Why "what the hell"? This is exactly what happened, and a logical consequence the moment IP addresses are classified as private data. Which it is in a system where it can be used to find the civil identity of the user, which is the case in Germany via Vorratsdatenspeicherung and the rampant misuse of the legal system.
Note how the decision contains the question of whether leaking the IP was necessary. They noted it is not necessary to serve the fonts via Google, it can happen without leaking the IP (I assume they mean self-hosting):
> Google Fonts kann durch die Beklagte auch genutzt werden, ohne dass beim Aufruf der Webseite eine Verbindung zu einem Google-Server hergestellt wird und eine Übertragung der IP-Adresse der Webseitennutzer an Google stattfindet.
translated:
> Google fonts can be used by the defendant in a different way, so that a connection to the website does not make a connection to the Google server, thus without transmitting the IP address of the website visitor to Google.
Which is good news! It is a totally consistent decision with the current privacy rules and best practices: Do not save or leak private data if not necessary, always minimize data exposure as much as possible. The as much as possible part is very important - if there is no way to embed Youtube videos without leaking the address, then that's still possible to do. Sounds fair to me.
This case is about IP address exposure, not cookies. This would still happen. So everyone showing youtube videos would be affected unless users also start agreeing to IP exposure… this could probably be avoided by extending the sites terms.
I see quite a few web pages in Germany that do not load JavaScript or any other content from YouTube,Twitter, Facebook until you explicitly opt in. Basically, the content is replaced by a placeholder saying “click here to load external content from.” - it’s technically not very hard to do so, and I quite like it. I don’t need to be tracked by any of those entities everywhere I go. Tracking and creating profiles is one of the large problems of Facebook like buttons and similar.
> this could probably be avoided by extending the sites terms.
Reading the judgement, I don’t think so. Consent is required before exposing the IP address and is must be explicitly given. Terms can help in cases where there is a technical requirement, for example “if you want to watch this embedded video, you must consent to this”, but they won’t save you when you just embed.
> it’s technically not very hard to do so, and I quite like it
For the average user, it's yet another thing to click without thinking, just to be able to visit a page.
> Consent is required before exposing the IP address and is must be explicitly given
There's the crux of the problem, it's difficult to know what to consent for without first displaying the website, so you implicitly give consent for "just the bare minimum", until you accept the rest. This sounds great, but is both an absolute nightmare for website developers (it's not very easy to do, with how the internet was designed, inline scripts, fonts, CDN stylesheets) and for "most" end-users who just expect good defaults and don't want to sign a consent form every time they visit a website.
> > it’s technically not very hard to do so, and I quite like it
> For the average user, it's yet another thing to click without thinking, just to be able to visit a page.
And yet, they’re still protected: They’ll click on the video when they want to watch the video, load the like button when they want to like, the tweet button when they want to tweet. And all the other times when they visit a website that offers any of this functionality, no data is transmitted to YouTube, Facebook, Twitter.
> This sounds great, but is both an absolute nightmare for website developers (it's not very easy to do, with how the internet was designed, inline scripts, fonts, CDN stylesheets
There is no need to ask for consent for every Stylesheet you load from a CDN. You’re allowed to use cloudflare, cloudfront, fastly,… - they’ll all provide the required DPA that allows you to use them without consent. You need to be careful when it comes to things like like-buttons etc. that get loaded from places that use them to create user profiles for non-consenting users. Yes, that’s hard. But the culprits are the entities that siphon up every bit of data. Direct your ire there.
> There is no need to ask for consent for every Stylesheet you load from a CDN. You’re allowed to use cloudflare, cloudfront, fastly,… - they’ll all provide the required DPA that allows you to use them without consent.
And Google doesn't? (Honest questions)
On first look serving a font from Google and a stylesheet from Cloudflare seem very, very similar things.
The primary difference is that you usually have a contract with cloudflare that they host and serve your data on your behalf. A DPA would usually be part of the contract. Cloudflare also doesn’t mine the IP addresses that they gather as part of their operations to build advertising profiles.
