Damages due to unlawful integration of Google Fonts – Guide beyond the individual case

In the case in question, the website operator used Google Fonts in the online version. Google Fonts is used to avoid display problems on homepages. Instead of only using the fonts stored locally on the respective end device, which can differ depending on the end device, a connection to Google is established when a homepage is called up and the Google fonts are used for display on the respective end device. Not only are the fonts transmitted to the user, but, as with many Google services, the user’s IP address is also transmitted to Google in the USA.

It is important, not only in the specific court decision, that Google Fonts can also be installed locally on the server of the website operator and that no IP addresses or other personal data are transmitted to Google in this integration form.

According to the court, the transmission of the IP address to Google represents a violation of the plaintiff’s right to informational self-determination. The plaintiff had not consented to this type of data processing within the meaning of Art. 6 (1) (a) of the German Data Protection Act (DSGVO) and Section 13 (2) of the German Telemedia Act (TMG), old version. The legal basis of Art. 6 para. 1 lit. f. DSGVO was classified by the court as applicable here. Contrary to the view of the defendant, there was no legitimate interest in the data transfer. The court justified this precisely with the possibility of operating Google Fonts locally without data transfer.

The fact that many Google products can only be used with the consent of the home page user under data protection law needs to be repeated regularly, but is not really new for people involved in data protection. More interesting are the court’s comments on the plaintiff’s claim for damages. The claim is based on Article 82 of the GDPR and the court interprets recital 146 as meaning that the term “damage” must be interpreted broadly.

In its decision, the court also refers to the legal question of whether damage must exceed a materiality threshold and whether there can thus be no claim for damages for so-called minor damage. According to the court, this question was not relevant to the decision, as the discomfort caused by the transmission of the IP address to Google was so substantial that a claim for damages in the amount of €100.00 was justified. The court justifies this, among other things, by stating that Google is known to collect data about its users.

This statement in particular is extremely relevant for data protection practice. It is often argued that the disclosure of IP addresses is not associated with any real disadvantages for the persons concerned and therefore constitutes a venial misconduct. However, this viewpoint is now no longer tenable, especially in the case of data being passed on to Google.

At first glance, damages in the amount of €100.00 do not seem spectacular and the defendant company will probably be able to cope with them.

However, when considering the ruling in an internal risk analysis, this should not lead to hasty conclusions.

On the one hand, the court’s comments on the exclusion of minor damages may also become relevant in other areas in which there is supposedly a completely insignificant impairment of the affected parties.

On the other hand, it must be borne in mind that in the case of illegal homepage configurations, there can quickly be thousands of injured parties and the claims for damages can therefore add up.  The further development of class actions in data protection law will also be relevant in this context.

Another interesting legal question in the area of data protection-compliant operation of a homepage was unfortunately not clarified by the ruling. Namely, the question of whether the export of data to the USA can be legitimized by the user’s declaration of consent via the cookie banner and thus compensate for the omission of the Privacy Shield, at least in the area of the homepage. The Regional Court of Munich states on the subject of third country export that the IP addresses would indisputably be transmitted to Google’s servers in the USA. In the specific case, however, no consent was obtained from the plaintiff. Therefore, the court could not rule on the possible effectiveness of a declaration of consent in the context of data export.

If you have any questions regarding data protection or information security, please do not hesitate to contact your team at aigner business solutions GmbH. Simply use our contact form for this purpose.

You can also reach us by telephone at the following numbers:

Hutthurm headquarters – Tel.: +49 (0) 8505 91927 – 0
Munich branch office – Tel.: +49 (0) 8941 32943 – 0