Data protection: The IP address under the protection of the DSGVO (Google Fonts ruling in Germany)

Data protection: The IP address under the protection of the DSGVO (Google Fonts ruling in Germany)

Under the case number 3 O 17493/20, the LG Munich ruled on January 20, 2022 on a case in which Google Fonts were used.

Specifically, the plaintiff demanded, among other things, EUR 100 in damages pursuant to Article 82 (1) of the GDPR. This is obviously a small symbolic amount, which should probably basically clarify the possibility of claims for damages.

In its ruling, the LG München states that the loss of control over one’s own personal data justifies such damages. As a so-called personal “data”, an IP address always counts as personal data, because the user can ultimately be identified via the IP address.

Accordingly, this ruling on Google Fonts not only affects Google Fonts, but is also likely to affect many other areas. For example, the integration of Javascript libraries and many other services provided by third-party providers.

Therefore, it is recommended not only to use a cookie request for cookies, but to design the cookie request in such a way that a connection to third-party servers is only established after a corresponding consent.

Alternatively, in many cases it is also a good idea to use self-hosted analytics services instead of third-party providers such as Google Analytics. Accordingly, the fonts of a website should not be loaded via Google Fonts at the users, but rather hosted directly on the own website. Subsequently, the source code of the website should be checked for any further violations, e.g. WordPress still performs a DNS prefetch for despite corresponding settings to the contrary. Such unwanted behavior must also be stopped, of course.

Do you need help in assessing whether your website is privacy-compliant or in implementing technical measures? Simply write to me via my contact form.

Excerpt from the judgment:

The plaintiff is entitled to a claim for damages under Article 82 (1) DS-GVO. The concept of damage within the meaning of Art. 82 DS-GVO is to be interpreted broadly according to recital 146 p. 3, the term “damage” is to be interpreted broadly. The interpretation should fully comply with the objectives of this Regulation, including the objective of sanction and prevention (BeckOK Datenschutzrecht, Wolff/Bring, 38th Edition, DS-GVO Art. 82, para. 24). Sufficient is like. Art. 82 (1) GDPR, non-material damage is also sufficient. Whether a materiality threshold must be reached or exceeded and so-called trivial damages must be excluded is disputed (see BVerfG NJW 2021, 1005, para. 20 with further references; Kohn ZD 2019, 498 (501); Paal MMR 2020, 14 (16)), but can be left open in this case. The defendant admits that prior to the modification of its website, it transmitted the plaintiff’s IP address to Google when he visited its website. The transmission of the IP address thus did not take place only once. In view of the plaintiff’s loss of control over a personal data to Google, a company that is known to collect data about its users, and the individual discomfort felt by the plaintiff as a result, the associated encroachment on the general right of personality is so significant that a claim for damages is justified. It must also be taken into account that it is undisputed that the IP address was transmitted to a Google server in the USA, whereby an adequate level of data protection is not guaranteed there (cf. ECJ, Judgment of July 16, 2020 – C-311/18 (Facebook Ireland u. Schrems), NJW 2020, 2613) and that the liability arising from Article 82 (1) of the GDPR is intended to prevent further infringements in a preventive manner and to create an incentive for security measures.

No. 12 Judgment of the Regional Court of Munich of January 20, 2022 under Case No. 3 O 17493/20

Leave a Reply

Your email address will not be published. Required fields are marked *