AFAIK google fonts does not require any contract. Google could certainly offer a contract, a DPA, etc., assert that they are subject to the GDPR and waive processing of the data they gather from operating google fonts as a service.
I think these are the wrong solutions. What they're trying to do is to desperately hold on to doing "business as usual". Just now with a CYA fig leaf, and do I detect a hint of possibly a dash of malicious compliance?
What the EU actually wants to accomplish is to set a standard where people do business in a different (safer/higher quality/more ethical) way[1]; which many believe is both better for consumers and for business.
I wouldn't be surprised if a next round of regulations were to explicitly target (actual or perceived) malicious compliance.
My recommendation would be to find other ways of achieving your technical/advertising objectives that minimize the touching of peoples PII.
[1] This is not unusual, the EU originated as the European Economic [Community/Union], and the regulating of safety, quality and ethics standards between businesses and trading countries has been in their bailiwick for a long time (as behooves a trade treaty organization). Not all kinds of regulation are bad for commerce. This kind promotes fair competition and interoperability, while preventing races to the bottom and tragedies of the commons.
Strong disagree. This is more to me like Germany having jack all of a tech sector and trying their hardest to drag the rest of the world to their level.
When everybody would use it, and ISPs would sell access, that could help the users to regain control over their data, and make privacy on the internet finally first class.
> So everyone showing youtube videos would be affected unless users also start agreeing to IP exposure
Yes, and that's a good thing! A web page should only communicate with the server i've reached, there should be zero third-party involved unless i explicitly consent.
That for example <img> tag can use an arbitrary URL is explained by the fact that back in the day storage/bandwidth was expensive. The same is true for video to this day, but i guess it's good that heavy-to-load content is click-to-play.
Are you sure about the „explicitly“ part? I think it in certain cases, implicit consent should be enough, e.g. when a payment processor is contacted from a website. Even if you were running your own payment gateway, the user of your shop should be aware that the website will have to share information with their bank or credit card company. I think sharing data with third parties should not be easier than offline, but also not harder. Or do you sign a consent form each time you swipe your CC?
You are correct. However me simply visiting a homepage (service) does not require communicating my data to third parties, and doing so is not in the legitimate interest of any of the first parties involved. In this case it would fall under the obligation of explicit content.
The GDPR does not require consent for everything. It allows processing data that’s required to provide the desired functionality and payment processors would be covered (IANAL, to take with a grain of salt) You’d still need to mention that in the pages privacy policy, but other than that you should be fine, as long as you have the proper paperwork in place (DPA,…) and the payment processor is themselves GDPR compliant.
I find that hard to understand.
What server have you reached? Many sites are designed to be hosted by many servers at the same time.
Sites hosted on Amazon are moved around depending on load and your location.
Often you'll get part of the site from server X other bits from server Y.. images and css from an asset server and api data from one of many app servers.
You are correct. I just don't think that's a reasonable state of affairs. If that was part of a p2p model (eg. torrent/IPFS) it could be considered a reasonable tradeoff to allow for more eco-friendly (shorter routes, no need for high-powered servers) retrieval scheme.
Hyperlinks are the foundation of the web. However, when we started loading resources (eg. images) from third parties due to high bandwidth/disk cost, we opened a Pandora's box which i believe does more harm than good.
IP information will still be sent to Google, and a notice would have to put up before.
Easiest way to deal with this is to self-host the videos. Most people over-estimate how popular their websites are, and for the ones who don't, getting a dedicated instance with unmetered bandwidth is trivial to get and setup for video-hosting.
It is not in any way trivial to self-host video these days.
In the past when video was a novelty and no one had any real expectation of performance or quality, it didn’t matter much because expectations were low.
But so much work has been done since on reliability/performance/network efficiency and very few products can provide that. Without that work, people will think your player is broken, you will waste mobile traffic, etc. Even Reddit can’t get it right and they are a top 10 website.
Unmetered is often means 1 Gbit. With 4K video that means less than 100 streams. It may work, but the moment the video is shared among friends the site can be in trouble.
Plus YouTube handles all re-encoding and adjust the quality based on the speed and device.
