Threatening letter under data protection law - What to do?

Following the decision of the LG Munich on compensation for pain and suffering due to immaterial damage resulting from the use of Google Fonts on a website, an increasing number of threatening letters under data protection law can now be found. The authors send data protection law responsible parties who operate a website with Google Fonts without local integration a letter in which they demand compensation for pain and suffering according to the GDPR. If the demand is not met, the author is prepared to sue for the amount.

The recipients of such letters are often completely overwhelmed by the situation. Here you can find out what is really behind such letters and how you should deal with them.

Basis: Judgment of the LG Munich

The LG Munich decided a few months ago following case: A website operator used Google Fonts without hosting this on its own server. As a result, the IP address of all website visitors was transmitted to Google's American servers. This was also not covered by a corresponding consent of the website visitors about such a third country transfer. This was a violation of the GDPR.

Das LG München gab dem Kläger in seiner Forderung nach Schadensersatz (Art. 82 DSGVO) Recht und sprach ihm 100 € zu (AZ 3 O 17493). Das Gericht begründete die Entscheidung unter anderem damit, dass der Kläger die Kontrolle über seine personal data verloren habe.

Threatening letters under data protection law: Contents

In Folge dieses Urteils erhalten immer mehr Betreiber von Websites, die Google Fonts nicht lokal eingebunden nutzen, datenschutzrechtliche Drohbriefe. Darin beschreibt der Verfasser meist die datenschutzrechtliche Situation und verweist auf das Urteil des LG München. Im Anschluss fordert der Verfasser den Verantwortlichen auf, ebenfalls 100 € Schadensersatz an ihn zu zahlen. Unterschwellig droht der Verfasser dann damit, den Fall ansonsten vor Gericht zu bringen.

This approach does not seem to be an isolated case. Threatening letters with such content can currently be observed en masse.

Procedure of the authors

Der Inhalt dieser datenschutzrechtlichen Drohbriefe legt nahe, dass die Verfasser den datenschutzrechtlichen Schadensersatz als Einkommensquelle für sich nutzen wollen. Sie scheinen gezielt nach Websites zu suchen, die Google Fonts nicht lokal eingebunden verwenden. Dann sichern sie wahrscheinlich entsprechende Beweise, wie ihre IP-Adresse beim Besuch der Website übermittelt wird und kontaktieren dann den im Impressum hinterlegten Verantwortlichen.

Data protection assessment of such threatening letters

Addressees of such threatening letters under data protection law are faced with the big question of whether they should respond to such letters with a payment or whether the letter is "much ado about nothing".

First and foremost, it should be noted that the actions of the website operators concerned in any case constitute a violation of the GDPR. It is only questionable how the courts would decide and whether the case is actually the same as the one in which the LG Munich last decided.

Contributory negligence of the author of the threatening letters

Even though the concept of damage under the GDPR is still controversial, it is at least questionable in these cases whether contributory negligence exists. According to Section 254 I BGB, damages are to be reduced in accordance with contributory negligence if the injured party is jointly responsible for the occurrence of the damage.

Im Falle der Drohbriefe hat der potentielle Geschädigte die Websites gerade aufgerufen, weil er die Übermittlung der personal data aufzeichnen wollte. Damit hat er den Schadenseintritt eigenverantwortlich herbeigeführt.

In addition, the injured party has a duty to mitigate damages (§ 254 II BGB), which he also violates with this action. The author has virtually provoked the occurrence of the damage.

According to unanimous opinion, these standards of national law are also applicable to the GDPR in a supplementary manner.

In view of these facts, it seems very unlikely that the authors of such letters would be proven right in legal proceedings. However, the case law on Art. 82 GDPR is still in flux, so that no conclusive assessment is possible.

Control over personal data

Das LG München hat seine Entscheidung gerade darauf gestützt, dass der Kläger die Kontrolle über seine personal data verloren hat, als er die Website aufrief und die IP-Adresse übermittelt wurde. Ruft der Website-Besucher die Website aber gerade auf, weil er diese Übermittlung nachweisen will, liegt ein solcher Kontrollverlust augenscheinlich nicht mehr vor. Es ist davon auszugehen, dass dies vor Gericht ebenfalls do erkannt werden würde.

Conclusion

In any case, the use of Google Fonts without local integration is a violation of the GDPR. Threatening letters that refer to the targeted causation of damage under data protection law probably have little potential to become an acute danger.

The real danger lies rather in the design of the website. Any design that does not comply with data protection must be eliminated immediately.

Do you need support in finding and eliminating data protection violations, e.g. on your website? Our team of experts will be happy to help you!