How the German court’s ruling on Google Fonts affects jsDelivr and why it is safe to use

After the court ruling against Google Fonts, some of our users got understandably worried about the implications of that ruling and how it affects jsDelivr. For this reason, we hired an experienced law firm here in Krakow, Poland where jsDelivr’s HQ is. We asked them to review what happened and provide a simple explanation of what it all means for our users.

Here is what Oleksandr Skoblenko, the founder and managing partner of R&S Partners law firm (https://rspartners.pl/en/) had to say:

On 20 January 2022, a court in Munich ruled that the owner of a website using Google Fonts was in breach of the GDPR by transferring the IP addresses of its website users to Google. According to the German court, the transfer of IP addresses (which are explicitly recognized under the GDPR as personal data) took place in a manner incompatible with the GDPR, i.e. without the consent of the entity to which the IP relates and without meeting the prerequisite of the existence of a legitimate legal interest on the part of the website owner. The owner of the website was ordered to pay damages of EUR 100 to the user (in the case of further infringements, the amount of damages is to reach EUR 250,000 or 6 months of imprisonment for each subsequent infringement).

The cited ruling has stirred up anxiety on the web, provoking a discussion on the possibility and risk of similar legal assessments for other providers of website improvement services and web developers. It is difficult to prejudge how the further interpretation of the GDPR on the ground of the web services market will turn out, but it should be noted that there are no grounds for panic and abandonment of CDN usage due to the mentioned ruling of the German court.

First of all, it should be noted that we are dealing with a single ruling by one of the national German courts. Each court in each EU member state is competent to assess GDPR compliance on its own, and the German ruling does not imply the creation of a uniform line of case law even exclusively within Germany, let alone across the EU. The case of each website, each party using a particular service and even each potential complaining user will require separate analysis.

It should be stressed that there are a number of factors that allow a different assessment of the services provided by jsDelivr than is the case with the Google Fonts ruling.

GDPR allows, in Article 6, the processing of data in case of the occurrence of circumstances indicated in this provision. Among the number of indicated possibilities, the prior consent to the processing of personal data by the subject to the processing (Article 6(1), sentence 1, letter a GDPR) and the existence of a substantial legal interest on the part of the processor in Article 6(1), sentence 1, letter f GDPR are of particular importance.

The German court emphasizes in the ruling that the use of Google Fonts does not benefit from the exemption in Article 6(1) sentence 1 letter f GDPR because it is possible to use the fonts without the user connecting to Google's servers. The court does not consider in principle other aspects of this provision.

In the case of jsDelivr, the situation is slightly different. First, the lack of global distribution of servers within the jsDelivr CDN would cause a significant drop in the quality and speed of the service, and the effective functioning of the service is not possible if a user downloads the data to a local server. Even if it was technically possible, in practice it would be expensive, complex, and burdensome for the user, and using the service itself would become pointless. The processing of personal data (IP Addresses) is therefore essential to be able to provide a service that allows web developers and website owners to benefit from the global infrastructure and other advanced features of jsDelivr that improve the functioning of the websites that use it.

The processing of IP addresses is essential for jsDelivr to be able to send the required data to the user from the jsDelivr servers. In addition, the data is processed solely for statistical purposes to determine the countries of origin of the users, which is important for the expansion of the CDN infrastructure by locating servers in areas of the world where they are in particular demand. This processing, therefore, has full economic justification and its purpose is legitimate. jsDelivr does not process IP addresses for purposes such as marketing or reselling them to others. Nor does it store it long-term. Instead, the data is aggregated as soon as possible, often within hours, and then deleted.

This processing is necessary for the functioning of the service - without IP processing it would be impossible to transmit your request between multiple servers and transfer the data required for a website to operate back to your computer. The scope of the data processed - IP address or location data - also seems justified in relation to the objective of providing the user with an efficiently operating website. Moreover, the important factual interest of CDN users relates to the fact that CDN services affect the quality of the functioning of a website, and not only the aesthetic value in the form of fonts, as is the case with Google Fonts.

In this ruling, it is also notable that the court refers to the transfer of data specifically to Google as being known for incidents of personal data breaches. This ruling cannot, therefore, be transposed to all websites - it seems not insignificant that the ruling emphasizes precisely this relationship. jsDelivr seeks to work with entities that provide an adequate level of data protection.

Additionally, it is worth noting that using jsDelivr’s CDN services minimizes the risk of attacks on websites and their users by making sure files loaded from jsDelivr are up-to-date and loaded using an encrypted connection from the same region as the user, making MITM attacks by foreign powers less likely. For example, EU users will connect to EU-hosted servers and avoid traversing foreign networks that could in theory be malicious and try to modify the contents of the data, read it, or spy on the user. These attacks could pose a much greater risk to the personal data administered by specific websites than the transmission of IP by them for the purpose of the CDN services and for statistical purposes.

To further minimize the risks, we propose that jsDelivr’s users extend their privacy policies to inform them that data such as IP address, place, or date of access are processed for statistical purposes and to ensure the smooth and secure operation of the website, and that they are passed on to third-party service providers. The user's consent to the privacy policy is an additional (though not exhaustive) aspect of the safeguard.

In conclusion, the ruling that has been so controversial recently does not seem to fully address the factual and technical circumstances of how jsDelivr works, and at this point as a single ruling should not lead to any real concerns about using CDN's services. The arguments for extending to other online services a single ruling strongly emphasizing Google's failure to adequately protect personal data are insufficient and lack substance.