It is possible to do it with open-source components, but it requires a server farm and just not feasible using single cheap private server or VPS.
> and adjust the quality based on the speed and device.
Now if only browsers would implement native HLS and/or DASH support then every site could have this without having to package a bunch of JS with different quirks of reach site.
Of course, it is not really in Google's interest to help YouTube competitors so this is unlikely to happen for Chrome.
> Easiest way to deal with this is to self-host the videos.
For most videos, this would be a copyright violation. i.e. there are now two laws which prevent reasonable technological solutions, making it harder for most people to host and produce content - favoring the already heavily advantaged big companies.
Good. It's about time we took a hard damn look at the ludicrous mockery of common sense that copyright has made of things. Maybe people will start to appreciate the freedom to create once they realize that $industry has made it nogh impossible to do anything without getting sued.
The solution to bad law is not to ignore it, it's to follow it to the letter, every time. Only then will people sit up take notice, and weigh the tradeoffs. In particular, we've let industry run away with far too much of the public's right to do things.
The part I find hard to understand is how you decide whether it is a necessity to load external content.
For example, say I want to embed an instagram post on my website. You could argue that I should talk to the person who took the picture and get a license for the image so that I can host i on my own domain rather than loading the content for instagram. In practice this is obviously much, much more cumbersome than embedding the IG post and so would result in huge changes how websites work (by vastly reducing any externally loaded content).
In a similar vein, you could argue that serving cached content from another host is not strictly necessary. Why not just run your own caching servers? It's probably worse in most ways (my cache server << cloudflare's cache server), but if minimising the amount of content loaded from external hosts is your aim then it is feasible.
> For example, say I want to embed an instagram post on my website.
In that case, you could:
a) get a license (your suggestion),
b) link but not embed Instagram pages, or
c) embed in such a way that it shows a user-controlled notification that opening the embed will connect to Instagram and as a consequence sends data to Meta.
And indeed, some websites use c) without any problem, they even integrate it into the cookie popup. BBC even steps it up: all of their Twitter citations are screencapped and linked instead of other websites just embedding Twitter (in their defense, they can say that this is to preserve the context in case that the user subsequently deleted the post).
> c) embed in such a way that it shows a user-controlled notification that opening the embed will connect to Instagram and as a consequence sends data to Meta.
This is how we arrive at cookie popups and annoying "you're leaving our website" notifications. I posit that perhaps both of these could be a feature of HTTP protocol and the browsers - i.e. a browser could just display a small standard icon in its UI notifying user that he's consenting to cookies, and another one notifying him that he's being redirected outside of the domain he's in, The user could then configure the browser to auto-accept or auto-deny such attempts, review all the consents he's given earlier etc. - all in all, it would result in much better UX.
Google has probably not proposed and implemented something like this in Chrome already only because it would actually improve privacy and that's obviously not in their interest. Which proves that de facto giving up Web standards to the commercial entity was never a good idea. If the EU was better at execution, they would mandate something like this as the law, instead of the current requirements which can be met by just spamming users with popups no one reads.
The "annoying" popups is also how you end up with businesses like plausible analytics that provide analytics, but don't require the popup, because they dont store the information that causes the popup to be required.
We were not better off 15 years ago. We were just blissfully unaware of the problem of large-scale PII collection that was already metastasizing in the shadows.
Imagine a kind of decision square. Rows are "consciously" and "unconsciously", Columns are PII collection, and privacy (no PII collection) .
This gives us a list of 4 possible scenarios (from least to most desirable).
1. unconscious privacy, 2. unconscious PII collection , 3. conscious PII collection, 4. conscious privacy
In detail (least to most desirable situation)
Box 1: Early internet everyone had unconscious privacy. No one was collecting PII, and no one was aware of it.
Box 2: Early 21st century, people started collecting PII at an ever increasing (and frankly alarming) rate. You may have encountered tall tales where people got sent baby advertisements before they themselves even knew they were pregnant.
Box 3: The goal of the GDPR, shine a light on the situation and make everyone conscious that there is a problem; and unveil the extent.
