, he did not have a choice. If the person (and by person we mean the human being, not their browser) did not make the choice, then he did not consent. There's no "technically" about it, the question is only if the person knew what was happening and was given an opportunity to opt in.
So it is the responsibility of the website owner to make sure that the user is informed about how his own browser works. Couldn't you make a case for shifting this responsibility to e.g. the browser vendor or the regulating bodies who decide on web standards?
The responsibility of the website owner is not to send users' personal data to third parties, OR to receive their users' informed consent to such sending BEFORE that sending occurs.
That's the law. It's enforced by courts.
Web standards aren't law. They aren't enforced. You can't sue anyone in W3C court for using non-standard CSS or forgetting to close a `<b>` with a `</b>`.
>not to send users' personal data to third parties
>receive their users' informed consent to such sending BEFORE that sending occurs.
Neither of these are what's actually happening in this case. According to this court's decision, the responsibility of the website owner is not to send instructions to the user's machine that might expose their personal data to third parties after the user's machine follows these instructions, OR receive informed consent before such instructions are sent. I'm not saying the GDPR doesn't apply here, but at least it's clearly a different situation.
> For the purposes of this Regulation:
> (1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
— Clause 26 of GDPR [0].
Whereas I would point out the directly or indirectly part, the latter of which happened here.
It hardly matters in the court of law what you "could also say".
The law is clear: you don't have to send your users' data to third parties, but if you decide to do it, you have to receive their informed consent first. In this case, the defendant chose to send personal data to a third party without receiving their informed consent.
The option of conforming with the law by not sending that data anywhere still stands, as does the option of receiving informed consent beforehand.
But technically, the user itself is sending his own data to the third party, and the original website is merely requesting the user to do so. You could interpret it like this: "To use this website, it's best if you have this font. You can get it from here: https://google.com/fonts/blah". It's not exactly the same case as a more obvious GDPR violation, where the website would collect information from the user, and then send it to a third party (e.g. selling user data to a data broker).
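To make the mechanism described in this comment concrete from the site operator's side, here is an added example (not code from the thread): a small audit script that lists the third-party hosts a browser would contact on its own when rendering a page, before any consent dialog. The page URL and HTML are constructed for the example.

```python
"""Audit an HTML document for the fetches a browser performs automatically
(stylesheets, fonts, scripts, images, frames) and report which of them go
to hosts other than the page's own. Page URL and HTML are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
import re

# Attributes whose value the browser fetches without user interaction.
FETCH_ATTRS = {"link": "href", "script": "src", "img": "src", "iframe": "src",
               "source": "src", "video": "src", "audio": "src"}
# <link> only triggers a fetch for these rel values (canonical etc. do not).
FETCH_RELS = {"stylesheet", "preload", "modulepreload", "icon",
              "preconnect", "dns-prefetch"}
# @import "..." / @import url(...) / url(...) inside inline <style> blocks.
CSS_URL_RE = re.compile(r"""(?:@import\s+(?:url\()?|url\()\s*['"]?([^'")\s]+)""")


class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link":
            rel = set((a.get("rel") or "").lower().split())
            if rel & FETCH_RELS and a.get("href"):
                self.urls.append(a["href"])
        elif tag in FETCH_ATTRS and a.get(FETCH_ATTRS[tag]):
            self.urls.append(a[FETCH_ATTRS[tag]])
        elif tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.urls.extend(CSS_URL_RE.findall(data))


def third_party_hosts(page_url, html):
    """Sorted hosts, other than the page's own host and its subdomains,
    that rendering this HTML would make the user's browser contact."""
    own = urlsplit(page_url).hostname
    parser = _Collector()
    parser.feed(html)
    hosts = set()
    for u in parser.urls:
        host = urlsplit(urljoin(page_url, u)).hostname  # resolves // and relative URLs
        if host and host != own and not host.endswith("." + own):
            hosts.add(host)
    return sorted(hosts)
```

Every host the script reports is a party that receives the visitor's IP address as a side effect of the operator's HTML, which is exactly the set to self-host or gate behind consent.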
>It hardly matters in the court of law what you "could also say".
On the contrary, it's exactly what the court is there for.
> the original website is merely requesting the user to do so
... in violation of GDPR, because the user's informed consent was not received beforehand.
> it's exactly what the court is there for
I might have been more clear: it hardly matters what you or I could say — what does matter is only what the lawyers say. In this case, I assume that either A. the defendant's lawyers have brought this argument before the court, and the verdict still was what it was; or B. the defendant's lawyers have failed to bring this argument before the court.
The courts are not there to discuss arguments made in HN comments.
Technicalities don't matter. The user never consented to this data being shared with third parties, and there is no simple mechanism for the user to block them that is available to all website users. As others mentioned, GDPR also requires opt-in.
There is a case for third-party requests, and considering that some websites make tens and sometimes hundreds (e.g. Yahoo) of third-party requests, passing the burden of filtering those requests to the customer doesn't really scale.
The burden is fully on the website operator here. They wrote the software, and it's most certainly closed-source. Just as the burden of keeping my data safe on their backend is on them, the burden of keeping my data safe on my frontend is also on them.
> passing the burden of filtering those requests to the customer doesn't really scale
I think it scales better than forcing millions of website providers to engage in the legal fiction that they are an intermediary between the user and all external content providers that are embedded on their page.
> all external content providers that are embedded on their page
All the embedding is being done by the people building the websites, so yes, they do have full control and therefore full responsibility.
Just because I don't perform a crime or violation myself, it doesn't automatically absolve me when I pay or ask someone to commit it.
> forcing millions of website providers
Millions? There are billions of website visitors, and most of those don't have any control or deep knowledge over their tools. There are only 3 significant browser technology suppliers at the moment, and none of them provides the hypothetical tools to users, only third parties, and those tools often break websites.
Website builders, however, are significantly more technical and able to control their tech stack. If anything, just hire another company. The burden should definitely be on them.
How many of these billions want or are even capable of understanding what they do when they click the "I accept" button? Legal complexities seem even further removed from public understanding than technical ones. This approach seems equally ineffective for achieving what this regulation is intended to achieve: not just to have the users sign away their rights with a click, but to give them an understanding of what they give away. But I'm not sure whether that will ever be possible.
I agree that it's a big problem that the big browsers do not act in the interest of their users, and that their vendors are in fact disincentivized to do so. That would be a good reason for antitrust action and public funding, since they should be public goods.
> How many of these billions want or are even capable of understanding what they do when they click the "I accept" button?
I don't see how this is relevant, but:
Again, whether those consent forms are understandable or not depends solely on how websites implement them. The fact they are confusing is purely because website operators want them to be.
These confusing forms are not a requirement of the GDPR. How they look and feel is up to the website hosting them. They go against the spirit and some go against the letter of the law.
The goal of GDPR is letting people answer questions such as "Can I give your data to company X?". The fact that the internet became a cesspool of privacy violations doesn't change the original intent of the law.
> This approach seems equally ineffective for achieving what this regulation is intended to achieve: not just to have the users sign away their rights with a click, but to give them an understanding of what they give away.
The law already states that rejecting should be as easy as allowing. The fact that websites don't do this means they're breaking the law, and I hope they get punished for it.
> I agree that it's a big problem that the big browsers do not act in the interest of their users, and that their vendors are in fact disincentivized to do so
We already have a Do-Not-Track header, but websites refused to obey it for more than 10 years, to the point that it was removed from browsers.
Solutions were always there. It is websites that chose not to comply.
I know, which is why I said: "and maybe with good reason, if it turns out the average citizen is not actually able to configure these kinds of decisions."
Not in practice. It requires configuration that is non-trivial for most users and might not be available to them in all cases (e.g. using a computer in a library).
In fact, I can't think of a solution that doesn't require third-party software/hardware/product and some computer expertise (AdBlock? Pi-Hole? VPN? Little Snitch? Hosts File?).
uBlock Origin in advanced mode can be set to block all third-party requests by default. I browse the internet that way, but it's definitely not for everyone.
I also browse the internet this way, but yeah. This solution is not available to people not using their own computers, people using certain browsers that don't have it, or just people that haven't heard of it.