Threatening letter under data protection law - What to do?

Following the decision of the LG Munich on compensation for pain and suffering due to immaterial damage resulting from the use of Google Fonts on a website, an increasing number of threatening letters under data protection law can now be found. The authors send data protection law responsible parties who operate a website with Google Fonts without local integration a letter in which they demand compensation for pain and suffering according to the GDPR. If the demand is not met, the author is prepared to sue for the amount.

The recipients of such letters are often completely overwhelmed by the situation. Here you can find out what is really behind such letters and how you should deal with them.

Basis: Judgment of the LG Munich

The LG Munich decided a few months ago following case: A website operator used Google Fonts without hosting this on its own server. As a result, the IP address of all website visitors was transmitted to Google's American servers. This was also not covered by a corresponding consent of the website visitors about such a third country transfer. This was a violation of the GDPR.

The Munich Regional Court upheld the plaintiff's claim for damages (Art. 82 GDPR) and awarded him €100 (AZ 3 O 17493). The court based its decision, among other things, on the fact that the plaintiff had lost control over his personal data.

Threatening letters under data protection law: Contents

As a result of this ruling, more and more operators of websites that do not use Google Fonts locally are receiving threatening letters under data protection law. In these letters, the author usually describes the data protection situation and refers to the ruling of the Munich Regional Court. Subsequently, the author demands that the responsible party also pay him €100 in damages. Subliminally, the author then threatens to take the case to court otherwise.

This approach does not seem to be an isolated case. Threatening letters with such content can currently be observed en masse.

Procedure of the authors

The content of these privacy-related threatening letters suggests that the authors want to use the privacy-related damages as a source of income for themselves. They seem to be specifically looking for websites that use Google Fonts that are not locally embedded. Then they probably secure corresponding evidence of how their IP address is transmitted when they visit the website and then contact the responsible party stored in the imprint.

Data protection assessment of such threatening letters

Addressees of such threatening letters under data protection law are faced with the big question of whether they should respond to such letters with a payment or whether the letter is "much ado about nothing".

First and foremost, it should be noted that the actions of the website operators concerned in any case constitute a violation of the GDPR. It is only questionable how the courts would decide and whether the case is actually the same as the one in which the LG Munich last decided.

Contributory negligence of the author of the threatening letters

Even though the concept of damage under the GDPR is still controversial, it is at least questionable in these cases whether contributory negligence exists. According to Section 254 I BGB, damages are to be reduced in accordance with contributory negligence if the injured party is jointly responsible for the occurrence of the damage.

In the case of the threatening letters, the potentially injured party called up the websites precisely because he wanted to record the transmission of the personal data. In doing so, he or she caused the damage to occur on his or her own responsibility.

In addition, the injured party has a duty to mitigate damages (§ 254 II BGB), which he also violates with this action. The author has virtually provoked the occurrence of the damage.

According to unanimous opinion, these standards of national law are also applicable to the GDPR in a supplementary manner.

In view of these facts, it seems very unlikely that the authors of such letters would be proven right in legal proceedings. However, the case law on Art. 82 GDPR is still in flux, so that no conclusive assessment is possible.

Control over personal data

The Munich Regional Court based its decision precisely on the fact that the plaintiff lost control over his personal data when he accessed the website and the IP address was transmitted. However, if the website visitor calls up the website precisely because he wants to prove this transmission, such a loss of control is obviously no longer present. It can be assumed that this would also be recognized in court.

Conclusion

In any case, the use of Google Fonts without local integration is a violation of the GDPR. Threatening letters that refer to the targeted causation of damage under data protection law probably have little potential to become an acute danger.

The real danger lies rather in the design of the website. Any design that does not comply with data protection must be eliminated immediately.

Do you need support in finding and eliminating data protection violations, e.g. on your website? Our team of experts will be happy to help you!