Box 4 (future): fix the underlying problem.
GDPR already addresses box 4 a little bit. Just by shining a light on these practices, some of the slightly shady bits at the edges are already solved.
Now that the situation is visible and known, we can take further political steps at mitigation.
> Early 21st century, people started collecting PII at an ever increasing (and frankly alarming) rate. You may have encountered tall tales where people got sent baby advertisements before they themselves even knew they were pregnant.
What's disheartening is that in physical stores, this already started happening in the '90s, mainly for analysis of loyalty programs' data.
> i.e. a browser could just display a small standard icon in its UI notifying user that he's consenting to cookies
If you need to notify the user that he is "giving consent" then there is no consent.
> and another one notifying him that he's being redirected outside of the domain he's in
There is rarely a reason to redirect to other domains. The most common case is making outbound links go through a redirect for tracking purposes - and that I won't miss.
>> and another one notifying him that he's being redirected outside of the domain he's in
> There is rarely a reason to redirect to other domains. The most common case is making outbound links go through a redirect for tracking purposes - and that I won't miss.
You misunderstand this part, which is forgivable if you're outside Germany. This is about the mandatory "You're leaving X, we do not have control on their data collection or endorse this site's contents. Do you want to continue?" you'll see on German-language website because a court in Hamburg says that they're implicitly liable if they didn't state that.
c) is very popular among various German websites I frequent. Instead of the embedded content there is a blank area and you can consent with one click to send your data to $service which will then load the embedded content. Sometimes it also includes a direct link so you can open the embedded content in whichever way you like. I don't find this to intrusive or annoying, especially since the website can save your choice for later and can choose to never ask you again.
Or in Instagram’s case for me, you read the article and see a strange mess with empty holes today, because your IP address hasn’t logged into any Meta properties in the past year and so Instagram won’t serve you embeds anymore.
I agree that this is a big danger. When this thinking is taken too far you have an easy weapon in hand to destroy websites of your competition, the result would be having no websites in Germany anymore. But so far I've only seen clear-cut cases as this - that Google Fonts is not a valid option has been obvious since the DSGVO, maybe longer. So I refuse to be concerned and trust in a honest best effort approach (I host websites in Germany, there is always risk in that).
The website tried to rely on legitimate interest as the legal basis for processing the data, and that precisely requires a balancing test between the interests of the website host and the interests of the data subject.
If you want to make sure that you're not getting the balancing test wrong, you can always go for the legal basis of last resort: consent. Just ask the user whether you can load content from Instagram and only do it if they agree. In fact, since in parallel to the question of your legal basis under GDPR, you also have to comply with the cookie provision from the e-Privacy Directive, where there is no "legitimate interest" exception to the requirement to ask for consent, you will have to ask for consent anyway (as Instagram embeds place cookies).
> In fact, since in parallel to the question of your legal basis under GDPR, you also have to comply with the cookie provision from the e-Privacy Directive, where there is no "legitimate interest" exception to the requirement to ask for consent, you will have to ask for consent anyway (as Instagram embeds place cookies).
I don't think that's true. The cookie provision is misunderstood when you think you have to ask for consent for functional cookies. Follows from the GDPR, and there is no specific cookie law actually implemented in european countries. See also https://gdpr.eu/cookies/. Ah, but maybe I misunderstood and you are only talking about the cookie set by the embed?
It is not true that "functional" cookies are generally exempt from the consent requirement. What is concretely exempt are necessary cookies for a service that the user explicitly requested. This is not the case for cookies placed by Instagram embeds.
Sorry, but an opinion from 2012 has no chance to be relevant if it disagrees with the current GDPR interpretation I linked to. Note how it explains that the ePrivacy Regulation is not in effect. I do not see how there could be any basis to legislate cookie usage if it is not linked to private data/analytics, if this happens it will not survive the courts I think. I do understand that this cookie consent interpretation is common - one just has to look at those stupid cookie consent forms on private blogs - but it does not follow from real legislation.
However:
> This is not the case for cookies placed by Instagram embeds.
