So while I was updating my website, I was thinking about using JSdelivr for my blogs images, the slowest part of my website since it’s hosted on a VPS and not on Cloudflare Pages to avoid further internet centralization.
But I remembered that a court in Germany recently ruled that using Google Fonts is illegal, does this affect JSdelivr and other public CDNs? Apparently it does.
I’m not a lawyer, these are just my observations.
Data processing agreements with free CDNs
According to legalweb.io, in order to use a CDN you need to have an data processing agreement, which you don’t have with free CDNs, and the data needs to be processed within the EU or a country that is deemed to follow GDPR standards, which is certainly not the U.S.
So basically any CDN provider that you don’t have an Article 28 GDPR agreement with is illegal, any of the free CDNs like Jsdelivr are banned, that should include Bunny fonts!, which was created as a GDPR-friendly alternative to Google Fonts, but since you don’t have a DPA with them, it’s still probably illegal.
Legitimate interest and CDNs
In that LG München ruling on Google fonts, it was also mentioned that the website had no legitimate interest in using X fonts (presumably Google fonts), since the website admin could easily host the fonts themselves.
- Es liegt auch kein Rechtfertigungsgrund für den Eingriff in das allgemeine Persönlichkeitsrecht vor. Ein berechtigtes Interesse der Beklagten i.S.d. Art. 6 Abs. 1 f) DS-GVO, wie von ihr behauptet, liegt nicht vor, denn X. Fonts kann durch die Beklagte auch genutzt werden, ohne dass beim Aufruf der Webseite eine Verbindung zu einem X.-Server hergestellt wird und eine Übertragung der IP-Adresse der Webseitennutzer an X. stattfindet.
What about other use cases like video hosting, which is much more bandwidth intensive and benefits a lot from CDNs? the answer won’t really matter as all your favourite streaming providers will have their own DPAs with their CDN providers, nobody’s giving you a free video CDN!
Looks like I’ll just stick to hosting my blog images on my free VPS (shout out to Oracle Free Tier), and if I really want to improve the speed of my blog, I should just move to a CDN host like Cloudflare pages.
EDIT: JSdelivr doesn’t seem to agree
JSdelivr hired a Law firm to look into this, they don’t seem to agree, but that doesn’t invalidate other opinions.
In conclusion, the ruling that has been so controversial recently does not seem to fully address the factual and technical circumstances of how jsDelivr works, and at this point as a single ruling should not lead to any real concerns about using CDN’s services. The arguments for extending to other online services a single ruling strongly emphasizing Google’s failure to adequately protect personal data are insufficient and lack substance. https://www.jsdelivr.com/blog/how-the-german-courts-ruling-on-google-fonts-affects-jsdelivr-and-why-it-is-safe-to-use/
Sources
No legitimate interest for using Google Fonts on websites, says German court