Hesse: HBDI issues statement on use of Google Fonts
The Hessen data protection authority ('HBDI') issued, on 1 November 2022, a statement providing information on the use of Google Fonts. In particular, the HBDI outlined that, if Google Fonts are integrated online, the user's browser loads these fonts when the website is accessed and contacts Google's servers for this purpose. As a result, the HBDI explained, the user's personal data is transmitted to Google. Further to this, the HBDI stated that such data processing requires a legal basis under Article 6(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), also highlighting that if personal data is transferred to a third country, such as the US, the requirements applicable to third-country transfers must also be met, including the requirements established by the Court of Justice of the European Union ('CJEU') in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case') .
Therefore, the HBDI concluded that anyone who wants to use Google Fonts must ensure that all of these requirements are met and advised to save the fonts locally on a web server. Lastly, the HBDI pointed out that such conclusions apply to other font providers.
You can read the statement, only available in German, here.