Yeah, I can see how this is complicated and how it fits the topic. It's not a third party cookie for the embed, but for the website it might be, and is it even a functional cookie? I doubt it. I'm not sure how those would be judged and what is a reasonable way to work with embeds. It's only certain that there is not a solution as easy as it was in this case, where self-hosting the fonts was possible.
You're making the mistake of thinking that the cookie consent requirements are somehow a consequence of GDPR. The cookie consent requirements exist separately from and additionally to GDPR as a consequence of the e-Privacy Directive. What GDPR changed in regard to cookie consent is what exactly constitutes "consent", as it updated the Data Protection Directive in that regard, but it did not change when consent for cookies is required.
Other than court judgments, the Article 29 Working Party opinion is the most authoritative opinion you will get on the interpretation of the e-Privacy Directive, which is the "real legislation" that you need to look at.
edit: Nobody claims that the e-Privacy Regulation is in effect, by the way -- of course it isn't, it hasn't even been passed. The cookie consent clause of the e-Privacy Directive is however in effect, and has been since 2009.
Also the e-Privacy Directive does exempt strictly necessary cookies from any consent requirements, or am I completely confused now?
Edit: No, I'm not. The GDPR page I linked states the situation that follows both from the GDPR and the e-Privacy Directive. It also fits to what is written in the directive itself.
Strictly necessary cookies for a service the user explicitly requested. And, importantly, this is true even if no personal data is involved and the process is therefore not covered by GDPR at all -- the cookie clause of e-Privacy Directive applies regardless.
Careful. That is an 100% unofficial site. It is not chartered or funded by the EU. The linked article is from “Richie Koch”an editor working on human rights stories who wrote the article on behalf of Proton VPN, which runs the GDPR.eu site as a content marketing scheme. The linked article is not the law and not official guidance, though it provides a reasonably good summary.
Everything sqrt2 says in the comments is entirely correct, as far as I can tell.
Fair point. And thanks. I think now that my position - while how it should be, consistent with the GDPR and repeated at multiple places - is possibly not in line with a court decision from 2019 or so, that interpreted the e-Privacy Directive in a wrong way imho, and at the very least might depends on local practice of how EU "law" is applied. So you two are probably right.
Ridiculous to govern non-privacy relevant tech usage like this. I still think that's illegal where I live. Regardless, let's hope the e-Privacy Regulation or future court decisions solve this.
The part that is tricky, is where we offload additional burden of knowledge and responsibility to the website providers.
When it is on the user to figure out whether they are allowed to use a product – and that means in fact any product – that one of the biggest companies in the world is allowed to offer in my country legally, we are in trouble.
Law is complex. Tech is complicated. Most people are not law or tech experts. Getting sound advice on both is expensive, and the trend to increasingly need more of both is worrisome.
This seems neither fair nor reasonable to me. Or particularly democratic.
I have to say that this is such an example of new technology being scary but the problems with old technology being ignored.
I'm still waiting for the ability to have mail received from someone or a company without giving such parties my name and physical address. This could very easily be implemented in many ways, but somehow does not exist.
There is no reason for a mail order company to know my full name and physical address to deliver anything to do, and I feel this sis far more compromising than an i.p. address.
It's an argument for, as I said, that people have a tendency of disproportionately focusing on the harmful effect of new things, all the while ignoring anything that is sufficiently old.
I find giving ulterior parties my name, and the physical location on the planet I live far more scary than being tracked by cookies without such cookies being able to be tied to such things.
This is not good news. This indeed very bad news. Especially for entrepreneurs in Germany who must constantly fear to be convicted for something as ridiculous as this.
Yes, but they have a contract with the VPN and the VPN has a data protection officer. Here they just send data to Google and Google has not made any promises to protect the data.
Not quite? Wouldn't the users browser have sent its own IP address to Google? That's different that "forwarding" it, and it may not even be enough for Google to connect the user to that site.
The web site did no such thing -- it served up a document that contained the reference. It is the end user that CHOSE to delegate interpretation of that document to a web browser (ad a counter example, look at how RMS browses the web). Yes this is less practical. But since the decision only deals with what is "possible", then logically it should be fully consistent.
