> It is undisputed that the plaintiff's IP address was forwarded to Google when the plaintiff visited the defendant's website.
In this context, "It is undisputed" does not mean "It is a truth universally acknowledged by everyone", but rather "there is no dispute between the defendant and the plaintiff that this happened; in the light of that non-disagreement, the court is not required to decide whether that happened or not, and will accept that as a fact".
So in this case, the defendant (as well as the plaintiff, of course) agreed that "the plaintiff's IP address was forwarded to Google when the plaintiff visited the defendant's website". If there was a place to bring forward this "agency argument", this was the place; however the defendant seems to have chosen not to bring it forward.
It may be because the defendant's lawyers are unprofessional and forgot; it may also be because they are professional and so they knew this argument would not hold.
The plaintiff's browser did what the defendant's code ordered it to do.
If the defendant's code violated GPDR (which seems to be the court's conclusion) by sending the plaintiff's browser somewhere, it's a defendant's problem, not plaintiff's.
Yeah, that's exactly the agency argument. It's not as if the plaintiff's browser is actually under control of the defendant, a user agent is not forced to follow the instructions that are contained in a website it requested on behalf of its user.
I don't think forcing each and every single website provider to implement their own consent forms is the right approach to regulating this. User agents should have the ability to convey and enforce privacy preferences on behalf of the user, and website providers should be legally required to comply with these if possible (or refuse service if not). But requiring ever more complex, explicit and custom opt-in consent forms for various provider, third party and user jurisdiction combinations is just inane.
Consent forms are not required, just host the font. They are also way more expensive and complicated to implement than self-hosting fonts. Asking for consent over usage of third-party fonts borders on pettiness from the website owner.
> User agents should have the ability to convey and enforce privacy preferences on behalf of the user, and website providers should be legally required to comply with these if possible (or refuse service if not).
The burden of respecting privacy choices in every single other case (data in the backend, data shared with partner, paper data) is already with the website. Every non-privacy-respecting implementation in the frontend is made by website owners.
Keep in mind that sometimes websites don't work with blocking other stuff, or are more difficult to use when blocking fonts (Google Material). So this is not even a practical suggestion.
There are two options to do what's required by the law: either A. not sending users' personal data to third parties; or B. receive informed consent from the users before sending their personal data to third parties.
If the option B seems unwanted for some reason (any reason), there is still option A. Implementing a different solution (that breaks the law) has consequences.
"Your honor, the victims of my ransomware attack decided to use a modern CPU to run my code. The attack would not have succeeded have the victims used Z-80, so there's no one to blame but the victims themselves."
> a user agent is not forced to follow the instructions
Luckily! A large german media corporation called "Springer" has for years, and is still, unsuccessfully trying to get the courts and politicians to rule that users can not manipulate web content and must run it as intended, as changing it would violate copyright and is a sabotage of their program. And i bet they aren't the only ones globally. Also: how many devices are locked down and can only run code as it is provided by trusted third parties? Try installing an ad-blocker on a smart-tv or a playstation.
Website have no authority over the browsers accessing them. They can't order. Just state information. "There's a font over here" not "you have to go access this font over here".
That browsers by default tend to follow links to resources automatically doesn't change that. It's still the agent the user has chosen to represent them when talking to the website making the decision not the website.
If a legal body want to make the call that users shouldn't be responsible for choosing what their browsers automatically do or don't do on their behalf that's fine. But it's absurd to do it by making it the website creators problem. It's the browser that's choosing to do things without asking the person it represents for explicit permission. It's the browser sending the information to the third party. Put it on the browsers!
We've got a handful of choices for browsers. They all gratuitously send every bit of information they can get their hands on to every website they can. Just straight up informational security Judas'. And GDPR blames websites? It's crazy to me.
or too under-powered in relation to the powerful organizations that take advantage of them, or too overworked by all the tasks and details of their lives to deal adequately with all the things it might be beneficial for them to deal with, but are not strictly necessary for getting through the day.
