
First ruling exposes Google's spying program strategy

Marcel


Millions in use - Google's spying programs on websites

Whether Google Fonts, Google Maps or YouTube videos - none of it is legal

The Munich Regional Court (3rd Civil Chamber) ruled in January 2022 that the unauthorized disclosure of dynamic IP addresses to Google constitutes a violation of the general right of personality in the form of the right of informational self-determination under Section 823 (1) of the German Civil Code. The plaintiff is entitled to injunctive relief and damages based on the disclosure of IP addresses to Google through the use of Google Fonts. The defendant was ordered to pay 100 euros in damages for pain and suffering (judgment LG München: 3 O 17493/20 of January 20, 2022).

What exactly is at stake: Google provides a large selection of fonts under Google Fonts, which may be used free of charge and which enable the display of text on a website in the first place.

There is a static or a dynamic variant for integration into your own website. In the case of the static variant, no connection is established to Google servers, which means that this variant is harmless in terms of data protection and privacy law. The dynamic variant is different. Here, a connection is established to the Google server and at least the IP address is transferred to Google.

In the present case, the defendant had integrated dynamic Google Fonts into its website. It did not obtain consent from its visitors in advance via a consent banner. The plaintiff felt disturbed by this. He demanded damages and injunctive relief from the website operator.

The Munich Regional Court ruled in favor of the plaintiff.

The unauthorized disclosure of the plaintiff's dynamic IP address to Google constitutes a violation of the general right of personality in the form of the right of informational self-determination pursuant to Section 823 (1) BGB. In addition, the plaintiff is entitled to an injunction against the disclosure of his IP addresses to Google under § 823 (1) in conjunction with § 1004 BGB, applied by analogy.

With the dynamic IP address, the website operator has the abstract means to have the person in question identified on the basis of the stored IP addresses. It does not matter whether the defendant or Google has the concrete possibility to link the IP address to the plaintiff.

By forwarding the dynamic IP address to Google when the plaintiff accessed the website, the defendant violated the plaintiff's right to informational self-determination. Furthermore, the automatic forwarding of the IP address represents an inadmissible encroachment on the plaintiff's general right of personality under data protection law. The encroachment is also not justified because the defendant has no legitimate interest. Nor was the plaintiff obligated to encrypt his own IP address, e.g. by using a VPN, since such an obligation would restrict him in exercising his rights.

The court also affirmed a risk of repetition, which can only be eliminated by a cease-and-desist declaration with a penalty clause.

The plaintiff is entitled to information under Art. 15, Art. 4 No. 2 GDPR. The claim for damages arises from Article 82 (1) of the GDPR, whereby non-material damage is also sufficient. This consists here in a loss of control of the plaintiff over his data and in a discomfort felt by him as a result. Liability under Art. 82 (1) GDPR is intended to create an incentive for security measures and to prevent further breaches.

Giving away free services is strategy. The unsuspecting website operators unknowingly become data stealers

The passing on of the dynamic IP address also happens with the integration of Google Analytics, Google Maps and YouTube videos. Vimeo videos are also not legal to use.

In addition, it should be noted, and here the court is mistaken, that even obtaining consent via a consent banner cannot prevent the disclosure of the IP address, because the services are already loaded before or at the same time as the consent banner, so the infringement has already occurred without the user's consent. In the case of fonts, the web page would be without text and thus not recognizable as such. In the case of embedded videos, the player component is already loaded beforehand and thus the IP address is transmitted. A consent banner cannot prevent this. So there is no choice but to remove all US services from the website and replace them with services that respect data protection and privacy: Matomo (instead of Google Analytics), OpenStreetMap (instead of Google Maps), self-hosted Google Fonts (instead of Google-hosted fonts) and Video.Taxi (instead of YouTube or Vimeo).
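The check below is an added example, not code from the article: it flags markup that makes a visitor's browser contact the third-party services named above as soon as the page loads, independent of any consent banner, and leaves self-hosted (static) resources alone. The host list and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts of the services the article names (illustrative, not exhaustive).
THIRD_PARTY = {
    "fonts.googleapis.com": "Google Fonts (dynamic)",
    "www.google-analytics.com": "Google Analytics",
    "maps.googleapis.com": "Google Maps",
    "www.youtube.com": "YouTube",
    "player.vimeo.com": "Vimeo",
}
CSS_URL = re.compile(r"""(?:@import\s+(?:url\()?|url\()\s*['"]?([^'")\s;]+)""")

class EagerEmbedFinder(HTMLParser):
    """Collects URLs in the static markup that the browser requests on load."""
    def __init__(self):
        super().__init__()
        self.urls, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self._in_style = tag == "style"
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            self.urls.append((tag, a.get("href")))
        elif tag in ("script", "iframe", "img"):
            self.urls.append((tag, a.get("src")))  # data-src placeholders carry no src

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # @import / url() inside <style> blocks
            self.urls += [("style", u) for u in CSS_URL.findall(data)]

def find_eager_third_party(html):
    """Return (tag, host, service) for each listed third-party host contacted on load."""
    finder = EagerEmbedFinder()
    finder.feed(html)
    hosts = [(tag, urlparse(url or "").hostname) for tag, url in finder.urls]
    return [(t, h, THIRD_PARTY[h]) for t, h in hosts if h in THIRD_PARTY]

# Constructed sample page (not from the article).
SAMPLE_HTML = """
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<link rel="stylesheet" href="/assets/fonts/roboto.css">
<style>@import url("//fonts.googleapis.com/css?family=Lato");</style>
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<iframe data-src="https://player.vimeo.com/video/000000"></iframe>
"""
```

On the sample, `find_eager_third_party(SAMPLE_HTML)` reports the two dynamic font references and the YouTube iframe; the self-hosted stylesheet and the `data-src` placeholder are not reported because the markup alone triggers no request to those hosts.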

Only the IP address - my ass

Every time the visitor's IP address is transmitted, a whole packet of sensitive information is transferred. It is the following information:

  • Rough location
  • Detailed location
  • Contact information
  • Physical address
  • E-mail address
  • Name
  • Phone number
  • Search history
  • Browsing history
  • Identifiers
  • User ID
  • Device ID
  • Usage data
  • Product interaction
  • Advertising data

This data is never deleted and forms a building block in the construction of the user's digital twin. Money is then made with this information without the owner of the data being paid for it. He will probably not even know what is happening to his property.

 