
> because the request headers of the client are being logged and used to identify a session

No need to dig so deep: IP addresses are considered private information under the current EU law, meaning that just opening a client-side connection somewhere leaks that data to that somewhere.

> I don't see how Google Docs is less susceptible to Google tracking user activity (and by extension US intelligence).

There is none. The difference is that the website studied in the ruling was not including resources hosted at Google Docs, and hence no mention of it. If the site embedded or directly linked to a Google Docs document, the same reasoning would have been applied.

> CNIL doesn't want sites hosted in France to be making client-side calls to services provided by Google (whether analytics, fonts, etc) or theoretically any US-based service provider because the client request will be logged by that resource host and open to access by US law enforcement? Do I understand that correctly?

Almost. They don't want any calls prior to explicit user acceptance.

> What's the solution?

For fonts/images required to load the page, use EU-based hosting facilities. If you want to link to a Google Docs document, a YouTube video or something like that, ask the user before following that link.

> That seems... sweeping, profound, surprising, impactful. Have fun with that.

It is, I don't think anyone is denying that. There are several things that may happen here:

1. US tech companies take it as common practice to spin off EU-based companies that are not subject to US law and store everything on EU soil. When they don't, EU competitors pop up and EU companies use those.

2. The US passes laws that offer EU-level protections to both their own citizens/companies and (at least) EU-based citizens/companies.

3. The EU backtracks on this by adjusting their current laws.