No. It is so that they don't have deal with developers tricks and misdirections and intentionally misleading uis and so on. It is also so that they are not required to learn tons of obscure and otherwise useless knowledge to function reasonably.
None of that makes them stupid. Just like, when I am in grocery store I can be sure all food there is reasonably safe, even if I don't know anything about them. I am not expected to research them all personally for dangerous substances else "I am stupid for poisoning myself".
When talking about UX, there's this bad habit of using people's mothers or grandmothers as examples, because they are 'too stupid' to understand the UI that was built. Aside from the obvious problems, this also implicitly removes blame from the designer/implementor of the interface.
I always prefer to reframe it as someone with a very important, intelligence requiring job, say vaccine reasearcher, who doesn't have time to deal with your shitty UI when they want to print a document.
The browser is the user-agent, ie. an agent acting on behalf of the user. The browser chose to fetch the font, based on the orinal response. It could be configured not to.
You could also say that the user is opting in to loading a font from google when he actively sends the request to google. You could also say the user is opting in to storing cookies by accepting the file and writing it to his own disk, and sending the file back when the site asks for it. I think it is too late for these kinds of arguments in the EU though, and maybe with good reason, if it turns out the average citizen is not actually able to configure these kinds of decisions.
> You could also say that the user is opting in to loading a font from google when he actively sends the request to google.
Consent is not consent unless it's informed consent. If the user was not made aware of the request in a clear way before the request happened, he did not have a choice. If the person (and by person we mean the human being, not their browser) did not make the choice, then he did not consent. There's no "technically" about it, the question is only if the person knew what was happening and was given an opportunity to opt in.
So it is the responsibility of the website owner, to make sure that the user is informed about how his own browser works. Couldn't you make a case for shifting this responsibility to e.g. the browser vendor or the regulating bodies who decide on web standards?
It hardly matters in the court of law what you "could also say".
The law is clear: you don't have to send your users' data to third parties, but if you decide to do it, you have to receive their informed consent first. In this case, the defendant chose to send personal data to a third party without receiving their informed consent.
The option of conforming with the law by not sending that data anywhere still stands, as does the option of receiving informed consent beforehand.
But technically, the user itself is sending his own data to the third party, and the original website is merely requesting the user to do so. You could interpret it like this: "To use this website, it's best if you have this font. You can get it from here: https://google.com/fonts/blah". It's not exactly the same case as a more obvious GDPR violation, where the website would collect information from the user, and then send it to a third party (e.g. selling user data to a data broker).
>It hardly matters in the court of law what you "could also say".
On the contrary, it's exactly what the court is there for.
I know, which is why I said: "and maybe with good reason, if it turns out the average citizen is not actually able to configure these kinds of decisions."
Not in practice. It requires configuration that is non-trivial for most users and might not be available for them in all cases (eg: using a computer in a library).
In fact, I can't think of a solution that doesn't require third-party software/hardware/product and some computer expertise (AdBlock? Pi-Hole? VPN? Little Snitch? Hosts File?).
Ublock Origin in advanced mode can be set to block all third-party requests by default. I browse the internet that way, but it's definitely not for everyone.
I also browse the internet this way, but yeah. This solution is not available to people not using their own computers, people using certain browsers that don't have it, or just people that haven't heard of it.
> It is undisputed that the plaintiff's IP address was forwarded to Google when the plaintiff visited the defendant's website.
In this context, "It is undisputed" does not mean "It is a truth universally acknowledged by everyone", but rather "there is no dispute between the defendant and the plaintiff that this happened; in the light of that non-disagreement, the court is not required to decide whether that happened or not, and will accept that as a fact".
So in this case, the defendant (as well as the plaintiff, of course) agreed that "the plaintiff's IP address was forwarded to Google when the plaintiff visited the defendant's website". If there was a place to bring forward this "agency argument", this was the place; however the defendant seems to have chosen not to bring it forward.
It may be because the defendant's lawyers are unprofessional and forgot; it may also be because they are professional and so they knew this argument would not hold.
P.S. see also https://news.ycombinator.com/item?id=30139489