If a website operator does not locally host fonts but rather links to a third party server when the website is opened, the (dynamic) IP address will be saved by default by the third party server log records. In a decision made on 20 January 2022, the District Court in Munich awarded EUR 100 in damages to a website user whose (dynamic) IP address was transferred to Google without prior consent upon opening the page (Case number: 3 O 17493/20). This presents an intrusion on the user’s privacy rights resulting in damages as per Art. 82 of the GDPR.
Facts of the case
The plaintiff and user of the defendant’s website had loaded the website many times. On this website, the defendant used Google Fonts which loaded fonts from a decentralised library. Loading the website establishes a connection to a Google server and the (dynamic) IP address of the plaintiff, inter alia, is transmitted to Google. The user’s prior consent was not obtained. The defendant supports his use of Google Fonts based on his legal interest as per Art. 6 (1) (f) GDPR.
Plaintiff and defendant argued whether and under which conditions the damages to the plaintiff may be made as per Art. 82 of the GDPR. Further, the defendant was ordered to refrain from disclosing the plaintiff’s data to Google without his consent. In addition to classifying the IP address as personal data, the plaintiff made the case that his privacy rights were intruded upon through the non-consensual transmission of his data.
The District Court in Munich is of the opinion that the plaintiff can demand injunctive relief from the transmission of the plaintiff’s IP addresses to Google analogous to German Civil Code Section 823 paragraph 1 in connection with Section 1004. The court clarifies, that the unlawful transmission to Google by the defendant of the plaintiff’s dynamic IP addresses constitutes a violation to general privacy rights in the form of the right to informational self-determination as per German Civil Code Section 823 paragraph 1. The right to informational self-determination specifically ensures the right of the individual to self-determine the disclosure and usage of his personal data.
A dynamic IP address is also an item of personal data. According to the court, the issue is not whether the website operator or other recipients have the possibility to associate an IP address to a natural person. The abstract possibility – through the involvement of an internet service provider – is enough to confirm reference to a person.
The automatic transmission of personal data by the defendant to Google is an intrusion on privacy rights under data protection law, as it is indisputable that the plaintiff did not consent to this intrusion. The defendant has no basis for legal interest in requiring the service, as the same functionality is possible without using Google. It is also not reasonable for the defendant to take measures to prevent data transmission in this case.
The district court of Munich further confirmed the claim based on Art. 82 of the GDPR. The term compensation is interpreted broadly as laid down in Recital 146 GDPR. The claimant’s loss of control represents a non-material damage, given that Google is known as a company that collects user data and that the transfer resulted in substantial discomfort for the claimant, thereby justifying a compensation claim.
Data protection law assessment
Some heavily discussed questions in the legal community, such as the presence of a materiality threshold for petty violations or the blocking of national sanctions regimes external to the GDPR, such as injunction claims in civil law, are all confirmed by the court.
The partially required significance of damages was not further debated because a decision in the present case was not deemed necessary by the court. In this case, the reference to a third country also played a role, through the transfer of the IP address to Google and the U.S., as well as the fact that multiple data transfers were made by the defendant.
It surprises no one that the website operator’s legal interest in this case did not represent the user’s interest. The use of this service is simply not necessary to provide the same functionality.
The judgement also confirmed the personal relevance in regards to the user’s (dynamic) IP address. The observable trend is heading more in the direction of an interpretation of absolute personal reference. This will be confirmed when it is factually possible – with the help of third parties – to establish it as such. An intention or even a specific possibility plays a minor role in the classification.
The opinion of the District Court of Munich will have far reaching consequences for the industry, as all website users will have the future possibility of suing against data protection violations.
For website operators, these types of risks are easily avoided if they think ahead about how they connect to services. Sometimes only a little work is necessary to find a legal solution. And there needn’t be a limitation in function. See how you can integrate fonts in your particular case using our practical instructions (in German).