Now from a practical standpoint, I'd like to see a privacy consent header which informs the web site of the privacy options the user has selected. Absence of that header or absence of specific selections will result in annoying popups like we have now.
It strikes me that this is exactly the same scenario, in reverse, that we have with people being convicted of "hacking" a website by entering a URL that wasn't supposed to be exposed. Things like "consent" and "authorization" are murky when we delegate our will to computer programs like browsers and servers.
If URL "hacking" is illegal, then we have decided as a society that persuading a piece of software to do something does not equate to informed consent on the part of the person operating it (and by extension that we're meant to make some sort of guess as to what they do intend).
I strongly disagree with this interpretation. In my view, a person maintaining infrastructure is a position of power and therefore should be held to specific standards in regards to how it treats users.
Users on the other hand are just people. Being a user on a service does not grant you power over other users (not out-of-the-box anyway). Sure you can scan for vulns and/or follow a public link to a top-secret document: in my view that's nothing wrong. Now reverse the situation: why should a remote server administrator dictate the computing performed on your machine?! Is it ethical for some website operators to start scanning your local network?
A service operator knows about threats, hopefully has counter-measures in place, and can always ban you (or specific requests) if it comes to that. A user is mostly helpless, especially when it comes to computations performed by a script you unconsciously downloaded and executed from a server. How many users are aware of what RCE even means and that a web browser with JS enabled is essentially RCE-as-a-service?
> it served up a document that contained the reference
A document that is expected to be executed by the receiving system. Might as well log in to your companies production server as root and send the completely meaningless string of letters "rm -rf / \n", not your fault if the receiving system actually executes it.
GDPR specifies a different interpretation of events, that takes precedence here: the user chose to visit GDPR-bound site A, and the law requires site A not to compel the user to visit any site B that is not bound by law or treaty to honor GDPR as well.
You’re not wrong that one could logically evolve your interpretation from circumstances, but GDPR’s authors chose not to accept your interpretation as sufficient, and went further than that.
I was thinking more along the lines of the "allow location" and "allow notifications" popups. The web site will ask you first, and if you say yes the browser then asks you in its own popup. Or you can tell the browser to always accept, or always allow on a per-site basis.
1) google won't know what site told the browser to do that.
2) this is probably more of a browser issue than a site issue.
3) the reason browsers dont complain about content coming from different domains is because the entire ad industry depends on that behavior. That may need to stop ;-)
Not all browsers send Referer headers. These days it's only useful for doing log analytics and hotlink protection from the browsers that do send the header.
This argument was tried in the Fashion ID case. A company had inserted Facebook Like buttons on the web page, and argued that it was not responsible for the ensuing disclosure of personal data (such as IP addresses or possible tracking cookies) to Facebook. See, it was the browser and not the website operator that disclosed the data, and the website operator never had access to the data in the browser in the first place!
The European Court of Justice did not buy this argument. By coding the website in a particular way, the website operator was responsible for causing the user's browser to act in a particular way, so it was the “data controller” for the collection an transmission of personal data by the Facebook Like button, though Facebook is of course jointly responsible for what their code does.
The underlying argument is that someone is a data controller and thus responsible for GDPR compliance when they determine the “purposes and means” of processing, alone or jointly with others. Embedding the code for the button was an exercise of this power to determine purposes and means. In contrast, the website operator is not a data controller for whatever Facebook does with the collected data on its servers, because it cannot control what FB does.
The given case from Munich is a very straightforward extension from the Fashion ID judgement, though the website operator didn't even claim that they weren't responsible. Instead, they argued that they had a “legitimate interest”in loading fonts from Google servers, which the court rejected. While I consider it probable that Google does not use data from Fonts servers for tracking, the judgement correctly points out that Google is well-known for tracking – but this doesn't matter anyway, since already the disclosure of personal data without a legal basis is a problem.
That seems on the surface to be a ridiculous argument.
