The Munich Regional Court in its Judgment from 20.01.2022 ruled that the disclosure of the dynamic IP address to Google when using Google Fonts without the consent of the person concerned justifies a claim for damages (in the present case in the amount of €100). A legitimate interest had not been sufficient here.
The facts
The defendant operates a website. On this website, it used Google Fonts in such a way that the IP addresses of the website visitors are transmitted to Google each time the website is called up. No consent was obtained from the visitor for this transmission. In addition, the use of Google Fonts is also possible without the disclosure of the IP address to Google, as the defendant has since adapted its website.
The plaintiff is one of the website visitors affected, whose IP address was repeatedly transmitted to Google by visiting the website. He therefore sued for injunctive relief and damages.
The verdict
The Munich Regional Court finally ordered the defendant to cease and desist, to provide information, and to pay Compensation for damages (Art. 82 GDPR) to the plaintiff. If a case is reported in which the defendant defies the cease-and-desist order, the court will impose an administrative fine of up to €250,000. The damages payable to the plaintiff were set at €100 plus interest.
The ruling establishes a violation of the general right of personality in the form of the right to informational self-determination. In this context, the court also had to examine some issues relevant to data protection law.
Dynamic IP address as personal data
The website operator recorded and passed on the dynamic IP address of each visitor. According to the court, this dynamic IP address can be used "with the help of third parties, namely the competent authority and the Internet access provider, to determine the person in question". The court ultimately based its decision on this abstract identifiability of the person. Whether the website operator or Google had the concrete possibility to actually determine the person behind the IP address was irrelevant.
Accordingly, for the website operator, this is a personal data in the sense of Art. 4 No. 1 DSGVO.
Justification of the processing of personal data
Consent of the website visitor pursuant to Art. 6 I lit. a DSGVO was not given.
Another consideration would be a legitimate interest of the website operator within the meaning of Art. 6 I lit. f DSGVO. However, since Google Fonts can also be used without a connection to the Google server each time the website is called up, the court rejects this.
Obligations of the website visitor?
The court also addressed the question of whether the plaintiff himself, as a website visitor, should have encrypted his IP address before visiting (e.g., via VPN). In this context, the court states that the purpose of data protection law is precisely to protect "natural persons from impairment in the processing of their personal data". If the data subject were to be obligated in such a manner, this would simply reverse the purpose of data protection law.
Determination of the damage according to Art. 82 I GDPR
The court, referring to recital 146 p. 3 of the GDPR, the court applied a broad interpretation of the concept of damage. The objectives of sanction and prevention were to be considered above all in the determination.
The court did not have to take a position on the problem of the materiality threshold in relation to Art. 82 GDPR, as the transmission of the IP address in the present case took place several times and there was thus a significant loss of control by the plaintiff. It was also taken into account that Google is an American company that cannot guarantee an adequate level of data protection there.
The amount of damages (€100) was measured according to the severity and duration of the infringement.
Conclusion
Data protection violations are not always obvious in practice. Any disclosure of the IP address of website visitors constitutes a processing of personal data that must be justified.
Given the widespread use of Google Funds, this data protection vulnerability affects a vast number of websites.
Let our experts show you how to make your website and other services privacy-compliant!