Germanys first ruling reveals Google`s spying programme

Michael-450x300

Millions in use - Google`s spying programmes on websites

Whether Google Fonts, Google Maps or YouTube Videos – none of this is legal

In January 2022, the Munich Regional Court (3rd Civil Chamber) ruled that the unauthorised disclosure of dynamic IP addresses to Google constitutes a violation of the general right of personality in the form of the right of informational self-determination under Section 823 (1) of the German Civil Code. The plaintiff is entitled to injunctive relief and damages based on the disclosure of IP addresses to Google through the use of Google Fonts. The defendant was ordered to pay 100 euros in damages for pain and suffering (judgment LG München: 3 O 17493/20 of 20.01.2022).

What exactly is at stake: Google provides a large selection of fonts under Google Fonts, which may be used free of charge and which enable the display of texts on a website in the first place.

There is a static or a dynamic variant for integration into one’s own website. With the static variant, no connection is established to Google servers, which makes this variant harmless in terms of data protection and privacy. The dynamic variant is different. Here, a connection is established to the Google server and at least the IP address is transmitted to Google.

In the present case, the defendant had integrated dynamic Google Fonts into its website. For this, it did not obtain the consent of its visitors in advance via a content banner. The plaintiff felt disturbed by this. He demanded damages and injunctive relief from the website operator.

The Munich Regional Court ruled in favour of the plaintiff.

The unauthorised disclosure of the plaintiff’s dynamic IP address to Google constitutes a violation of the general right of personality in the form of the right of informational self-determination pursuant to § 823 para. 1 BGB. In addition, the plaintiff is entitled to an injunction against the disclosure of his IP addresses to Google under § 823 para. 1 in conjunction with § 1004 BGB analogue. § 1004 BGB analogously.

Through the dynamic address, the website operator has abstract means to have the person in question determined on the basis of the stored IP addresses. It does not matter whether the defendant or Google has the concrete possibility to link the IP address to the plaintiff.

By forwarding the dynamic IP address to Google when the plaintiff accessed the website, the defendant violated the plaintiff’s right to informational self-determination. Furthermore, the automatic forwarding of the IP address constitutes an inadmissible encroachment on the plaintiff’s general right of personality under data protection law. The encroachment is also not justified because the defendant has no legitimate interest. Nor was the plaintiff obliged to encrypt his own IP address, e.g. by using a VPN, as such an obligation would restrict him in the exercise of his rights.

The court also affirmed a risk of repetition, which can only be eliminated by a cease-and-desist declaration with a penalty clause.

The plaintiff is entitled to information under Art. 15, Art. 4 No. 2 DSGVO. The claim for damages results from Article 82 (1) of the GDPR, whereby immaterial damage is also sufficient. In this case, the damage consists of the plaintiff’s loss of control over his data and the discomfort he feels as a result. Liability under Article 82(1) of the GDPR is intended to create an incentive for security measures and prevent further infringements.

Giving away free services is strategy. Unsuspecting website operators unwittingly become data thieves

Passing on the dynamic IP address also happens when integrating Google Analytics, Google Maps and YouTube videos. Vimeo videos are also not legal to use.

In addition, it should be noted, and here the court is mistaken, that even obtaining consent via a consent banner cannot prevent the disclosure of the IP address, because the services are already loaded before or at the same time as the consent banner, so the infringement has already occurred without the user’s consent. In the case of fonts, the website would be without texts and thus not recognisable as such. In the case of embedded videos, the player component is loaded beforehand and thus the IP address is transmitted.

A Consent Banner cannot prevent this. So there is no choice but to remove all US services from the website and replace them with services that respect data protection and privacy: Matomo (instead of Google Analytics), static pictures of maps (instead of Google Maps) self-hosted Google Fonts (instead of Google hosted Fonts) Video.Taxi (instead of YouTube or Vimeo).