Many website operators are currently receiving a payment request for €100 for violating the GDPR. What is behind it and how can you defend yourself?
Thousands of recipients are currently amazed at letters of demand that they find in their e-mail inbox or letter box. because they have embedded google’s free fonts in their websites, they are said to shell out 100 to almost 500 euros.
The addressees of the letters are all website operators. The warnings accuse them of an “inadmissible interference with the general right of personality” and a violation of the General Data Protection Regulation (GDPR). Your crime: You use fonts on your website that Google offers free of charge.
This is a directory of several hundred freely usable fonts. Website operators can download the fonts and make them available locally on their own web server. Alternatively, you can also integrate the fonts online. This then leads to the visitor’s browser loading them from the US group’s servers when a page is called up. And that’s a problem.
Court judgment from Munich
In January 2022, the district court (LG) Munich had banned the online use of Google Fonts on the grounds that unauthorized personal data was passed on to Google in the USA (Az. 3 O 17493/20). This decision forms the basis for the warnings and letters of demand sent.
According to the Munich judges, the transmitted dynamic IP addresses are information that falls within the scope of data protection. The site operator violated the plaintiff’s right to informational self-determination by forwarding the visitor’s dynamic IP address to Google when the site was accessed. There was no legal basis for this in the form of consent or a legitimate interest. The plaintiff is therefore entitled to an injunctive relief.
But that’s not all, the LG Munich had granted the website visitor a claim for damages of 100 euros. Such a right may arise from Article 82 of the GDPR and is available to any person “who has suffered material or non-material damage as a result of a breach of this regulation”. The question of what intensity such an intervention must have in order to trigger compensation for pain and suffering is highly controversial. In the legal discussion, the decision from Munich is mostly criticized as exaggerated.
Matter of interpretation 63
Developments in GDPR fines and damages
Fines vary from state to state. That should now change with a new calculation model: A topic for the c’t data protection podcast.
In the present case, the judges saw a “loss of control” on the part of the person concerned and an “individual malaise” as a result of the transmission to Google. Because Google is known for collecting data about its users. In addition, it is undisputed that the IP address is transmitted to a server in the USA, where an adequate level of data protection is not guaranteed.
The writers of the demanding letters are now adopting this line of argument. The recipient’s website was visited, he was using the online version of Google Fonts and should therefore transfer 100 euros to the sender as soon as possible because of the individual discomfort this caused.
It gets a little more complicated when the letter comes from a lawyer. Apparently, legal veterans of past mass warnings have found a new field of activity. They not only demand that the recipients pay for their clients’ damages. They should also issue a cease-and-desist declaration for the use of Google Fonts – and pay the attorney’s fees, usually 367.23 euros.
What to do?
However, there are a number of potential objections to legal warnings, so that these are by no means “safe cases” for the warning party. There is already some evidence that the lawyer’s letters are abusive, since the alleged victims are likely to have deliberately accessed the websites. Nevertheless, at least legal laypeople should get an IT lawyer on board as a precaution in these cases.
On the other hand, defending against letters of formal notice that do not come from a lawyer is less risky. As things currently stand, it is rather unlikely that the majority of the courts will follow the views of the Munich Regional Court with regard to the payment of monetary compensation. There is therefore some evidence that such letters may be ignored. However, every website operator should switch to the locally hosted version of Google Fonts.
more on the subject
Legal uncertainties in intercontinental data transfer
EU data protection regulations make it difficult for local companies to use US online services. There are difficulties with the transfer of personal data.