>The ruling says the website owner illegally shared the user’s IP address with Google. AFAIK, this is an incorrect interpretation of events.
I wouldn't say so. By making use of the Google Fonts service, the website owner set up a scenario where the browser would then share the user's IP with Google. That's the default behavior of most browser setups. It's as good as sharing with Google directly, no? I feel like the scenario is similar to setting up a trap. Technically the victim activates the mechanism, but surely the one who sets the trap carries the blame?
> Technically the victim activates the mechanism, but surely the one who sets the trap carries the blame?
Well said.
Law is not a programming language; the fact that the website didn't _technically_ share the IP, but did it through the browser, is not relevant.
I agree, but the definition of the law can also be interpreted many different ways, until it's clarified, I guess. This seems to me like a very grey area.
There was no trap, in my opinion; the document clearly specifies that an additional resource, here a font, will help the website look as intended by the designer. It's visible and its effects are well known (it's part of a well understood specification) and can be blocked. Websites have a responsibility, absolutely, but this just feels like going too far...
The "going too far" feeling might come from the Overton window being pushed away in a direction. Regardless of what's right, healthy, good or bad, usual things feel normal, and unusual things will feel like going too far. The thing that matters in this feeling is what someone has gotten used to, which is not an objective quality of the thing, but an attribute of the viewer.
Not a lawyer, but to my knowledge, GDPR does not care if something technically "can be blocked" with some effort. It cares if there was clear, voluntary consent to share a particular bit of data - which wasn't the case here.
Then GDPR should blame the browser vendors for shipping with JS execution enabled by default and demand that JS execution for all browsers be turned off by default. To repaint the stories spun by the grandparents: If I hold up a dagger and announce the fact, why would you run into the dagger anyway without protection? Put on some armor, dude. The client browser had all the information it needed to not make the request (geolocation, external resource, purpose of external resource) and yet it did. I know this is just shifting blame, but it's also a good argument for returning HTTP 451 to EU clients and being done with it.
>If I hold up a dagger and announce the fact, why would you run into the dagger anyway without protection? Put on some armor, dude.
Let's say I'm dumb, and I run into the dagger that you're holding. The case is then investigated by the law enforcement. Who do you think they'll blame? Would I be deemed guilty, and would my crime be not having armor on?
I'm not either, and neither are most developers. My takeaway from this is GDPR doesn't care, leaked data is leaked data. I'm just worried about the implications this will have for the non-malicious practices that the internet has evolved to use over time. Perhaps this is for the better, but I fail to see that future at the moment.
This is, for better or for worse, how the internet works. There may be better alternatives, but we're stuck with this for now. The truth is that an extraordinary number of websites use third-party resources, jQuery from CDNs, fonts from Google, etc. This ruling will never stand in higher courts imo, because it would break the internet through fear.
I'm curious to know whether DNS and your IP being in the header of packets travelling through various different countries that can be sniffed is also considered as unwilful data sharing?
This ruling will 100% be upheld in the higher courts.
The website is arguing that they have a legitimate interest in downloading fonts from Google in the client browser, but as the court correctly states, the website can provide these fonts directly. There is no reason to infringe on the user's privacy, so there is no legitimate interest. And therefore the use of Google Fonts was without a legal basis.
BTW - The website could have used a different legal basis out of 6 available, like consent. See: https://gdpr-info.eu/art-6-gdpr/
> I'm curious to know whether DNS and your IP being in the header of packets travelling through various different countries that can be sniffed is also considered as unwilful data sharing?
Unless there is another way to achieve the same purpose, there is a legitimate interest in processing that data for the purposes expected by the client, i.e. providing internet service.
> The website is arguing that they have a legitimate interest in downloading fonts from Google in the client browser, but as the court correctly states, the website can provide these fonts directly. There is no reason to infringe on the user's privacy, so there is no legitimate interest. And therefore the use of Google Fonts was without a legal basis.
Would the same argument apply to using Stripe or PayPal to accept credit card payments? The site could deal directly with a lower-level payment processor, which would reduce the number of third-party entities that see the user's credit card.
I wouldn't say so, especially because in the shops I encountered, they explicitly state that "Payment will be handled by XY provider. You'll be redirected etc etc". That's not exactly using a resource from a third party in the background.
This clearly falls into Art. 6 GDPR paragraph 1, point b):
Processing shall be lawful only if and to the extent that at least one of the following applies:
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
This legal basis is a lot clearer and a lot less stringent than point f), legitimate interest, as it does not explicitly require you to establish "legitimacy" and balance it against vague "interests or fundamental rights and freedoms of the data subject".
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
I'm not a lawyer (web dev in my spare time), but how far does "provide more directly" go? A private ISP? There's no limit, only what seems to be considered by the courts as "reasonable". Then again, that is how law is interpreted most of the time, no?
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
You can do basically anything with things like IP addresses as long as you have valid consent from the client, i.e. they need to actually know, or at least be able to learn, what you are doing with their data and decide that it is ok. So, no guessing here, just be transparent, and assume no consent by default.
In the case of an ISP, they have to process your personal data because it is necessary for the performance of a contract of providing the internet service. Also, no guessing here.
The legitimate interest clause is a "catch all" clause for anything that the legislator did not think about, so it is very vague by design. You do not want to choose this as a legal basis for data processing if you do not want to deal with legal uncertainty. But if you do choose it, you should have strong arguments that you really need this legal basis.
If companies similar to yours are able to do exactly the same thing in a way that is less impactful on privacy, then you can expect that courts will not grant you a legitimate interest.
You can also do legal tests to determine whether you have a legitimate interest:
- The purpose test (identify the legitimate interest);
- The necessity test (consider if the processing is necessary); and
- The balancing test (consider the individual’s interests).
Also, based on my observation, if you are not doing anything really egregious and you are willing to cooperate with data protection agencies (DPA), you do not have to worry about anything. If a DPA decides you are doing something wrong, they will tell you about it. And if you just adjust, like start to host fonts on your servers, they will let it slide or give you a small slap on the wrist. The really high fines are reserved for malicious conduct or gross incompetence with actual harm already done to people.
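An added check, not code from the thread, for the "adjust, like start to host fonts on your servers" step: a site operator can run it over their own HTML to list which third-party hosts a page makes every visitor's browser contact, which is exactly the kind of request the ruling treats as the site handing the visitor's IP address to that third party. The sample page and the first-party name example-shop.test are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not from the thread): the shop's own origin is
# example-shop.test, but it pulls fonts and jQuery from third-party hosts.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<link rel="stylesheet" href="/static/site.css">
<style>@font-face{font-family:Lato;src:url(https://fonts.gstatic.com/s/lato/v1/x.woff2)}</style>
<script src="//code.jquery.com/jquery-3.6.0.min.js"></script>
<script src="https://static.example-shop.test/app.js"></script>
</head><body><img src="/logo.png"></body></html>"""
# Fetch triggers inside inline CSS: @import "..." and url(...)
CSS_URL = re.compile(r"""(?:@import\s+|url\(\s*)['"]?([^'")\s;]+)""")

class ThirdPartyAudit(HTMLParser):
    """Records every resource the markup makes the browser fetch from a host
    other than the first party (or one of its subdomains)."""
    SRC_ATTR = {"link": "href", "script": "src", "img": "src", "iframe": "src"}
    def __init__(self, first_party):
        super().__init__()
        self.first_party = first_party.lower()
        self.findings = []          # (element, host, url)
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self._in_style = True
        url = attrs.get(self.SRC_ATTR.get(tag, ""))
        if url:
            self._record(tag, url)
    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
    def handle_data(self, data):
        if self._in_style:                  # inline CSS can trigger fetches too
            for url in CSS_URL.findall(data):
                self._record("css", url)
    def _record(self, element, url):
        host = urlparse(url).netloc.lower()  # "" for relative URLs
        if host and host != self.first_party and not host.endswith("." + self.first_party):
            self.findings.append((element, host, url))

def audit(html, first_party):
    """Return [(element, host, url)] for each third-party fetch the page triggers."""
    parser = ThirdPartyAudit(first_party)
    parser.feed(html)
    return parser.findings
```

Running `audit(SAMPLE_HTML, "example-shop.test")` reports fonts.googleapis.com, fonts.gstatic.com and code.jquery.com; a page that serves the same font files from its own origin reports nothing.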
> This ruling will never stand in higher courts imo, because it would break the internet through fear.
It wouldn't break the internet. The internet was fine when the vast majority of sites hosted all their own content and didn't ask your browser to load crap from dozens of domains. It wasn't even that long ago. Honestly I think it was better.
But it has since evolved, greatly, in complexity. Just because things were like something once, doesn't make it easy to go back. Hey, I'm all for more privacy, I'd like to go back to how it was before but keep the good parts from today, but this would make it harder for the small guy without some advancements in IT, private CDNs and easier font management. IT is already a nightmare just to keep it from breaking.
That we’ve been doing a certain thing in the past is no excuse to allow it to continue going forward. It is good that we are challenging practices that we have taken for granted and validating whether we want such practices to continue.
"Can be sniffed", and "Provider is making a third party sniff" are two different things. Legally and ethically too.
Right now you're right, the internet works this way. But that doesn't make it right, or fair, or anything, it just is. And it's also no reason it couldn't work in a different way.
> I'm curious to know whether DNS and your IP being in the header of packets travelling through various different countries that can be sniffed is also considered as unwilful data sharing?
The IP has to be there for the return TCP packet, so under GDPR this falls under "strictly necessary" information.
If someone sniffs you, they now have your PII. They can't do anything with it that is not "strictly necessary" without your consent, otherwise they're also in violation of GDPR.
The only people trying to "break the internet through fear" are the doomsayers.
Is it strictly necessary to have that many intermediate parties to handle TCP packets with the user's IP?
You can instead peer with the user's ISP, or install a machine into the user's network (something like an Amazon Echo / Google Home could work too) which establishes an encrypted tunnel to your main servers. Sure, it would be more expensive to do this, but so would hosting your own copy of a font instead of using a CDN like Google Fonts. What's strictly necessary doesn't mean what's necessary in order for you to host the site cheaply.
It is considered strictly necessary under GDPR, yes, because TCP/IP (and UDP) is how the internet works.
Something being "strictly necessary" under GDPR also doesn't mean that each intermediate entity can do whatever they want with the IP address.
> which establishes an encrypted tunnel to your main servers
Grandparent was talking about "packets travelling through various different countries". This is just TCP/IP. Using a tunnel won't change this, intermediate routers will still see your IP. Your idea is no different from HTTPS.
If you don't want intermediate routers seeing your IP you have to lay 100% of the infrastructure between the customer's house and your website. Again, this is not how the internet works. And GDPR already covers potential privacy issues that might arise in this case.
> The difference is that now your IP is what all the intermediate servers see instead of user's private data (your user's IP address).
Nope. Your IP is also visible to each router in between when using such a tunnel if the machine is in the user's network (in your Amazon Echo or Google Home). You need alternative infrastructure to bypass the internet.
Installing a machine directly in the ISP building is no different from Carrier-grade NAT that is already widespread. It also leaks some data about you that can be deanonymised. It is also extremely expensive.
Sorry, I don't mean to play the devil's advocate, this has already gone way off-topic so take what I say with a pinch of salt.
But technically, the IP is not strictly necessary? I can imagine a feasible future where it could be replaced with an anonymised IP from a larger pool generated by your ISP, with TLS for the payload. This could be solved at the internet infrastructure layer, and not required to be solved by website developers.
> I can imagine a feasible future where it could be replaced with an anonymised IP from a larger pool generated by your ISP, with TLS for the payload.
This is already a thing with NAT and Carrier-Grade NAT.
However, if the IP + port + time trio, coupled with other information (such as browser, stack, timezone, behavior), can be used to de-anonymise the user, this also instantly becomes PII.
> This could be solved at the internet infrastructure layer, and not required to be solved by website developers.
It could, but until we get there, website developers will have to deal with it.
Identifiability for IP addresses uses an even lower standard. The GDPR says that for something to be truly anonymous, there must not be any “reasonably likely” means for identification, even with the help of third parties, even when relying on additional information. There has of course been litigation about this, in the form of the Breyer v Bundesrepublik Deutschland case. It was based on the GDPR's predecessor law, but it used virtually identical phrasing so the conclusion still holds.
The European Court of Justice constructed a hypothetical scenario to show that identification can reasonably be likely. Let's say the website was attacked by a hacker. In a logfile, you find the attacker's IP address and want to prosecute them. So you report the incident to whatever authority is responsible for such incidents, which then gets a court order so that the attacker's ISP discloses information about the IP address. As long as the ISP knows to whom that IP was allocated at the time, there is now a reasonably likely chain of events that leads to identification of the person behind the IP address.
In this case about Google Fonts, the court says that it's sufficient if the website operator or Google have the “abstract means” for identification, not whether they actually did this for this plaintiff's specific IP address.
A solution would be if the EU forbids ISPs from keeping such logs, but given repeated attempts at mass data retention laws for national security purposes and pressure from the IP industry^W^W film and music industry for copyright infringement prosecution purposes, that doesn't seem likely.
To handle resources, like a jQuery library, I'd love to see URNs being used. A Universal Resource Name is supposed to uniquely identify a resource solely by its name, and say nothing about where to find it - which is the job of its sibling, the URL. A website could state that they need "urn:uuid:6e8bc430-9c3a-11d9-9669-0800200c9a66", and then the browser could decide where to look that up. In my local cache? The cache distributed with the browser? The ISP's repository of resources? The original first party? My VPN provider's fancy anonymized lookup service? Whatever the case, it feels like a robust way to handle shared resources, and of course to introduce a myriad new ways to break UX, but hey, it's progress!