I can go "bash < somefile" and I can go "csh < somefile" and I can go "cat < somefile". It's my choice to use bash, csh, or cat. somefile will have data in it, that data will be interpreted by MY choice of program to read the data. If I don't want the contents of somefile interpreted as commands I shouldn't be passing it to something that runs commands based on its content. replace somefile with `curl someURL` and nothing changes. If I don't want my computer to connecte to other computers based on what content comes back from `curl someURL` that's my responsibility.
Maybe a better example. It type `npm -i somepackage`. npm then looks in somepackage and sees dependencies and downloads them. By the same logic as the judgement npm or `somepackage` is responsible for leaking PPI based on the dependencies listed. Not the user for running npm in the first place.
The same with `apt update` and `apt upgrade` etc...
The ruling would apply in tons of places that seem like they'd make it hard for things to keep working.
If the CDN abides by GDPR laws and doesn't process user data then it is fine. But if the CDN you use process user data for its own gain rather than just serve the request then that goes against GDPR. It is your responsibility as a developer to ensure the services you use follow these laws.
If you don't have a contract stating that the other part will honor GDPR then we will assume that the other part will misuse all data sent to them, so you aren't allowed to send any data at all.
This was a static web address and not a CDN for this website, the company doesn't have a contract with Google about this and the user didn't go to Google.
Hundreds of thousands if not millions of mom and pop blogs are linking to images, fonts, scripts, etc from various sites. Are you really going to fine them all?
You're basically arguing any link to an image on imgur or flickr or wikimedia is should be fined.
> You're basically arguing any link to an image on imgur or flickr or wikimedia is should be fined.
Why do you think that? I would never agree that a link should carry any responsibility to the site owner, even if it linked to porn, warez or really illegal stuff.
I think there is not. You are not allowed to download the video and host it yourself, that would be a copyright violation. Am I missing a legally valid way?
Okay but let’s say you have permission to host the content — e.g: you actually own the video.
Do you still think it’s reasonable that it should be a legal requirement that to embed a video on your web page you must develop your own video delivery infrastructure?
You could just link to YouTube and not embed the video.
I think the important part is that this is an issue, only because companies like have had a surprising hard time not misusing every single bit of information sent their way. The result is that companies have forced governments to step in and now they are overregulating.
If you specify preload=yes or other take any steps whatsoever to promote preloading of the (non-GDPR) YouTube link, then you would definitely be responsible for the user’s IP leaking to a non-GDPR site, and risk owing fines under GDPR.
If you do not request preload behavior, then you’re just linking another site on the web, and users are considered to understand that links go to other sites, and that’s acceptable. A theoretical GDPR complaint would find that the user agent was responsible for the behavior, not you as site operator.
You pay for that content delivery by selling the users data to Google. Do you think that is fair that the user should pay for your video hosting with his data? If the user wants to see the video, sure, but that hasn't been made clear yet at this stage.
Well, it depends. If it's a short video that fits into your available traffic that you can just self-host with a video tag, why shouldn't you take that option? If it would be a huge burden like where you really would have to develop infrastructure despite that not being in your budget nor competence, then of course not.
I already agreed in a comment above that these questions wrongly answered by a pure privacy maximizing position carry a huge danger for the german web.
Note how the decision contains the question of whether leaking the IP was necessary. They noted it is not necessary to serve the fonts via Google, it can happen without leaking the IP (I assume they mean self-hosting):
> Google Fonts kann durch die Beklagte auch genutzt werden, ohne dass beim Aufruf der Webseite eine Verbindung zu einem Google-Server hergestellt wird und eine Übertragung der IP-Adresse der Webseitennutzer an Google stattfindet.
translated:
> Google fonts can be used by the defendant in a different way, so that a connection to the website does not make a connection to the Google server, thus without transmitting the IP address of the website visitor to Google.
Which is good news! It is a totally consistent decision with the current privacy rules and best practices: Do not save or leak private data if not necessary, always minimize data exposure as much as possible. The as much as possible part is very important - if there is no way to embed Youtube videos without leaking the address, then that's still possible to do. Sounds fair to me.