Lg munich: integration of google fonts without consent

google fonts dsgvo

The dynamic integration of US web services into a website (here: Google Fonts) is against data protection without the visitors’ consent. Website operators owe omission and damages (LG Munich, judgement of 20.01.2022, Az. 3 O 17493/20).

Content overview

1. What are Google Fonts?

Google posts at https://fonts.google.com/ a wide selection of fonts under Apache license (version 2.0) at the disposal. In principle, these fonts may be used free of charge.

2. How to integrate Google Fonts into a website?

There are two ways to embed Google Fonts in a web page:

  1. Static variant: Website operators can download the desired font and upload it again to their own web space, from where the file is locally embedded into the website, according to preference z.B. in the format TTF, WOFF or. WOFF2. If users visit such a website, no connection is established to Google servers. From the point of view of data protection and personal rights, this form of integration is therefore uncritical.
  2. Dynamic VariantAlternatively, it is possible to include a code snippet in the HTML code of the web pages, either per @import or<link>.

google fonts link

Example for the dynamic integration of the font "Comforter" via link method.

3. Problem: Dynamic integration of Google Fonts without consent

In the proceedings before the Munich Regional Court, the operator of a website had dynamically integrated Google Fonts into her website without obtaining prior consent (via a consent banner) from each visitor. The plaintiff was annoyed by this and demanded injunctive relief and damages.

4. LG Munich: Claim for injunction and damages

The Munich Regional Court upheld the claim. The plaintiff is entitled to a claim against the website operator for Cease and desist from disclosing his IP addresses to Google to (§ 823 Abs. 1 i.V.m. § 1004 BGB analogue). The unauthorized disclosure of the plaintiff’s dynamic IP address to Google violated the plaintiff’s general right of personality in the form of the right of informational self-determination pursuant to Section 823 para. 1 BGB.

At the latest since the entry into force of the Basic Data Protection Regulation, it is no longer disputed that a dynamic IP address a personal data represents (cf. Type. 4 no. 1 DSGVO). The reason for this is that the website operator can have the IP address stored by the Internet access provider used to determine who the visitor was with the help of the authorities (cf. BGH, judgment of 16.05.2017, Az. VI ZR 135/13). It does not matter whether this linking option is actually used by the website operator. Sufficient is an abstract determinability.

5. Consent missing, appeal to legitimate interest unsuccessful

In the case was indisputable that the defendant no consent for the disclosure of dynamic IP addresses to Google had obtained from their visitors (cf. Type. 6 Abs. 1 a) DSGVO).

Your attempt to rely instead on a legitimate interest within the meaning of Art. 6 para. 1 f) DSGVO to invoke, failed. According to LG Munich, Google Fonts could also be used by the website operator without a connection to a Google server being established when the website is called up and without a transfer of the IP address of the website user to Google taking place (cf. static variant above).

6. No obligation of the visitor to disguise the own IP address

Website visitors are also not obliged to "encrypt" their own IP address (the court probably means here a disguise, for example by means of VPN). Such an obligation would run counter to the purpose of data protection law, which is primarily to protect natural persons against interference in the processing of their personal data (cf. LG Dresden, judgment of 11.01.2019, Az. 1 AO 1582/18).

7. Claim for 100 euros DSGVO damages, u.a. because of "discomfort

In addition, the Munich Regional Court awarded the plaintiff compensation in the amount of 100 euros to (type. 82 para. 1 GDPR).

The question of whether a GDPR violation must have reached a certain materiality in order to justify the award of damages did not matter in the view of the court. The data transfer associated with Google Loss of control and that therefore individual discomfort felt by the plaintiff Were so substantial as to justify a claim for damages. It must also be taken into account that the IP address was indisputably transmitted to a Google server in the USA, although no adequate level of data protection is guaranteed there (cf. ECJ, judgment of 16.07.2020, Az. C-311/18 – Facebook Ireland u. Schrems). In addition, the liability from Art. 82 para. 1 GDPR prevent further infringements and create incentive for security measures.

Like this post? Please share to your friends:
Leave a Reply

;-) :| :x :twisted: :smile: :shock: :sad: :roll: :razz: :oops: :o :mrgreen: :lol: :idea: :grin: :evil: :cry: :cool: :arrow: :???: :?: :!: